Source: netpbm-free Severity: important Tags: patch Please enable hardened build flags through dpkg-buildflags.
Patches attached: netpbm-format1.patch, netpbm-format2.patch and netpbm-format3.patch fix missing format strings exposed by the hardened build flags. netpbm-harden1.patch, netpbm-harden2.patch and netpbm-harden3.patch inject hardened build flags into the strange and convoluted build system of netpbm. Cheers, Moritz
diff -aur netpbm-free-10.0.orig/ppm/ppmtobmp.c netpbm-free-10.0/ppm/ppmtobmp.c
--- netpbm-free-10.0.orig/ppm/ppmtobmp.c 2012-01-02 03:35:03.000000000 +0100
+++ netpbm-free-10.0/ppm/ppmtobmp.c 2012-01-02 03:36:25.000000000 +0100
@@ -149,7 +149,7 @@
 {
 if (putc(v, fp) == EOF)
 {
- pm_error(er_write);
+ pm_error("%s", er_write);
 }
 }
@@ -158,7 +158,7 @@
 {
 if (pm_writelittleshort(fp, v) == -1)
 {
- pm_error(er_write);
+ pm_error("%s", er_write);
 }
 }
@@ -169,7 +169,7 @@
 {
 if (pm_writelittlelong(fp, v) == -1)
 {
- pm_error(er_write);
+ pm_error("%s", er_write);
 }
 }
Nur in netpbm-free-10.0/ppm: ppmtobmp.c~.
diff -aur netpbm-free-10.0.orig/pnm/fiasco/cwfa.c netpbm-free-10.0/pnm/fiasco/cwfa.c
--- netpbm-free-10.0.orig/pnm/fiasco/cwfa.c 2004-01-05 11:39:56.000000000 +0100
+++ netpbm-free-10.0/pnm/fiasco/cwfa.c 2012-01-02 03:40:19.000000000 +0100
@@ -176,7 +176,7 @@
 return 0;
 else
 {
- fprintf (stderr, fiasco_get_error_message ());
+ fprintf (stderr, "%s", fiasco_get_error_message ());
 fprintf (stderr, "\n");
 return 1;
 }
Nur in netpbm-free-10.0/pnm/fiasco: cwfa.c~.
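Review bot: The pointer returned by `fiasco_get_error_message ()` is still passed to `%s` unchecked on the new line; if that function can return NULL when no message has been recorded (its definition is not visible here), the call is undefined behaviour. Of the three format patches this is the call where the text is produced at run time and may plausibly echo input such as a file name, so it is worth getting fully right. Fetch the message once and fold in the newline: `const char *msg = fiasco_get_error_message ();` followed by `fprintf (stderr, "%s\n", msg ? msg : "(no error message)");`. The enclosing function starts outside the hunk.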
diff -aur netpbm-free-10.0.orig/pnm/fiasco/params.c netpbm-free-10.0/pnm/fiasco/params.c --- netpbm-free-10.0.orig/pnm/fiasco/params.c 2003-08-12 20:23:03.000000000 +0200 +++ netpbm-free-10.0/pnm/fiasco/params.c 2012-01-02 03:44:37.000000000 +0100 @@ -650,7 +650,7 @@ fprintf (stderr, "Usage: %s [OPTION]...%s\n", progname, non_opt_string ? non_opt_string : " "); if (synopsis != NULL) - fprintf (stderr, synopsis); + fprintf (stderr, "%s", synopsis); fprintf (stderr, "\n\n"); fprintf (stderr, "Mandatory or optional arguments to long options " "are mandatory or optional\nfor short options too. " Nur in netpbm-free-10.0/pnm/fiasco: params.c~.
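Review bot: For a string that is printed verbatim, `fputs (synopsis, stderr);` states the intent more directly than `fprintf (stderr, "%s", synopsis);` and leaves no format argument for a later edit to get wrong. The next line could follow the same form as `fputs ("\n\n", stderr);`. The enclosing function starts and ends outside the hunk.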
diff -aur netpbm-free-10.0.orig/Makefile.config.in netpbm-free-10.0/Makefile.config.in
--- netpbm-free-10.0.orig/Makefile.config.in 2003-08-28 22:12:30.000000000 +0200
+++ netpbm-free-10.0/Makefile.config.in 2012-01-02 03:32:23.000000000 +0100
@@ -102,7 +102,11 @@
 # -ansi and -Werror should work too, but are not included
 # by default because there's no point in daring the build to fail.
 # -pedantic isn't a problem because it causes at worst a warning.
-CFLAGS = -pedantic -O3 -Wall -Wno-uninitialized
+
+CFLAGS = `dpkg-buildflags --get CFLAGS`
+CFLAGS += -pedantic -O3 -Wall -Wno-uninitialized
+CFLAGS += `dpkg-buildflags --get CPPFLAGS`
+
 # On DEC Tru64 4.0F (at least), you need -DLONG_32 for ppmtompeg.
 #Tru64:
 #CFLAGS = -O2 -std1 -DLONG_32
@@ -134,7 +138,7 @@
 NEED_RUNTIME_PATH = N
 #NEED_RUNTIME_PATH = Y
-LDFLAGS =
+LDFLAGS = `dpkg-buildflags --get LDFLAGS`
 # Eunice users may want to use -noshare so that the executables can
 # run standalone:
 #LDFLAGS = -noshare
Nur in netpbm-free-10.0: Makefile.config.in~.
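Review bot: In the first hunk the package's own `-O3` is appended after the flags from `dpkg-buildflags`, so it overrides the `-O2` the tool emits (or the `-O0` chosen under `DEB_BUILD_OPTIONS=noopt`), because the later optimisation option wins. Both hunks also rely on shell backticks, which make does not expand itself: the literal text is handed to the shell on every recipe line, so `dpkg-buildflags` is re-run for each compile and link and make-level functions never see the real flags. Consider `CFLAGS = -pedantic -O3 -Wall -Wno-uninitialized` followed by `CFLAGS += $(shell dpkg-buildflags --get CFLAGS) $(shell dpkg-buildflags --get CPPFLAGS)`, and `LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)` in the second hunk.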
diff -aur netpbm-free-10.0.orig/debian/rules netpbm-free-10.0/debian/rules
--- netpbm-free-10.0.orig/debian/rules 2012-01-12 18:12:05.000000000 +0100
+++ netpbm-free-10.0/debian/rules 2012-01-12 18:13:04.000000000 +0100
@@ -9,6 +9,9 @@
 DEBIAN_DIR = $(shell pwd)/debian
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
 build: build-stamp
 build-stamp:
 dh_testdir
Nur in netpbm-free-10.0/debian: rules~.
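Review bot: Exporting the flags here probably has no effect on the compile lines, because the other two hardening patches in this report assign `CFLAGS` and `LDFLAGS` unconditionally inside `Makefile.config.in` and `pbm/Makefile`, and an assignment in a makefile takes precedence over an environment variable unless make is run with `-e`. It would be clearer to keep one mechanism and say so above the include, for example `# Hardening flags are exported to the sub-makes; the upstream makefiles must not reassign CFLAGS/LDFLAGS.`. Whichever route is kept, running `blhc` on the build log and `hardening-check` on the built binaries confirms that the flags actually reached the compiler and linker.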
diff -aur netpbm-free-10.0.orig/pbm/Makefile netpbm-free-10.0/pbm/Makefile
--- netpbm-free-10.0.orig/pbm/Makefile 2004-01-05 11:39:56.000000000 +0100
+++ netpbm-free-10.0/pbm/Makefile 2012-01-12 18:39:29.000000000 +0100
@@ -20,6 +20,12 @@
 pbmupc pi3topbm \
 wbmptopbm xbmtopbm ybmtopbm
+CFLAGS = `dpkg-buildflags --get CFLAGS`
+CFLAGS += `dpkg-buildflags --get CPPFLAGS`
+LDFLAGS = `dpkg-buildflags --get LDFLAGS`
+export CFLAGS
+export LDFLAGS
+
 ifneq ($(LEX)x,x)
 PORTBINARIES += thinkjettopbm
 endif
Nur in netpbm-free-10.0/pbm: Makefile~.
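Review bot: The plain `CFLAGS =` on the first added line discards whatever `CFLAGS` held before this point. If `Makefile.config` is included above line 20 (not visible in the hunk), the `-pedantic -O3 -Wall -Wno-uninitialized` set there is lost for this directory; if it is included below, these assignments are overwritten instead. Writing `CFLAGS += ...` and `LDFLAGS += ...` avoids the first case. Only `pbm/Makefile` is patched, while the format fixes in this report touch `ppm/` and `pnm/fiasco/`, so it is worth confirming that those directories are also built with the hardened flags.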