Source: nss
Severity: important
Tags: patch
Hi Mike,
Please enable hardened build flags through dpkg-buildflags.
Patches attached:
nss-harden.patch - Enables hardened build flags
nss-harden2.patch - Patch for NSS buildsystem to source LDFLAGS
nss-format.patch, nss-format2.patch, nss-format3.patch - missing
format strings exposed by "-Wformat -Wformat-security
-Werror=format-security"
There's still one deficiency, though: relro applies to the
binaries from libnss3-tools, e.g.
jmm@pisco:~/scratch$ hardening-check /usr/bin/signtool
/usr/bin/signtool:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
It's not enabled for the NSS libs, though:
jmm@pisco:~/deb/secure-testing/hardening$ hardening-check
/usr/lib/x86_64-linux-gnu/libnss3.so
/usr/lib/x86_64-linux-gnu/libnss3.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: no, not found!
Immediate binding: no not found!
Cheers,
Moritz
diff -aur nss-3.13.1.with.ckbi.1.88.harden/debian/rules nss-3.13.1.with.ckbi.1.88/debian/rules
--- nss-3.13.1.with.ckbi.1.88.harden/debian/rules 2011-11-05 16:56:10.000000000 +0100
+++ nss-3.13.1.with.ckbi.1.88/debian/rules 2012-01-24 22:10:38.000000000 +0100
@@ -21,15 +21,12 @@
USE_64 :=
endif
-CFLAGS := -Wall -pipe
+CFLAGS = `dpkg-buildflags --get CFLAGS`
+CFLAGS += -Wall -pipe
+CFLAGS += `dpkg-buildflags --get CPPFLAGS`
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
- CFLAGS += -O0
-else
- CFLAGS += -Os
-endif
-
-CFLAGS += -g
+LDFLAGS = `dpkg-buildflags --get LDFLAGS`
+export LDFLAGS
DISTDIR := $(CURDIR)/mozilla/dist
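Review bot: The new `CFLAGS = \`dpkg-buildflags --get CFLAGS\`` (and the LDFLAGS line below it, and the same pattern in the Linux.mk hunk) is a recursively expanded variable holding shell backticks, so dpkg-buildflags is re-run by the shell in every recipe line that references $(CFLAGS), and the value is opaque to make itself. Prefer make's own expansion, `CFLAGS := $(shell dpkg-buildflags --get CFLAGS) -Wall -pipe $(shell dpkg-buildflags --get CPPFLAGS)`, so the flags are computed once and can be inspected. Dropping the old noopt/-g handling is only correct because dpkg-buildflags honours DEB_BUILD_OPTIONS=noopt and emits -g itself; a one-line comment stating that dependency would help the next maintainer. Folding CPPFLAGS into CFLAGS looks deliberate (the NSS build does not appear to consume CPPFLAGS) and is what carries the fortify define, which also deserves a comment.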
Nur in nss-3.13.1.with.ckbi.1.88/debian: rules~.
diff -aur nss-3.13.1.with.ckbi.1.88.harden/mozilla/security/coreconf/Linux.mk nss-3.13.1.with.ckbi.1.88/mozilla/security/coreconf/Linux.mk
--- nss-3.13.1.with.ckbi.1.88.harden/mozilla/security/coreconf/Linux.mk 2012-01-24 22:13:26.000000000 +0100
+++ nss-3.13.1.with.ckbi.1.88/mozilla/security/coreconf/Linux.mk 2012-01-24 23:32:30.000000000 +0100
@@ -159,6 +159,7 @@
# we don't use -z defs there.
ZDEFS_FLAG = -Wl,-z,defs
DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG))
+LDFLAGS = `dpkg-buildflags --get LDFLAGS`
LDFLAGS += $(ARCHFLAG)
# On Maemo, we need to use the -rpath-link flag for even the standard system
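Review bot: The added `LDFLAGS = \`dpkg-buildflags --get LDFLAGS\`` is a plain assignment in an upstream makefile, so it replaces the LDFLAGS that debian/rules exports (makefile assignments take precedence over the environment unless make runs with -e), discards anything earlier lines of Linux.mk may have appended, and produces a shell error wherever $(LDFLAGS) is expanded on a system without dpkg-buildflags. `LDFLAGS += $(shell dpkg-buildflags --get LDFLAGS)` keeps an inherited value rather than clobbering it, and guarding it with a check that the tool exists keeps the Debian-specific call from breaking other builds of this file. Separately, the shared-library options appear to flow through DSO_LDOPTS (the line just above the change), so if the .so link line does not also use $(LDFLAGS) the relro flag never reaches libnss3.so, which would match the hardening-check output in the report; `DSO_LDOPTS += $(LDFLAGS)` or adding the relro option to DSO_LDOPTS is worth checking.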
Nur in nss-3.13.1.with.ckbi.1.88/mozilla/security/coreconf: Linux.mk~.
diff -aur nss-3.13.1.with.ckbi.1.88.harden/mozilla/security/nss/cmd/certcgi/certcgi.c nss-3.13.1.with.ckbi.1.88/mozilla/security/nss/cmd/certcgi/certcgi.c
--- nss-3.13.1.with.ckbi.1.88.harden/mozilla/security/nss/cmd/certcgi/certcgi.c 2008-02-16 02:17:40.000000000 +0100
+++ nss-3.13.1.with.ckbi.1.88/mozilla/security/nss/cmd/certcgi/certcgi.c 2012-01-24 22:14:02.000000000 +0100
@@ -97,7 +97,7 @@
error_out(char *error_string)
{
printf("Content-type: text/plain\n\n");
- printf(error_string);
+ printf("%s", error_string);
fflush(stderr);
fflush(stdout);
exit(1);
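Review bot: With `printf("%s", error_string)` the parameter is now only ever read through a `%s` conversion, so `error_out(char *error_string)` could become `error_out(const char *error_string)`, which lets callers pass literals and lets the compiler reject accidental writes; the prototype, callers and the closing brace of error_out are outside the hunk. Passing a NULL pointer to `%s` is undefined behaviour even though glibc happens to print "(null)", so if any caller can reach this with a NULL message a guard such as `printf("%s", error_string ? error_string : "unknown error");` would be safer. `fputs(error_string, stdout)` is an equivalent, formatting-free alternative.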
Nur in nss-3.13.1.with.ckbi.1.88/mozilla/security/nss/cmd/certcgi: certcgi.c~.
diff -aur nss-3.13.1.with.ckbi.1.88.harden/mozilla/security/nss/cmd/digest/digest.c nss-3.13.1.with.ckbi.1.88/mozilla/security/nss/cmd/digest/digest.c
--- nss-3.13.1.with.ckbi.1.88.harden/mozilla/security/nss/cmd/digest/digest.c 2004-10-07 06:13:50.000000000 +0200
+++ nss-3.13.1.with.ckbi.1.88/mozilla/security/nss/cmd/digest/digest.c 2012-01-24 22:16:23.000000000 +0100
@@ -105,7 +105,7 @@
"-t type");
fprintf(stderr, "%-20s ", "");
for (htype = HASH_AlgNULL + 1; htype < HASH_AlgTOTAL; htype++) {
- fprintf(stderr, HashTypeToOID(htype)->desc);
+ fprintf(stderr, "%s", HashTypeToOID(htype)->desc);
if (htype == (HASH_AlgTOTAL - 2))
fprintf(stderr, " or ");
else if (htype != (HASH_AlgTOTAL - 1))
Nur in nss-3.13.1.with.ckbi.1.88/mozilla/security/nss/cmd/digest: digest.c~.
diff -aur nss-3.13.1.with.ckbi.1.88.harden/mozilla/security/nss/cmd/signver/pk7print.c nss-3.13.1.with.ckbi.1.88/mozilla/security/nss/cmd/signver/pk7print.c
--- nss-3.13.1.with.ckbi.1.88.harden/mozilla/security/nss/cmd/signver/pk7print.c 2008-10-07 01:37:54.000000000 +0200
+++ nss-3.13.1.with.ckbi.1.88/mozilla/security/nss/cmd/signver/pk7print.c 2012-01-24 23:18:11.000000000 +0100
@@ -79,7 +79,7 @@
{
unsigned i;
- if (m) fprintf(out, m);
+ if (m) fprintf(out, "%s", m);
for (i = 0; i < data->len; i++) {
if (i < data->len - 1) {
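Review bot: This function guards the prefix with `if (m) fprintf(out, "%s", m);`, while the other sv_Print* hunks in this file (the @@ -136, @@ -181 and @@ -278 hunks, among others) pass `m` to `%s` unconditionally, so a NULL `m` is tolerated here and undefined behaviour there. Either the NULL check is dead and can be dropped for consistency, or the unconditional calls need the same guard; whichever it is, a comment on the `m` parameter saying whether NULL is allowed would settle it. The enclosing function's signature is above the hunk and its body continues below it.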
@@ -136,10 +136,10 @@
{
int rv;
- fprintf(out, m);
+ fprintf(out, "%s", m);
rv = sv_PrintTime(out, &v->notBefore, "notBefore=");
if (rv) return rv;
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintTime(out, &v->notAfter, "notAfter=");
return rv;
}
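Review bot: The return value of the second `sv_PrintTime(out, &v->notAfter, "notAfter=");` is discarded, so `return rv;` always reports the result of the notBefore call, which at that point is known to be zero; the line should read `rv = sv_PrintTime(out, &v->notAfter, "notAfter=");`. This predates the patch but sits between the rewritten lines, so it is cheap to fix alongside them. The function's signature is above the hunk.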
@@ -181,7 +181,7 @@
int i;
char om[100];
- fprintf(out, m);
+ fprintf(out, "%s", m);
/*
* XXX Make this smarter; look at the type field and then decode
@@ -278,16 +278,16 @@
SEC_PKCS7Attribute *attr;
int iv;
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &(info->version), "version=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintName(out, &(info->issuerAndSN->issuer), "issuerName=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &(info->issuerAndSN->serialNumber),
"serialNumber=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAlgorithmID(out, &(info->digestAlg), "digestAlgorithm=");
if (info->authAttr != NULL) {
@@ -304,9 +304,9 @@
}
/* Parse and display signature */
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAlgorithmID(out, &(info->digestEncAlg), "digestEncryptionAlgorithm=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAsHex(out, &(info->encDigest), "encryptedDigest=");
if (info->unAuthAttr != NULL) {
@@ -326,22 +326,22 @@
void
sv_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m)
{
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.rsa.modulus, "modulus=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.rsa.publicExponent, "exponent=");
}
void
sv_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m)
{
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.dsa.params.prime, "prime=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.dsa.params.subPrime, "subprime=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.dsa.params.base, "base=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.dsa.publicValue, "publicValue=");
}
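Review bot: After the `"%s"` rewrite `m` is never written in sv_PrintRSAPublicKey or sv_PrintDSAPublicKey, so both signatures could take `const char *m` (`sv_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, const char *m)`), which documents the contract and lets callers pass literals cleanly; the same applies to the other sv_Print* functions whose signatures sit outside the hunks. A short header comment stating that `m` is a prefix printed verbatim before each field would also help, since the old code made it look like a format string. Any declarations in a header would need the same change.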
@@ -432,7 +432,7 @@
oidTag = SECOID_FindOIDTag (&((*extensions)->id));
- fprintf(out, msg);
+ fprintf(out, "%s", msg);
tmpitem = &((*extensions)->value);
if (oidTag == SEC_OID_X509_INVALID_DATE)
sv_PrintInvalidDateExten (out, tmpitem,"invalidExt");
@@ -458,13 +458,13 @@
int iv;
char om[100];
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAlgorithmID(out, &(crl->signatureAlg), "signatureAlgorithm=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintName(out, &(crl->name), "name=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintTime(out, &(crl->lastUpdate), "lastUpdate=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintTime(out, &(crl->nextUpdate), "nextUpdate=");
if (crl->entries != NULL) {
@@ -563,10 +563,10 @@
}
m[PORT_Strlen(m) - 5] = 0;
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAlgorithmID(out, &sd->signatureAlgorithm, "signatureAlgorithm=");
DER_ConvertBitString(&sd->signature);
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAsHex(out, &sd->signature, "signature=");
PORT_FreeArena(arena, PR_FALSE);
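Review bot: `m[PORT_Strlen(m) - 5] = 0;` two lines above the rewritten fprintf indexes before the buffer whenever `m` is shorter than five characters, and the hunk does not show where `m` is built. If `m` is a local buffer that always ends in a fixed five-character suffix at this point, a comment stating that invariant next to the store would make it checkable; otherwise a length check before the store is needed. The function's start and end are outside the hunk.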
@@ -632,11 +632,11 @@
iv = 0;
while ((aCrl = src->crls[iv]) != NULL) {
sprintf(om, "signedRevocationList[%d].", iv);
- fprintf(out, om);
+ fprintf(out, "%s", om);
sv_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm,
"signatureAlgorithm=");
DER_ConvertBitString(&aCrl->signatureWrap.signature);
- fprintf(out, om);
+ fprintf(out, "%s", om);
sv_PrintAsHex(out, &aCrl->signatureWrap.signature, "signature=");
sprintf(om, "certificateRevocationList[%d].", iv);
sv_PrintCRLInfo(out, &aCrl->crl, om);
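Review bot: The `sprintf(om, "signedRevocationList[%d].", iv);` and `sprintf(om, "certificateRevocationList[%d].", iv);` lines around the rewritten fprintfs still write into `om` without a bound; the output is limited by the width of an int so it fits a `char om[100]` like the ones declared elsewhere in this file, but `snprintf(om, sizeof om, "signedRevocationList[%d].", iv);` makes that explicit and is what the fortify checks can verify. `om`'s declaration is outside the hunk, so confirm it is an array rather than a pointer before relying on `sizeof om`. Since `om` now goes through `%s`, `fputs(om, out)` would also do.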
Nur in nss-3.13.1.with.ckbi.1.88/mozilla/security/nss/cmd/signver: pk7print.c~.