Package: mrd6 Severity: important Tags: patch -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Dear Maintainer, Not all (hardening) compiler flags from dpkg-buildpackage are used by the Makefile. As debian/compat=9 is used, it's not necessary to set *FLAGS manually, dpkg-buildpackage is automatically used. For more information please have a look at [1], [2] and [3]. The following patch fixes that: diff -Nru mrd6-0.9.6/debian/rules mrd6-0.9.6/debian/rules - --- mrd6-0.9.6/debian/rules 2012-03-03 09:58:03.000000000 +0100 +++ mrd6-0.9.6/debian/rules 2012-03-04 16:43:03.000000000 +0100 
@@ -9,10 +9,6 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 - -export CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS) - -export CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS) - -export LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) - - export PREFIX=/usr export TARGET=mrd6 But not all flags are used by the Makefile. The attached patches fix that (0012-Use-flags-from-dpkg-buildflags.patch) and also enable a verbose build (0011-Enable-verbose-build.patch) so it's easy to detect missing flags. With the hardening flags enabled, -Wformat-security detected a problem: syslog_log_node::log() doesn't use a format string. 0013-Wformat-security-fix.patch fixes that. To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package: $ hardening-check /usr/sbin/mrd6 /usr/lib/mrd6/bgp.so /usr/lib/mrd6/bgp.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: no, not found! Immediate binding: no not found! /usr/sbin/mrd6: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! 
Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening - -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJPU5FXAAoJEJL+/bfkTDL5uJIP/3NcyvX8DPlTBsk87frrFCot RPTEbdj1yIvFAUjRMbehRROo91syb1L4MItNC2vMjnt9avm2PAG1oELnp4DtMJHY ShtImLPgxkbQcGXuApkapuJ20bnJ6bLWw03JllPec71nXubCJOLWEpxWamZabXmh IljfFTuGcNB6/nBaH6p0SgKQyD1KNfz9ZGnLdKHmMpSiUzovGjx8ynnvJkdj0p2C BDyK/4C6089YtH0KxPZ0YQ6KywLpbTVwbuMc1m/OJmXXgpwwi8YNw67ZnlL7bCTw rg962cb45OQdKvTo6mKIGTT4f2Rzks9fqRyApyP4QGinB3ec/E1ycfIciLqg+332 SZTAuP0WDWHSdyMi9qyQgy9TJIwvBRfII9mX7+mkz08enAjyMgTT67CHX10r7CBU vnFdyYb3v8tPZ3d8HWwAMJOzdao6G7uNz3btyR3yZ4F5gCi3Pj6Chyh/DBW/nUA8 eURdYMGl5mI3dOA9ZtlNHZG94q5oS1g5MCl4IRrpqGkHFxJgOpfHLFW6U3IsbwEU vX3XxK85pkthrgMvpnSDZ/1hbXnWXSzFqAFDXUwBYBe6S2S+XFnoONzfnBk0k3yo +3DVarE7J8hoOArPqxralGidid5mILsNPJCIq9GctkMFJxIexLMZcOxtp51FPYxH btbMJppde6g8V3AQoKKW =TG/r -----END PGP SIGNATURE-----
Description: Display compiler commands/flags while building. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-03-04
--- mrd6-0.9.6.orig/src/Makefile
+++ mrd6-0.9.6/src/Makefile
@@ -141,7 +141,7 @@ define module_template
 BUILT_SOURCES += $$($(1)_SOURCES)
 $$($(1)_TARGET): $$(addprefix $(OBJ_DIR)/,$($(1)_SOURCES:.cpp=.o))
 @echo "Module $$($(1)_TARGET)"
- @$(CXX) -shared $(LDMODCMD) $(CXXFLAGS) -o $$($(1)_TARGET) \
+ $(CXX) -shared $(LDMODCMD) $(CXXFLAGS) -o $$($(1)_TARGET) \
 $$(addprefix $(OBJ_DIR)/,$($(1)_SOURCES:.cpp=.o))
 endef
@@ -154,7 +154,7 @@ define unittest_template
 BUILT_SOURCES += $(1).cpp
 $(1): $(TEST_OBJECTS) $(1).cpp
 @echo "Linking $(1)"
- @$(CXX) $(LDCMD) $(CXXFLAGS) -o $(1) $(1).cpp $(TEST_OBJECTS) \
+ $(CXX) $(LDCMD) $(CXXFLAGS) -o $(1) $(1).cpp $(TEST_OBJECTS) \
 $(LDFLAGS) -lboost_unit_test_framework
 endef
@@ -166,7 +166,7 @@ $(foreach test,$(TESTS),$(eval $(call un
 $(TARGET): $(MRD_OBJECTS)
 @echo "Linking $(TARGET)"
- @$(CXX) $(LDCMD) $(CXXFLAGS) -o $@ $(MRD_OBJECTS) $(LDFLAGS)
+ $(CXX) $(LDCMD) $(CXXFLAGS) -o $@ $(MRD_OBJECTS) $(LDFLAGS)
 install: $(TARGET) $(EXTERNAL_MODULES)
 install -D $(TARGET) $(DEST_PREFIX)/sbin/$(TARGET)
@@ -196,7 +196,7 @@ $(OPTIONS):
 $(DEPS_DIR)/%.d: %.cpp $(OPTIONS)
 @echo "Deps $<"
- @set -e; mkdir -p $(dir $@); \
+ set -e; mkdir -p $(dir $@); \
 $(CXX) -MM -MT $@ -MT $(addprefix $(OBJ_DIR)/,$(<:.cpp=.o)) \
 $(CXXFLAGS) $< > $@
@@ -210,7 +210,7 @@ endif
 $(OBJ_DIR)/%.o: %.cpp $(OPTIONS)
 @echo "C++ $<"
- @set -e; mkdir -p $(dir $@); \
+ set -e; mkdir -p $(dir $@); \
 $(CXX) -c $(CXXFLAGS) $< -o $@
 clean:
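Review bot: Dropping the `@` prefix makes every build unconditionally verbose and leaves the `@echo "Module …"`, `@echo "Linking …"`, `@echo "Deps $<"` and `@echo "C++ $<"` lines printing a second, now redundant, description of the command that follows; the same applies to all five hunks of this patch. A `V` switch keeps quiet output as the default while still letting a packager check the flags with `make V=1`: `Q := $(if $(V),,@)` near the top of src/Makefile, then `$(Q)$(CXX) -shared $(LDMODCMD) $(CXXFLAGS) -o $$($(1)_TARGET) \` in module_template and the same `$(Q)` prefix on the other four recipes. Inside the two `define` templates the prefix is expanded when the template is `$(eval)`'d, which presumably happens after the variable is set; confirm the ordering. The enclosing `define module_template` / `define unittest_template` blocks begin outside their hunks.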
Description: Use compiler flags from the environment. This is necessary to use the (hardening) compiler flags from dpkg-buildflags. . Also pass CPPFLAGS which is used for hardening. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-03-04
Index: mrd6-0.9.6/tools/c/Makefile
===================================================================
--- mrd6-0.9.6.orig/tools/c/Makefile 2012-03-04 16:39:04.000000000 +0100
+++ mrd6-0.9.6/tools/c/Makefile 2012-03-04 16:42:23.000000000 +0100
@@ -1,4 +1,4 @@
-CFLAGS = -g -O2 -Wall -ansi
+CFLAGS += -Wall -ansi
 PREFIX ?= /usr/local
Index: mrd6-0.9.6/src/Makefile
===================================================================
--- mrd6-0.9.6.orig/src/Makefile 2012-03-04 16:42:23.000000000 +0100
+++ mrd6-0.9.6/src/Makefile 2012-03-04 16:42:36.000000000 +0100
@@ -105,7 +105,7 @@ DEST_PREFIX = $(DESTDIR)$(PREFIX)
-CXXFLAGS = $(INCLUDES) -ansi -Wall -Wno-multichar -fno-exceptions -fPIC \
+CXXFLAGS += $(CPPFLAGS) $(INCLUDES) -ansi -Wall -Wno-multichar -fno-exceptions -fPIC \
 -fno-strict-aliasing -D$(PLATFORM) $(addprefix -D,$(MODULE_OPTIONS))
 ifeq ($(OPTIMIZE),yes)
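Review bot: `CFLAGS += -Wall -ansi` drops the previous `-g -O2` default, so a plain `make` in tools/c outside dpkg-buildpackage (where CFLAGS arrives from the environment) now compiles unoptimised, and `_FORTIFY_SOURCE` only takes effect at `-O1` or above, so the hardening result there depends entirely on the caller supplying `-O2`. Keep the default while still honouring the environment: `CFLAGS ?= -g -O2` on the line before, then `CFLAGS += -Wall -ansi`; `?=` does not replace a value exported by dh or given on the command line, so the dpkg-buildflags value still wins. The compile and link recipes of tools/c/Makefile are outside the hunk, so whether `CPPFLAGS` and `LDFLAGS` reach them cannot be checked here.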
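Review bot: Folding `$(CPPFLAGS)` into `CXXFLAGS` gets the preprocessor hardening flags into the compile and dependency rules, but `LDFLAGS` still does not reach the shared-module link in module_template (`$(CXX) -shared $(LDMODCMD) $(CXXFLAGS) -o $$($(1)_TARGET) \ $$(addprefix …)`, visible in the 0011 patch), which matches the `hardening-check` output above: `Read-only relocations: no, not found!` for bgp.so while /usr/sbin/mrd6 has them. Append the linker flags to that continuation line: `$$(addprefix $(OBJ_DIR)/,$($(1)_SOURCES:.cpp=.o)) $(LDFLAGS)`. Because `CXXFLAGS` is also used on every link line, the `CPPFLAGS` contents are now passed to the linker too; harmless for `-D` flags, but the cleaner split is `$(CPPFLAGS)` only on the `$(CXX) -c` and `$(CXX) -MM` recipes. The `Position Independent Executable: no` and `Immediate binding: no` results are expected with the default dpkg-buildflags set of the time; enabling them is a debian/rules decision (`DEB_BUILD_MAINT_OPTIONS` hardening options), not something this Makefile change can fix. The `ifeq ($(OPTIMIZE),yes)` block continues outside the hunk; if it appends its own `-O` flag it will follow the `-O2` from dpkg-buildflags, and for GCC the last `-O` wins.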
Description: Fix compiling with -Wformat-security. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-03-04
--- mrd6-0.9.6.orig/src/log.cpp
+++ mrd6-0.9.6/src/log.cpp
@@ -321,7 +321,7 @@ static inline int type_as_syslog_priorit
 }
 void syslog_log_node::log(int type, int level, const char *msg, bool) {
- syslog(type_as_syslog_priority(type), msg);
+ syslog(type_as_syslog_priority(type), "%s", msg);
 }
 tb_log_node::tb_log_node(log_base *parent, const char *name, int level)
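Review bot: The reason for the `"%s"` is not recorded in the code, so a later cleanup could fold it back into `syslog(prio, msg)` and reintroduce the format-string bug that -Wformat-security flagged. Add a comment above the call: `// msg is already-formatted text and may contain '%': pass it as an argument, never as the format string.` The `level` parameter stays unused and the `bool` is unnamed; both are pre-existing and not introduced here. Other `log_node` subclasses (tb_log_node begins right after this hunk) have their own output paths; worth confirming that each passes caller-supplied text as an argument rather than as a format, since `-Wformat-security` only reports the no-argument case.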