Package: afterstep Severity: important Tags: patch -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Dear Maintainer, The CPPFLAGS hardening flags are missing because they are not set in debian/rules. The following patch fixes the issue by adding them to CFLAGS which is already used.
diff -Nru afterstep-2.2.11/debian/rules afterstep-2.2.11/debian/rules
- --- afterstep-2.2.11/debian/rules 2012-01-17 23:27:28.000000000 +0100
+++ afterstep-2.2.11/debian/rules 2012-03-05 01:42:51.000000000 +0100
@@ -5,7 +5,7 @@
 SHELL := /bin/bash
 DH_AUTO_OPTIONS := -v -Sautoconf
 DESTDIR := $(CURDIR)/debian/tmp
- -CFLAGS := $(shell dpkg-buildflags --get CFLAGS)
+CFLAGS := $(shell dpkg-buildflags --get CFLAGS) $(shell dpkg-buildflags --get CPPFLAGS)
 LDFLAGS := -Wl,-z,defs -Wl,--as-needed
 LDFLAGS += $(shell dpkg-buildflags --get LDFLAGS)
Normally you don't have to use dpkg-buildflags when compat=9 is used, it's set automatically. DEB_*_MAINT_APPEND is the preferred way to set additional flags (see man dpkg-buildflags for more information). For more hardening information please have a look at [1], [2] and [3]. The attached patch handles it in that way - by using DEB_LDFLAGS_MAINT_APPEND, choose the patch you like best. Both should work fine. To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package: $ hardening-check /usr/bin/afterstep ... /usr/bin/afterstep: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! ...
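Review bot: Folding the CPPFLAGS query into CFLAGS on the `+CFLAGS :=` line means the preprocessor hardening define (`-D_FORTIFY_SOURCE=2` in the dpkg-buildflags CPPFLAGS set) only reaches compiles where `$(CFLAGS)` is interpolated; any compile or preprocessor-only step that is handed CXXFLAGS or CPPFLAGS on their own stays unhardened, and there is no way to pass the two streams separately later. Keeping them distinct, `CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)` next to the existing CFLAGS line and then `CPPFLAGS="$(CPPFLAGS)"` alongside `CFLAGS="$(CFLAGS)"` wherever configure is invoked, is how dpkg-buildflags and autoconf expect them. Both `$(shell …)` calls are bound with `:=`, so they run once at parse time, which is correct. The hunk header counts seven old lines but six are visible here, presumably a blank line lost in transit, so check that the patch still applies cleanly.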
Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening - -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJPVBQjAAoJEJL+/bfkTDL59FUP+wYOCZEwXe6sd5ifP/6CRMNE CIDjRXv/AkOF3zSteIboKaiAOSfLGual8Xwquk4BJPKf2CrfyLa7yl0bTUGl/TXM 0Ebv92xVx16raQywOGiErnAk9kd72vX/uM8kGOu0bQQEAtsgBj0p9IWfNvLnN7/T IKLsGatgTUmeOPmIAi4Q7LSydCLCEq3SDicP3EILB+g9ZXm3iKeWcT09zoTZX628 L9qvagzdd7xVZMPy80/m4mL7ABM5rO5Ihk8TW7Joc1706Ni+f/WRYdEb+d8SIZPd lXuO0kO5mIbxaWR9nSwTNaFP0b1D/jWV4c79FSdLF7V2FXzWBPe8/JiRefyNCkyk 6CuYQL4olWG6GDzX+NNdPI4P2fCZsJPSOFSF/urziWUnVegXDjENYbWMldMc3cDX vJg5qo8FkOu/rB8wwTp8QFlvk3YDNLBAKqPbgztK8W0UiL0es1rl7RZF8JUffHUn 8pSV6b5PQZ4pZlKic5kDjQt5bQ1cXgNwUWXvwCL/YJZ9L/PgbE+1zF3cNH/e0482 rwiKO+iwdp+015oivM7146GutebAJQqPoWmpD4azyhWx8smh8IrXSmIVqEpj2cDc ooO4GUtZs2aVH6hMu7ZRfZX7Ip0JDInhfCZuG8IDIivOgsFiyXXPWS9FRD38pLJ8 DFKFOcYMgDc7lcOHw5Gj =vg+0 -----END PGP SIGNATURE-----
--- afterstep-2.2.11/debian/rules 2012-01-17 23:27:28.000000000 +0100
+++ afterstep-2.2.11/debian/rules 2012-03-05 02:13:13.000000000 +0100
@@ -5,9 +5,7 @@
 SHELL := /bin/bash
 DH_AUTO_OPTIONS := -v -Sautoconf
 DESTDIR := $(CURDIR)/debian/tmp
-CFLAGS := $(shell dpkg-buildflags --get CFLAGS)
-LDFLAGS := -Wl,-z,defs -Wl,--as-needed
-LDFLAGS += $(shell dpkg-buildflags --get LDFLAGS)
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs -Wl,--as-needed
 BUILD_DIR := DEB-build-tree
 STAMP_DIR := $(BUILD_DIR)/stamps
@@ -126,7 +124,7 @@
 @echo "***** Configure static *****"
 @echo
 cd $(BUILD_TREE_STATIC) && \
- CFLAGS="$(CFLAGS)" LDCONFIG="/bin/true" \
+ CFLAGS="$(CFLAGS) $(CPPFLAGS)" LDCONFIG="/bin/true" \
 LDFLAGS="$(LDFLAGS)" \
 $(call common-configure, --enable-staticlibs)
@@ -139,7 +137,7 @@
 @echo "***** Configure dynamic *****"
 @echo
 cd $(BUILD_TREE) && \
- CFLAGS="$(CFLAGS) -fPIC" LDCONFIG="/bin/true" \
+ CFLAGS="$(CFLAGS) $(CPPFLAGS) -fPIC" LDCONFIG="/bin/true" \
 LDFLAGS="$(LDFLAGS) -rdynamic" \
 $(call common-configure, --disable-staticlibs)
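Review bot: After the three removed assignments in the `@@ -5,9 +5,7 @@` hunk, `$(CFLAGS)`, `$(CPPFLAGS)` and `$(LDFLAGS)` have no definition left in this file, so they are non-empty only when make inherits them from the environment — which, as far as I know, `dh` provides for override targets at compat 9, but not when the configure recipe is reached by any other path, and in that case every hardening flag disappears silently instead of the build failing. Whether this rules file reaches configure through a dh override target is not visible in the hunk. A definition that does not depend on the caller is `include /usr/share/dpkg/buildflags.mk`, placed after the new `export DEB_LDFLAGS_MAINT_APPEND` line so the append is in effect when the flags are computed. Separately, the `hardening-check` output quoted in the report shows PIE and immediate binding off; those are outside the default flag set and would need `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` next to the new export if the maintainer wants them.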
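Review bot: The `+ CFLAGS="$(CFLAGS) $(CPPFLAGS)"` line in the `@@ -126,7 +124,7 @@` hunk hands the preprocessor flags to configure inside CFLAGS rather than as their own variable, so autoconf's preprocessor checks and any generated rule that uses CPPFLAGS without CFLAGS run without the fortify define; the same applies to the `-fPIC` line in the `@@ -139,7 +137,7 @@` hunk. Passing them separately, `CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDCONFIG="/bin/true" \`, keeps the streams distinct and still reaches every compile, since autoconf exports CPPFLAGS into the generated makefiles. The recipe these lines belong to starts before the hunk, so the target name and whether it is a dh override cannot be checked from here.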