Package: wp2x
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].
The following patch bumps debian/compat to 9 to automatically
enable the hardening flags; you could also enable them without
changing compat (see [2]), but compat=9 is the preferred and
simplest solution.
diff -u wp2x-2.5-mhi/debian/control wp2x-2.5-mhi/debian/control
--- wp2x-2.5-mhi/debian/control
+++ wp2x-2.5-mhi/debian/control
@@ -2,7 +2,7 @@
Section: text
Priority: optional
Maintainer: Petter Reinholdtsen <[email protected]>
-Build-Depends: debhelper (>> 8.0), dpatch
+Build-Depends: debhelper (>= 9.0), dpatch
Standards-Version: 3.9.3
Package: wp2x
diff -u wp2x-2.5-mhi/debian/compat wp2x-2.5-mhi/debian/compat
--- wp2x-2.5-mhi/debian/compat
+++ wp2x-2.5-mhi/debian/compat
@@ -1 +1 @@
-8
+9
The build system (Makefile) ignores compiler flags from the
environment. The attached patch (for debian/patches) fixes that
to enable hardening flags.
The test suite works fine with this change.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
$ hardening-check /usr/bin/wp2x
/usr/bin/wp2x:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPVTHcAAoJEJL+/bfkTDL5kFcP/2gzRkZKDGaMMzxYMcGBdP0l
Yo4IyllwqSRs8X/nhVlLO4XQCVQN0B2cxKarpJxRu3//cT6vDoBeJhapZhgHikLm
rm97Plr7SIrFxcGdp0fd3JfUpDv+1aS9mL2PcRyVWer06+UAfLs/Eq7fPARMNAbR
08oXQ5B6iqgDVHZX3xDOgQctx9U2zOUqGzFP2yXGie8si0fwOgzfRdVPcMkB7L/r
TAPett2J0QUAo7BCb42rfIagDuQr2iglAciUa21sx639EJmv8i0zqRqWULRuhzaN
zWPiTEG7C2eRbAfJlTI3MbcDhMQ5oT4GrCpmN+DYeA+G7OjStqO5E5tSUOjKZEsW
RFzw3xTNatsv0O/u6NhldugOwWNC93B0QHT1RZgaLPl6uQSiZaW95k5BSYWL/0gA
ujb3yslLU1mw9Vmi1L5H2ZMK9TJpt4np4vhGofTPPfr4jZAtM6gPxBNku375sHNH
w5RpMMYrX6tdPwP2yxg6YpNvHg9gOqRjZAdtSKcr3grqcUaYqxiHO6P6LItgU5HO
JAtsTwrhmq7hX9/iTQEO0HVE1iTf7rPKrHHTn7et8PdJjUt6BHABt+wTlXuH22m2
QKn4v5GAAkDK41NMLwPsmwCi9zuPr4GN5XXNcmhoEAYS7I9qdviF7s0CWzG9dI88
4hIqZ6TO4oT5olNIQVmJ
=fw5g
-----END PGP SIGNATURE-----
#! /bin/sh /usr/share/dpatch/dpatch-run
## 03_dpkg_buildflags.dpatch by Simon Ruderich
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Use build flags from the environment (dpkg-buildflags).
@DPATCH@
Index: wp2x-2.5-mhi/src/Makefile
===================================================================
--- wp2x-2.5-mhi.orig/src/Makefile 2012-03-05 22:22:41.398175234 +0100
+++ wp2x-2.5-mhi/src/Makefile 2012-03-05 22:24:05.158174488 +0100
@@ -3,10 +3,10 @@
OBJS = $(SRCS:.c=.o)
CC = gcc -g -O -ansi -funsigned-char -W -Wall
-CFLAGS = -DUNIX -DWP2X_DIR=\"$(WP2X_DIR)\" -DVERSION=\"$(VERSION)\"
+CFLAGS += -DUNIX -DWP2X_DIR=\"$(WP2X_DIR)\" -DVERSION=\"$(VERSION)\"
wp2x: $(OBJS)
- $(CC) -o wp2x $(CFLAGS) $(OBJS)
+ $(CC) -o wp2x $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(OBJS)
install:
install -c -o root -g root -m 755 wp2x $(BINDIR)
