Package: aqsis
Version: 1.6.0-9
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores
them by default.

The attached patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. It also updates the debhelper Build-Depends to 9
which is necessary for compat=9 and uses +all instead of
+pie,+bindnow to enable possible future hardening flags as well.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

    $ hardening-check /usr/lib/libaqsis_util.so.1.6 /usr/lib/libaqsis_tex.so.1.6 /usr/lib/libaqsis_slxargs.so.1.6 ...
    /usr/lib/libaqsis_util.so.1.6:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/lib/libaqsis_tex.so.1.6:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/lib/libaqsis_slxargs.so.1.6:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: yes
    ...

The Fortify Source functions warnings are fine, the correct flags
are passed.

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
diff -Nru aqsis-1.6.0/debian/control aqsis-1.6.0/debian/control
--- aqsis-1.6.0/debian/control	2011-12-19 01:59:25.000000000 +0100
+++ aqsis-1.6.0/debian/control	2012-03-06 18:40:08.000000000 +0100
@@ -4,7 +4,7 @@
 Maintainer: Manuel A. Fernandez Montecelo <manuel.montez...@gmail.com>
 Uploaders: David Martínez Moreno <en...@debian.org>
 DM-Upload-Allowed: yes
-Build-Depends: debhelper (>= 8.9.0~), cmake (>= 2.6.3), flex (>= 2.5.35), bison (>= 1.35), libtiff4-dev, libjpeg-dev, libopenexr-dev, zlib1g-dev, libboost-filesystem-dev (>= 1.42), libboost-iostreams-dev (>= 1.42), libboost-wave-dev (>= 1.42), libboost-regex-dev (>= 1.42), libboost-serialization-dev (>> 1.42), libboost-test-dev (>= 1.42), libboost-thread-dev (>= 1.42), libfltk1.1-dev, fluid, xsltproc, libtinyxml-dev (>= 2.5)
+Build-Depends: debhelper (>= 9), cmake (>= 2.6.3), flex (>= 2.5.35), bison (>= 1.35), libtiff4-dev, libjpeg-dev, libopenexr-dev, zlib1g-dev, libboost-filesystem-dev (>= 1.42), libboost-iostreams-dev (>= 1.42), libboost-wave-dev (>= 1.42), libboost-regex-dev (>= 1.42), libboost-serialization-dev (>> 1.42), libboost-test-dev (>= 1.42), libboost-thread-dev (>= 1.42), libfltk1.1-dev, fluid, xsltproc, libtinyxml-dev (>= 2.5)
 Standards-Version: 3.9.2
 Homepage: http://www.aqsis.org/
 
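Review bot: The debhelper bump to `(>= 9)` on the Build-Depends line is only consistent if debian/compat is 9, and this patch does not touch debian/compat; please confirm it already says 9 or include that change here. Since the whole dependency list sits on one line, the one-token change is hard to spot; wrapping Build-Depends one package per line would make future diffs of this field reviewable.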
diff -Nru aqsis-1.6.0/debian/rules aqsis-1.6.0/debian/rules
--- aqsis-1.6.0/debian/rules	2011-12-20 18:35:44.000000000 +0100
+++ aqsis-1.6.0/debian/rules	2012-03-06 18:46:34.000000000 +0100
@@ -3,9 +3,11 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
-export DEB_BUILD_MAINT_OPTIONS := hardening=+pie,+bindnow
-export DEB_CFLAGS_MAINT_APPEND := -pipe -Wall
-export DEB_CXXFLAGS_MAINT_APPEND := -pipe -Wall
+# Cmake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_BUILD_MAINT_OPTIONS := hardening=+all
+export DEB_CFLAGS_MAINT_APPEND := -pipe -Wall $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND := -pipe -Wall $(shell dpkg-buildflags --get CPPFLAGS)
 export DEB_LDFLAGS_MAINT_APPEND := -Wl,-Bsymbolic -Wl,--as-needed
 
 
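Review bot: The two `$(shell dpkg-buildflags --get CPPFLAGS)` calls on the DEB_CFLAGS_MAINT_APPEND and DEB_CXXFLAGS_MAINT_APPEND lines repeat the same lookup, and depending on the GNU make version a `$(shell ...)` call may not see variables exported earlier in the makefile, so the returned CPPFLAGS may not reflect `hardening=+all`. Suggest doing the lookup once with the option passed explicitly, e.g. `HARDENING_CPPFLAGS := $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CPPFLAGS)`, and appending that variable on both lines. Also, the switch from `+pie,+bindnow` to `+all` is a behaviour change separate from the CPPFLAGS fix and deserves its own changelog entry; the new comment should spell the tool "CMake".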

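The manual `hardening-check` review described in the report can be scripted. The following shell function is an added example, not part of the original report or the aqsis packaging; the names `hardening_findings` and `sample_report`, the FAIL/REVIEW labels and the second sample entry are assumptions of the example.

```shell
#!/bin/sh
# Added example: screen hardening-check output for missing protections.
# Reads the report on stdin; prints "<STATUS> <file>: <feature>" per finding.
hardening_findings() {
    awk '
        # An unindented line ending in ":" names the file being reported.
        /^[^ ].*:$/ { file = substr($0, 1, length($0) - 1); next }
        # Feature lines look like " <feature>: <verdict>".
        /^ / {
            sep = index($0, ": ")
            if (sep == 0) next
            feature = substr($0, 2, sep - 2)
            verdict = substr($0, sep + 2)
            if (verdict !~ /^no/) next
            # "(ignored)" marks a check that does not apply to this file,
            # such as PIE on a regular shared library.
            if (verdict ~ /\(ignored\)/) next
            # Assumption of this example: a Fortify "no" is only flagged for
            # review, because a file that calls no fortifiable function
            # reports "no" even when the flags were passed.
            status = (feature ~ /^Fortify/) ? "REVIEW" : "FAIL"
            print status " " file ": " feature
        }
    '
}

# Constructed sample: the first entry reuses lines quoted in the report,
# the second is an invented unhardened binary with a placeholder path.
sample_report() {
    cat <<'EOF'
/usr/lib/libaqsis_slxargs.so.1.6:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes
./constructed/unhardened-tool:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
EOF
}

sample_report | hardening_findings
```

On a real build tree, pipe the output of the `find ... -exec hardening-check {} +` command from the report into `hardening_findings` instead of the sample.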