Package: yabause
Version: 0.9.11-1
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
The hardening flags are missing because export LDFLAGS += in
debian/rules overwrites the default hardening flags; additionally
the build system ignores CFLAGS/CPPFLAGS.
DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].
The following patch fixes the missing LDFLAGS and CPPFLAGS (only
in combination with the attached patch).
diff -Nru yabause-0.9.11/debian/rules yabause-0.9.11/debian/rules
--- yabause-0.9.11/debian/rules 2011-11-28 09:44:43.000000000 +0100
+++ yabause-0.9.11/debian/rules 2012-03-07 17:44:32.000000000 +0100
@@ -1,8 +1,12 @@
#!/usr/bin/make -f
# -*- makefile -*-
-LDFLAGS+=-Wl,-z,defs -Wl,--as-needed
-export LDFLAGS
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs -Wl,--as-needed
%:
dh $@
The attached patch updates the build system to respect the
hardening flags, necessary for CFLAGS and CPPFLAGS. I'm not sure
if this patch is correct because I have no experience with CMake,
please check if it's correct.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/yabause-qt /usr/bin/yabause-gtk
/usr/bin/yabause-qt:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/bin/yabause-gtk:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
yabause has an executable stack which might cause security
problems. But I'm not sure if this is required by the program -
if it's not adding -Wl,-z,noexecstack to DEB_LDFLAGS_MAINT_APPEND
fixes that.
I haven't tested yabause with these new flags, please test it
before uploading a new package with these changes. Normally
everything works fine, but yabause uses assembly which might
cause problems.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPV5POAAoJEJL+/bfkTDL5Il4P/3hDeVpLDbpsZSgA/Z80Uwne
DOs1sdgY5uK41zXEaaf5OTlSq/tDgRCpAFxrp/kjOvvJgkD0V0+NVttCXZhHfDpu
n/K05iZ4vYE1H65nY/1SvlmImjWVNvEBf7146EyHTmn5TZKGGVtdy3HxBcEJlXvV
zoB+WpNRE8+t8WcUq1XaJ0oXByWCDRufDfMAtbPlXbrZ3nPeEUHli+BuJvG7/iJ0
cDzCHBZ9wu77aMpEhzW9o/jnKfsPBxc1YMV3KBmUiVRVjtaSI9co0mtwTvRpTTzx
CD0AloLqkPPqBSmCyXFYm1f1OEIuo8okI+A5yIOVVJCabZPyUxhepkhN2a1MYdvM
bESytOJvfpdGxM////DkTSfpoCla7W2BV27XVmIPI81Lxtvbkdx9rjGhW2k3pMJW
iRVlQNzpC/MDkDODcC+5SB2AS0GE6YiJLYXz5A4UM+16WfMWYjWOJUxdBnrckI0P
oB2ax/pbVkP7H+Zp65ht1MYnE706/lCuXq2B4+r5HBJ+M7UhE/wcYELIXUa+ldUD
5WGVrQqWN7ZnqIQMnue4A5+8PL8GbykuCspZJv4YqF6p+U4fqwzmre5upUNgzmO9
B2MnBLfNITLe/eVNBFqOlppmAwlzCnVlgl+GCYn5ZtgWpxfd3v2zQAoSKFb2vcgy
CrktHnHOO9fTGlUpGRuy
=cTu6
-----END PGP SIGNATURE-----
Description: Use build flags from environment (dpkg-buildflags).
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2012-03-07
--- yabause-0.9.11.orig/src/CMakeLists.txt
+++ yabause-0.9.11/src/CMakeLists.txt
@@ -324,13 +324,13 @@ else ()
endif ()
if("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i686")
- set(CMAKE_C_FLAGS "-O3 -march=i686 -msse")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O3 -march=i686 -msse")
endif("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i686")
if("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
- set(CMAKE_C_FLAGS "-O3")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O3")
endif("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
if("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "armv7l")
- set(CMAKE_C_FLAGS "-O3 -mcpu=cortex-a8 -mfpu=vfp -mfloat-abi=softfp")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O3 -mcpu=cortex-a8 -mfpu=vfp -mfloat-abi=softfp")
endif("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "armv7l")
add_definitions(-DPACKAGE=\"yabause\")
--- yabause-0.9.11.orig/autopackage/default.apspec.in
+++ yabause-0.9.11/autopackage/default.apspec.in
@@ -34,7 +34,7 @@ AutopackageTarget: 1.0
This is a Sega Saturn emulator.
[BuildPrepare]
-prepareBuild --enable-static-mini18n CFLAGS='-D_FORTIFY_SOURCE=0'
+prepareBuild --enable-static-mini18n
[BuildUnprepare]
unprepareBuild
