Package: btag
Version: 1.1.2-1
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

Please enable the last missing hardening flag -z now. The
following patch adds it (+all to also enable possible future
hardening flags). For more hardening information please have a
look at [1], [2] and [3].

Additionally, CMake ignores CPPFLAGS; the patch also fixes that by
passing them through CFLAGS/CXXFLAGS.

    diff -Nru btag-1.1.2/debian/rules btag-1.1.2/debian/rules
    --- btag-1.1.2/debian/rules     2011-12-03 18:59:22.000000000 +0100
    +++ btag-1.1.2/debian/rules     2012-03-07 18:06:54.000000000 +0100
    @@ -2,9 +2,14 @@
     # vi: ts=8 sw=8 noet
    
     DPKG_EXPORT_BUILDFLAGS = 1
    -DEB_BUILD_MAINT_OPTIONS = "hardening=+pie"
    +export DEB_BUILD_MAINT_OPTIONS = "hardening=+all"
     include /usr/share/dpkg/buildflags.mk
    
    +# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
    +# missing (hardening) flags.
    +CFLAGS   += $(CPPFLAGS)
    +CXXFLAGS += $(CPPFLAGS)
    +
     EXTRA_CMAKE_FLAGS =
     ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
     EXTRA_CMAKE_FLAGS = -DENABLE_TESTS=1
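
Review bot: In the `export DEB_BUILD_MAINT_OPTIONS = "hardening=+all"` line, make does not strip the double quotes, so they become part of the exported environment value. Writing it as `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` avoids depending on how the consumer handles the stray quotes. The `CFLAGS += $(CPPFLAGS)` and `CXXFLAGS += $(CPPFLAGS)` lines also have to stay below `include /usr/share/dpkg/buildflags.mk`, where the flags are set, and the added comment could say so to keep a later reordering from silently dropping the CPPFLAGS hardening options.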

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/btag
    /usr/bin/btag:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: yes

The Fortify Source functions warning is fine, there are no
protectable functions yet.

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
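
As an added example (not part of the original report), the following shell function reduces `hardening-check` output like that shown above to the features that are actually missing, treating the "only unprotected functions found" Fortify result as acceptable, as the report does. The function names and the second binary in the sample are constructed for illustration.

```shell
#!/bin/sh
# Reads hardening-check output on stdin and prints one line per missing
# feature as "file<TAB>feature<TAB>detail". Typical use on a build tree:
#   find -type f \( -executable -o -name \*.so\* \) \
#        -exec hardening-check {} + | hardening_failures
hardening_failures() {
    awk '
        # A line that is not indented and ends in ":" names the file.
        /^[^ ].*:$/ { file = substr($0, 1, length($0) - 1); next }
        # Indented "Feature: no[, reason]" lines are candidate failures.
        /^ +[^:]+: no(,|$)/ {
            line = $0
            sub(/^ +/, "", line)
            feature = line; sub(/:.*/, "", feature)
            detail = line;  sub(/^[^:]+: /, "", detail)
            # No fortifiable libc calls in the binary: nothing to protect.
            if (feature == "Fortify Source functions" &&
                detail ~ /only unprotected functions found/) next
            printf "%s\t%s\t%s\n", file, feature, detail
        }
    '
}

# Sample input: the btag result from the report, followed by a constructed
# binary (hypothetical path) that lacks two of the hardening features.
sample_report() {
    cat <<'EOF'
/usr/bin/btag:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes
./usr/bin/example-tool:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no, not found!
EOF
}

sample_report | hardening_failures
```

An empty result means every checked file passed; as the report notes, the build log still needs a look because `hardening-check` does not catch everything.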


