Package: fpm2
Version: 0.79-2
Severity: important
Tags: patch

Dear Maintainer,

The LDFLAGS hardening flags are missing because they are overwritten in debian/rules: by the time dh $@ is executed, LDFLAGS doesn't contain the hardening flags yet. DEB_*_MAINT_APPEND is the preferred way to set additional flags (see man dpkg-buildflags for more information).

For more hardening information please have a look at [1], [2] and [3].

The following patch fixes the issue:

diff -Nru fpm2-0.79/debian/rules fpm2-0.79/debian/rules --- fpm2-0.79/debian/rules 2012-03-07 20:53:00.000000000 +0100 +++ fpm2-0.79/debian/rules 2012-03-09 22:33:31.000000000 +0100 
@@ -2,6 +2,7 @@ # Use all hardening features export DEB_BUILD_MAINT_OPTIONS = hardening=+all +export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs,--as-needed %: - LDFLAGS="$(LDFLAGS) -Wl,-z,defs,--as-needed" dh $@ + dh $@

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/fpm2
    /usr/bin/fpm2:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes

Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
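
Review bot: With the explicit LDFLAGS="..." prefix dropped from the `%:` target, nothing in the visible rules passes linker flags to dh directly, so both -Wl,-z,defs,--as-needed and the hardening=+all options reach the build only if dh exports the dpkg-buildflags values. Please confirm the package's debhelper compat level is 9 or higher (or that rules obtains the flags from dpkg-buildflags some other way), since the hunk does not show it. The existing comment "# Use all hardening features" now also sits directly above DEB_LDFLAGS_MAINT_APPEND, whose -z,defs and --as-needed are link hygiene options rather than hardening flags; a separate one-line comment for that export would keep the file accurate.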
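
Added example, not part of the original report: a shell filter that reads hardening-check output in the format quoted in the report and lists only the features reported as missing, which is useful when the find command from the report is run over a whole build tree. The function names and the sample output are constructed for illustration; treating "(ignored)" and "unknown" verdicts as non-failures is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads hardening-check output on
# stdin and prints "<file><TAB><feature><TAB><verdict>" for each missing feature.
# Assumption: "no, ... (ignored)" and "unknown, ..." verdicts are not failures.
hardening_failures() {
    awk '
        /^[^ ]/ && /:$/ {              # "path:" header line starting a file
            file = substr($0, 1, length($0) - 1); next
        }
        /^ / {                         # indented " Feature: verdict" line
            line = $0; sub(/^ +/, "", line)
            sep = index(line, ": ")
            if (sep == 0) next
            feature = substr(line, 1, sep - 1)
            verdict = substr(line, sep + 2)
            if (verdict ~ /^no/ && verdict !~ /\(ignored\)/) {
                printf "%s\t%s\t%s\n", file, feature, verdict
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }     # non-zero exit if anything is missing
    '
}

# Constructed sample in the format shown in the report (not real build output).
sample_output() {
    cat <<'EOF'
/usr/bin/fpm2:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
./usr/bin/helper:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
./usr/lib/libexample.so.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
EOF
}

# Real use: find ... -exec hardening-check {} + | hardening_failures
sample_output | hardening_failures || echo "missing hardening features found" >&2
```

Because the function exits non-zero when any feature is missing, it can gate a build or CI step directly.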