Package: fltk1.3
Version: 1.3.0-6
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,

The LDFLAGS hardening flags are missing because the build system partially ignores them. For more hardening information please have a look at [1], [2] and [3]. The attached patch fixes the issue.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

$ hardening-check /usr/lib/x86_64-linux-gnu/libfltk_images.so.1.3 /usr/lib/x86_64-linux-gnu/libfltk_gl.so.1.3 ..
/usr/lib/x86_64-linux-gnu/libfltk_images.so.1.3:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
/usr/lib/x86_64-linux-gnu/libfltk_gl.so.1.3:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
...

(Position Independent Executable and Immediate binding are not enabled by default.)

Use

  find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.
Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPWqXsAAoJEJL+/bfkTDL5NdIP/01ykJt4KQhEPzce5kYEEM4n
fNFndyXJ00mjlqfWCPxLih9A3UjYhfbBFgZW9AvzX1feYZPVaMVFjZX3OJtdqtg6
KHtkMI7XmCtIaYcopYeOzWFJ9/h/B+mnp+6Z0k8I3nIt4X+MdicOhai2zhUMnBJu
eNsLwIgHc92Io8H6ZlfRu3QoATqpksNP+tB90gWVdgAa6IajcqL8vfvQq5dWT3UD
MWmLHp4rJv/yW3EiPy78o8i2OxTVLRYfwcOahrbUej9N3y+oMd5fwyqe71YKxuV4
lDyqGGidow3fbhNQi8kDopk9sAiq4DL0q7snOiBCFBXFVNtREEI539pLpgvn8+J4
hIKQv+27iLfioPM68aEfwOi8SrApIcj2Btb4YZ9pzYZloiZ+RSNC40BbDunLUuKU
ZZvQHOA2Cg3aiVb0WHqSdyKc0KhvLhQ/ygg+KBEYLHYNhprC6Cq4nlLXtzrRF21F
xpgQVlB3ZH3qmkGaaC9wPLOUXXrd5R7gA4fnZqwgPAw3pwdgcZ03gQQXiDji/RsN
/aqhbTu592RAXhMar0wb3LmtdNyhaknzkEOVR4Pxwwvs/vnSEHG8ZcGOYfGksXD8
zYwoHYllEPswUN7VrRwt9uzvHooM92rB16m/UYTIDwnL977hgSTRTVkx3wZB1zAt
vs4JRjsULbIVt8igRbNl
=8XuV
-----END PGP SIGNATURE-----
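What hardening-check actually inspects, and why it "doesn't catch everything", is easier to see from a checker that reads the ELF file directly. The following is an added example, not part of the bug report, of the hardening-includes package or of FLTK; it assumes only the Python 3 standard library. It looks at the same evidence hardening-check does (PT_GNU_RELRO for read-only relocations, DT_BIND_NOW/DF_BIND_NOW/DF_1_NOW for immediate binding, ET_DYN plus PT_INTERP for PIE, `__stack_chk_fail` in the dynamic symbols for the stack protector, `__*_chk` imports for fortify) and additionally reports an RPATH/RUNPATH, the thing the DSOLINK lines in the attached patch switch off. The `failures()` policy mirrors the defaults mentioned above: PIE and immediate binding are only demanded when asked for, and PIE is never demanded of a regular shared library. Like hardening-check, it can only show that a flag was used somewhere in the object, not that every call site got it, which is why the build log still has to be read.

```python
"""Pure-Python ELF hardening check (added example; not from the bug report,
hardening-includes or FLTK). Usage: python3 elf_hardening.py FILE..."""
import struct
import sys

PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
SHT_DYNSYM = 11
ET_DYN = 3
DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 15, 24, 29, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def _cstr(data, off):
    """NUL-terminated string starting at offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def check_elf(path):
    """Return a dict of hardening properties for one ELF file (32/64-bit, LE/BE)."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError("%s: not an ELF file" % path)
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:
        ehdr = struct.Struct(end + "16sHHIQQQIHHHHHH")
        phdr = struct.Struct(end + "IIQQQQQQ")    # type flags off vaddr paddr filesz memsz align
        shdr = struct.Struct(end + "IIQQQQIIQQ")  # name type flags addr off size link info align entsize
        dyn = struct.Struct(end + "qQ")
    else:
        ehdr = struct.Struct(end + "16sHHIIIIIHHHHHH")
        phdr = struct.Struct(end + "IIIIIIII")    # type off vaddr paddr filesz memsz flags align
        shdr = struct.Struct(end + "IIIIIIIIII")
        dyn = struct.Struct(end + "iI")
    (_, e_type, _, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = ehdr.unpack_from(data, 0)

    # Program headers as (type, file offset, file size); 32- and 64-bit field order differs.
    segs = []
    for i in range(e_phnum):
        p = phdr.unpack_from(data, e_phoff + i * e_phentsize)
        segs.append((p[0], p[2], p[5]) if is64 else (p[0], p[1], p[4]))

    # Dynamic section tags (first occurrence wins, as in the loader).
    tags = {}
    for p_type, off, size in segs:
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(off, off + size - dyn.size + 1, dyn.size):
            tag, val = dyn.unpack_from(data, pos)
            if tag == 0:  # DT_NULL terminates the table
                break
            tags.setdefault(tag, val)

    # Dynamic symbol names: every SHT_DYNSYM section, sh_link points at its string table.
    names = set()
    for i in range(e_shnum):
        s = shdr.unpack_from(data, e_shoff + i * e_shentsize)
        if s[1] != SHT_DYNSYM:
            continue
        strtab_off = shdr.unpack_from(data, e_shoff + s[6] * e_shentsize)[4]
        entsize = s[9] or (24 if is64 else 16)
        for pos in range(s[4], s[4] + s[5], entsize):  # st_name is the first 4 bytes of Elf_Sym
            (st_name,) = struct.unpack_from(end + "I", data, pos)
            names.add(_cstr(data, strtab_off + st_name))

    flags1 = tags.get(DT_FLAGS_1, 0)
    has_interp = any(t == PT_INTERP for t, _, _ in segs)
    if e_type == ET_DYN and (has_interp or flags1 & DF_1_PIE):
        kind = "pie"
    elif e_type == ET_DYN:
        kind = "shared library"
    else:
        kind = "executable"
    return {
        "kind": kind,
        "stack_protected": "__stack_chk_fail" in names,
        "fortified": any(n.startswith("__") and n.endswith("_chk")
                         and not n.startswith("__stack_chk") for n in names),
        "relro": any(t == PT_GNU_RELRO for t, _, _ in segs),
        "bind_now": bool(DT_BIND_NOW in tags or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                         or flags1 & DF_1_NOW),
        "rpath": DT_RPATH in tags or DT_RUNPATH in tags,
    }


def failures(result, require_pie=False, require_bind_now=False):
    """Names of failing checks. PIE and immediate binding are optional by default
    (the Debian defaults the report mentions); PIE is not demanded of a regular
    shared library; an RPATH/RUNPATH is reported because lintian warns about it."""
    bad = [k for k in ("stack_protected", "fortified", "relro") if not result[k]]
    if require_bind_now and not result["bind_now"]:
        bad.append("bind_now")
    if require_pie and result["kind"] == "executable":
        bad.append("pie")
    if result["rpath"]:
        bad.append("rpath")
    return bad


def default_targets():
    """Something to run on when no paths are given: the interpreter binary itself."""
    return [sys.executable]


if __name__ == "__main__":
    for path in sys.argv[1:] or default_targets():
        r = check_elf(path)
        print("%s: %s, failing: %s" % (path, r["kind"], ", ".join(failures(r)) or "none"))
```

Run it over the build result the same way as hardening-check, e.g. `find -type f \( -executable -o -name \*.so\* \) -exec python3 elf_hardening.py {} +`. Note the "fortified" test has the same blind spot as hardening-check: an object that calls no fortifiable libc function, or whose calls the compiler could not prove safe to rewrite, shows no `__*_chk` symbol even though -D_FORTIFY_SOURCE=2 was on the command line, so a "no" there still needs the build log to interpret.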
diff -Nru fltk1.3-1.3.0/debian/patches/debian-changes fltk1.3-1.3.0/debian/patches/debian-changes --- fltk1.3-1.3.0/debian/patches/debian-changes 2012-03-08 05:24:26.000000000 +0100 +++ fltk1.3-1.3.0/debian/patches/debian-changes 2012-03-10 01:34:22.000000000 +0100 @@ -9,7 +9,7 @@ - if test "x$libdir" != "x/usr/lib" -a "x$libdir" != "x/usr/lib64"; then - DSOLINK="-Wl,-rpath,$libdir" - fi -+ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o" ++ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) \$(LDFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o" +# if test "x$libdir" != "x/usr/lib" -a "x$libdir" != "x/usr/lib64"; then +# DSOLINK="-Wl,-rpath,$libdir" +# fi @@ -140,7 +140,7 @@ - if test "x$libdir" != "x/usr/lib" -a "x$libdir" != "x/usr/lib64"; then - DSOLINK="-Wl,-rpath,$libdir" - fi -+ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o" ++ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) \$(LDFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o" +# if test "x$libdir" != "x/usr/lib" -a "x$libdir" != "x/usr/lib64"; then +# DSOLINK="-Wl,-rpath,$libdir" +# fi @@ -376,7 +376,7 @@ threads$(EXEEXT): threads.o + echo Linking $@... -+ $(CXX) -I.. $(CXXFLAGS) threads.o -o $@ $(LINKFLTK) -lpthread ++ $(CXX) -I.. $(LDFLAGS) threads.o -o $@ $(LINKFLTK) -lpthread # This ensures that we have this dependency even if threads are not # enabled in the current tree... threads.o: threads.h
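Review bot: in the @@ -9,7 hunk the fix is applied by hand-editing debian/patches/debian-changes, the patch dpkg-source generates automatically from direct changes to the upstream tree, so it is easy to lose or duplicate on the next `dpkg-source --commit` or rebuild; carry the `\$(LDFLAGS)` addition to DSOCOMMAND as its own named quilt patch with a DEP-3 header instead. The placement itself is right: `\$(LDFLAGS)` comes before `-Wl,-soname,\$@ -shared`, so the hardening linker flags reach the shared-object link.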
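Review bot: the @@ -140,7 hunk repeats the identical DSOCOMMAND edit from the @@ -9,7 hunk, so the upstream file this patch modifies has at least two copies of the assignment that will drift apart again the next time one is touched; confirm there are no further DSOCOMMAND assignments for other targets that also need `\$(LDFLAGS)`, since only these two are patched. The surrounding `+# DSOLINK="-Wl,-rpath,$libdir"` lines keep the rpath block as commented-out code; removing it outright would make the intent (no rpath into $libdir) clearer than carrying dead lines.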
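Review bot: the @@ -376,7 hunk replaces `$(CXXFLAGS)` with `$(LDFLAGS)` on the threads$(EXEEXT) link line instead of adding it; since the link goes through $(CXX), compiler options that matter at link time (for example -flto, -fsanitize=..., -pg) would be silently dropped for this one target. Prefer `$(CXX) -I.. $(CXXFLAGS) $(LDFLAGS) threads.o -o $@ $(LINKFLTK) -lpthread`, and check how the other test targets in this Makefile link so that this one does not become the odd one out. The `-I..` on a link-only line is pre-existing and harmless, but could go at the same time.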