Bug#663613: freetype: CPPFLAGS hardening flags missing for ft2demos

[Simon Ruderich]

Package: freetype
Version: 2.4.8-1
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The CPPFLAGS hardening flags are missing for ft2demos because the
Makefiles ignore them.

The attached patch (for debian/patches-ft2demos/) fixes the
issue. If possible it should be sent upstream. For more hardening
information please have a look at [1], [2] and [3].

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/ftbench /usr/bin/ftdump /usr/bin/ftlint ...
    /usr/bin/ftbench:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/ftdump:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/ftlint:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPXjJNAAoJEJL+/bfkTDL5+sUP/0X4HefsqrkHUp7/ZjchBQ+0
kyN+KbU5/pwkpmUli/YvB1Ol+fy/5Fj8y7yTNPVu/Z/dc7phjIy9MdZjEgQ4DNdE
tElVIcSbO2Bz0VkZh9eIUKa/ghIYz0qcqBrb2MP0kxPZ+C1d6+2FVPnsjRuD3d6M
mJjV8wEPvmhNr+1Q0aQvOTXFQUfIa/uXcnXKCijkxJDgjHwJJJCv3TxRXUIgfc7f
to6FnNN1Tu6QHr54nJFa1giFXiUJujg1nFGN+vWtsgAaqPjpelHpTeTjSjYsFKOA
Z2y20zUB/TVVJ7l4/qSzP9pCkBdo1pFIY/JuJQD8F9/Td/RTe2uz7XxQLyuLH/Jg
HaxEnX6pQzTrvLeNrfiX/uoFrBpg2Tx/DNUIw0VndNy1QllxKX8z6HBoGJT/N7az
NntmuV+skQpgLZQWtMfCLM9uqDzem38/1M5eHgUTagIeAcmhMcxv3R4pyreuE9Pk
kZmCgcgW/sHBJWsQBOIiLWf+DK0+rndaAABvimJEk8xj92ZqrpN+xWENWbjUxS5x
Ab3axIEV5fofVh7CYaOB8A3hsJWgHYaCGQRSVUVvE4JeGbAQmcABJNH+dPGFDt0u
oMMCXrgvdepzW+5qAT+lAaKRe5IARyD8d77kNCck5dUqg2KsDEywdnoxt1J01SzT
tIteme6YicQiW8NZlwAi
=hoh9
-----END PGP SIGNATURE-----

Description: Use CPPFLAGS from environment (dpkg-buildflags).
 Necessary for hardening flags.
 Author: Simon Ruderich <si...@ruderich.org>
 Last-Update: 2012-03-12

Index: ft2demos-2.4.8/Makefile
===================================================================
--- ft2demos-2.4.8.orig/Makefile	2011-04-19 06:46:37.000000000 +0200
+++ ft2demos-2.4.8/Makefile	2012-03-12 18:19:46.217136170 +0100
@@ -127,7 +127,7 @@
                  $(TOP_DIR)/include \
                  $(SRC_DIR)
 
-  COMPILE = $(CC) $(CFLAGS) \
+  COMPILE = $(CC) $(CFLAGS) $(CPPFLAGS) \
                   $(INCLUDES:%=$I%) \
                   $DFT_CONFIG_MODULES_H="<ftmodule.h>"
 
Index: ft2demos-2.4.8/graph/allegro/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/allegro/rules.mk	2009-03-14 14:58:28.000000000 +0100
+++ ft2demos-2.4.8/graph/allegro/rules.mk	2012-03-12 18:19:46.217136170 +0100
@@ -23,7 +23,7 @@
   # our compilation rule
   #
   $(OBJ_DIR_2)/gralleg.$O : $(GR_ALLEG)/gralleg.c $(GR_ALLEG)/gralleg.h
-	  $(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	  $(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
                 $I$(subst /,$(COMPILER_SEP),$(GR_ALLEG)) \
                 $T$(subst /,$(COMPILER_SEP),$@ $<)
 
Index: ft2demos-2.4.8/graph/beos/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/beos/rules.mk	2009-03-14 14:58:28.000000000 +0100
+++ ft2demos-2.4.8/graph/beos/rules.mk	2012-03-12 18:19:46.217136170 +0100
@@ -21,7 +21,7 @@
   # the rule used to compile the graphics driver
   #
   $(OBJ_DIR_2)/grbeos.$(SO): $(GR_BEOS)/grbeos.cpp $(GR_BEOS)/grbeos.h
-	  $(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	  $(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
                 $I$(subst /,$(COMPILER_SEP),$(GR_BEOS)) \
                 $(X11_INCLUDE:%=$I%) \
                 $T$(subst /,$(COMPILER_SEP),$@ $<)
Index: ft2demos-2.4.8/graph/os2/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/os2/rules.mk	2009-03-14 14:58:28.000000000 +0100
+++ ft2demos-2.4.8/graph/os2/rules.mk	2012-03-12 18:19:46.217136170 +0100
@@ -23,7 +23,7 @@
   # the rule used to compile the graphics driver
   #
   $(OBJ_DIR_2)/gros2pm.$O: $(GR_OS2)/gros2pm.c $(GR_OS2)/gros2pm.h
-	  $(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	  $(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
                 $I$(subst /,$(COMPILER_SEP),$(GR_OS2)) \
                 $T$(subst /,$(COMPILER_SEP),$@ $<)
 
Index: ft2demos-2.4.8/graph/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/rules.mk	2009-03-14 14:58:28.000000000 +0100
+++ ft2demos-2.4.8/graph/rules.mk	2012-03-12 18:19:58.781136650 +0100
@@ -67,14 +67,14 @@
 # pattern rule for normal sources
 #
 $(OBJ_DIR_2)/%.$(SO): $(GRAPH)/%.c $(GRAPH_H)
-	$(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) $T$@ $<
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) $T$@ $<
 
 
 # a special rule is used for 'grinit.o' as it needs the definition
 # of some macros like "-DDEVICE_X11" or "-DDEVICE_OS2_PM"
 #
 $(OBJ_DIR_2)/grinit.$(SO): $(GRAPH)/grinit.c $(GRAPH_H)
-	$(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
               $(DEVICES:%=$DDEVICE_%) $T$(subst /,$(COMPILER_SEP),$@ $<)
 
 
Index: ft2demos-2.4.8/graph/win32/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/win32/rules.mk	2009-03-14 14:58:28.000000000 +0100
+++ ft2demos-2.4.8/graph/win32/rules.mk	2012-03-12 18:19:46.217136170 +0100
@@ -20,7 +20,7 @@
   # the rule used to compile the graphics driver
   #
   $(OBJ_DIR_2)/grwin32.$O: $(GR_WIN32)/grwin32.c $(GR_WIN32)/grwin32.h
-	  $(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	  $(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
                 $I$(subst /,$(COMPILER_SEP),$(GR_WIN32)) \
                 $T$(subst /,$(COMPILER_SEP),$@ $<)
 
Index: ft2demos-2.4.8/graph/x11/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/x11/rules.mk	2012-03-12 18:19:46.193136170 +0100
+++ ft2demos-2.4.8/graph/x11/rules.mk	2012-03-12 18:19:46.217136170 +0100
@@ -100,7 +100,7 @@
   # the rule used to compile the X11 driver
   #
   $(OBJ_DIR_2)/grx11.$(SO): $(GR_X11)/grx11.c $(GR_X11)/grx11.h
-	  $(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	  $(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
                 $I$(subst /,$(COMPILER_SEP),$(GR_X11)) \
                 $(X11_INCLUDE:%=$I%) \
                 $T$(subst /,$(COMPILER_SEP),$@ $<)