Package: openldap
Version: 2.4.28-1.1
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,

The hardening flags are missing for autogroup and smbk5pwd because the build
system ignores them. The attached patch fixes the issue. If possible it should
be sent to upstream (it might not apply cleanly to upstream because the
Makefile is modified by another Debian patch).

To check if all flags were correctly enabled you can use `hardening-check`
from the hardening-includes package and check the build log (hardening-check
doesn't catch everything):

$ hardening-check /usr/lib/ldap/autogroup.so.0.0.0 /usr/lib/ldap/smbk5pwd.so.0.0.0
/usr/lib/ldap/autogroup.so.0.0.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes
/usr/lib/ldap/smbk5pwd.so.0.0.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

(Position Independent Executable and Immediate binding are not enabled by
default.)

Use

  find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.
Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPX2klAAoJEJL+/bfkTDL5Q7YP/0b4vK7IN3dSe0mkvLSZokGK
aGZzOLbhcDUlijWL/Ms5vJ4Ds3/b2+YgPhiDozozL/L/+d0qHYImcH7xKKKu0hXP
O//j7YzOU0AEPbOBCop3XJbX0m9oULs+rnZHgoBbaZV8Lk46UjD4WuRmyaB2M0Ve
MXWVAwzU83FSIKCZ+9HhY4h1iAOgQRnYDM10BIbLm7wdHcBpjJtSTUU/HVnmbmK3
5xEqarQMEL2IXXMfupciBljh5yMC65FzKid1KMbO3VjBs2kZQKXuBTfqN6YOOKR4
O4QKNVHRLNh1hil4tOd2ZlXZ7z5shdR4zqtaX+GE/SbTEzz6kES1nORYvm40EYEj
vk7PM2ynpdXgE2iaKhha5MuTt4BQiwoiOTQGCjgqbklTNWEdXTjHytSFl6JN4tMC
1htLE/KFNaosDtMeM8X+ogXA3AWLHu9DnKMMgVejxcOy01+6qiejB3fRdorGxOlr
ZDHxuuVAMD8ZMfM7wDiqhd9/dhgNSd/q9nknrSY18lbHoMs1dq5OJakJ18pr8xOS
X5NXA+EYCobCyhgBVmWASiJ+1oT1kBLX9qJk5HTUVLuWJ0G7WKPBOyryjItD3vLb
i0xXfnR+5fdS7bivsYPHUYut+Amfdeni92fKCwZsfXQeBsHsjnzllThayrG5bHyB
9piwDooomTOlJf5kEym0
=t1Hv
-----END PGP SIGNATURE-----
Index: openldap-2.4.28/contrib/slapd-modules/autogroup/Makefile =================================================================== --- openldap-2.4.28.orig/contrib/slapd-modules/autogroup/Makefile 2012-03-12 21:42:24.281598917 +0100 +++ openldap-2.4.28/contrib/slapd-modules/autogroup/Makefile 2012-03-12 21:44:24.861603510 +0100 @@ -12,10 +12,10 @@ all: autogroup.la autogroup.lo: autogroup.c - $(LIBTOOL) --mode=compile $(CC) $(CPPFLAGS) -Wall -c $? + $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) -Wall -c $? autogroup.la: autogroup.lo - $(LIBTOOL) --mode=link $(CC) -version-info 0:0:0 \ + $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info 0:0:0 \ -rpath /usr/lib/ldap -module -o $@ $? clean: Index: openldap-2.4.28/contrib/slapd-modules/smbk5pwd/Makefile =================================================================== --- openldap-2.4.28.orig/contrib/slapd-modules/smbk5pwd/Makefile 2012-03-12 21:42:24.269598918 +0100 +++ openldap-2.4.28/contrib/slapd-modules/smbk5pwd/Makefile 2012-03-12 21:43:59.229602532 +0100 @@ -41,10 +41,10 @@ smbk5pwd.lo: smbk5pwd.c - $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $? + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $? smbk5pwd.la: smbk5pwd.lo - $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \ + $(LIBTOOL) --mode=link $(CC) $(OPT) $(LDFLAGS) -version-info 0:0:0 \ -rpath $(moduledir) -module -o $@ $? $(LIBS) clean:
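Review bot: in the autogroup hunk the link rule picks up $(LDFLAGS) but not $(CFLAGS), while the compile rule gets $(CFLAGS) $(CPPFLAGS); since libtool hands both steps to $(CC), the usual convention is to pass the compiler flags on the link line as well so that options which must be repeated at link time are not dropped. Suggest `$(LIBTOOL) --mode=link $(CC) $(CFLAGS) $(LDFLAGS) -version-info 0:0:0 \`. The patch also carries no DEP-3 header (Description, Author, Forwarded) above the first `Index:` line, which the report's own remark about sending it upstream makes worth recording.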
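Review bot: the smbk5pwd hunk keeps the Makefile's own $(OPT) in front of the new $(CFLAGS) on the compile line, so any -O or -g level in $(OPT) is overridden by a later one in $(CFLAGS) (gcc takes the last occurrence); that is the behaviour a Debian build wants, but it should be stated in the patch header, and as in the other hunk the link line receives $(LDFLAGS) without $(CFLAGS). Suggest `$(LIBTOOL) --mode=link $(CC) $(OPT) $(CFLAGS) $(LDFLAGS) -version-info 0:0:0 \`.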
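The report's verification steps (run hardening-check over the build result, and read the build log for what hardening-check cannot see) can be turned into a build gate. The following is an added example, not part of the bug report, the patch or the openldap package: it assumes hardening-check's output format as quoted in the report, and the sample build-log lines and flag values (-fstack-protector, -D_FORTIFY_SOURCE=2, -Wl,-z,relro) are constructed here to imitate what dpkg-buildflags produced on Debian at the time, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the bug report, the patch or openldap): gate a
# build on hardening-check output and on the build log. All sample data is
# constructed to imitate the formats quoted in the report.

# hardening_gate: read hardening-check output on stdin; succeed only if no
# property is reported "no", except those hardening-check itself marks
# "(ignored)" (PIE on a regular shared library, as in the report).
hardening_gate() {
    ! grep -E ': no(,|$)' | grep -v '(ignored)' | grep -q .
}

# missing_flag_lines MODE FLAG: read a build log on stdin and print how many
# libtool MODE (compile or link) invocations lack FLAG. This covers the part
# of the check hardening-check cannot see, e.g. a flag silently dropped from
# one module's compile line while the rest of the package is fine.
missing_flag_lines() {
    grep -E "mode=$1( |\$)|libtool: $1:" | grep -vF -- "$2" | wc -l | tr -d ' '
}

# check_tree DIR: the same find the report suggests, piped into the gate.
# Needs the real hardening-check binary; not exercised on the samples below.
check_tree() {
    find "$1" -type f \( -executable -o -name '*.so*' \) \
        -exec hardening-check {} + | hardening_gate
}

# Constructed hardening-check output: a fully hardened module ...
SAMPLE_OK='/usr/lib/ldap/autogroup.so.0.0.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes'

# ... and the same module built with the flags ignored, i.e. before the patch.
SAMPLE_BAD='/usr/lib/ldap/autogroup.so.0.0.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: no, not found!
 Immediate binding: no, not found!'

# Constructed build-log excerpt: autogroup compiled and linked with the
# hardening flags, smbk5pwd compiled without them (the defect the report fixes).
SAMPLE_LOG='libtool --mode=compile gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wall -c autogroup.c
libtool --mode=link gcc -Wl,-z,relro -version-info 0:0:0 -rpath /usr/lib/ldap -module -o autogroup.la autogroup.lo
libtool --mode=compile gcc -Wall -c smbk5pwd.c'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK"  | hardening_gate && echo "SAMPLE_OK: all checks pass"
printf '%s\n' "$SAMPLE_BAD" | hardening_gate || echo "SAMPLE_BAD: hardening missing"
echo "compile lines without -fstack-protector: $(printf '%s\n' "$SAMPLE_LOG" | missing_flag_lines compile -fstack-protector)"
echo "link lines without -Wl,-z,relro: $(printf '%s\n' "$SAMPLE_LOG" | missing_flag_lines link -Wl,-z,relro)"
```

In a packaging rules file one would run check_tree against the install tree and missing_flag_lines against the saved build log, and fail the build on a nonzero result, so that a Makefile dropping $(CFLAGS) or $(LDFLAGS) again is caught at build time rather than by a later audit.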