Package: plasma-widget-yawp
Version: 0.4.2-1
Severity: normal
Tags: patch

Dear Maintainer,

The LDFLAGS hardening flags are missing because they are
overwritten in debian/rules.

DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].

The following patch fixes the issue.

diff -Nru plasma-widget-yawp-0.4.2/debian/rules 
plasma-widget-yawp-0.4.2/debian/rules
--- plasma-widget-yawp-0.4.2/debian/rules       2011-02-26 12:55:12.000000000 
+0100
+++ plasma-widget-yawp-0.4.2/debian/rules       2012-04-18 02:29:00.000000000 
+0200
@@ -2,13 +2,12 @@
 
 DH_ALWAYS_EXCLUDE:=CVS:.svn:.svnignore:.hg:.hgignore:.git:.gitignore
 
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--no-undefined -Wl,--as-needed
+
 override_dh_auto_configure:
                dh_auto_configure --parallel -Skde -- -DBUILD_UNITTESTS=NO \
                                        
-DDEBUG_LOGFILE=/tmp/plasma-widget-yawp.log \
-                                       -DDEBUG_LOGLEVEL=Warning 
-DCMAKE_BUILD_TYPE=Release \
-                                       
-DCMAKE_SHARED_LINKER_FLAGS="-Wl,--no-undefined -Wl,--as-needed" \
-                                       
-DCMAKE_MODULE_LINKER_FLAGS="-Wl,--no-undefined -Wl,--as-needed" \
-                                       
-DCMAKE_EXE_LINKER_FLAGS="-Wl,--no-undefined -Wl,--as-needed"
+                                       -DDEBUG_LOGLEVEL=Warning 
-DCMAKE_BUILD_TYPE=Release
 
 override_dh_installchangelogs:
        dh_installchangelogs CHANGELOG
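Review bot: removing the three -DCMAKE_*_LINKER_FLAGS arguments makes `-Wl,--no-undefined -Wl,--as-needed` depend entirely on `dh_auto_configure -Skde` passing the appended LDFLAGS from dpkg-buildflags through to CMake's shared, module and executable linker flags, and nothing in the hunk shows that propagation; the build log should be checked (blhc, as the report suggests) to confirm that both the appended flags and the hardening `-Wl,-z,relro` reach every link line after this change. Separately, the unchanged context line `-DDEBUG_LOGFILE=/tmp/plasma-widget-yawp.log` points the debug log at a fixed path in a world-writable directory; that predates this change but deserves a follow-up of its own.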

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/lib/kde4/plasma_applet_yawp.so /usr/lib/kde4/ion_wunderground.so /usr/lib/kde4/ion_google.so /usr/lib/kde4/ion_accuweather.so
    /usr/lib/kde4/plasma_applet_yawp.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/kde4/ion_wunderground.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/kde4/ion_google.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/kde4/ion_accuweather.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
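As an added example (not part of the bug report), the hardening-check output quoted above can be gated automatically: the parser below reads that text format and reports every file missing one of the checks that dpkg-buildflags enables by default, so a package build can fail instead of silently shipping unprotected objects. The sample output is constructed to match the report's format; PIE and immediate binding are deliberately not gated since they are opt-in.

```python
# Parse hardening-check's text output (format as quoted in the bug report)
# and flag files that lack the default Debian hardening properties.

# Constructed sample in hardening-check's output format (not a real run).
SAMPLE_OUTPUT = """\
/usr/lib/kde4/plasma_applet_yawp.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/kde4/ion_google.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
"""

# Properties dpkg-buildflags turns on by default; PIE and bindnow are opt-in
# (as the report notes), so a "no" there is not treated as a failure.
REQUIRED = ("Stack protected", "Fortify Source functions", "Read-only relocations")


def parse_hardening_check(text):
    """Return {path: {check_name: bool}} from hardening-check's output.

    A line with no leading space ending in ':' starts a new file section;
    indented 'Name: value' lines are checks, true when the value says 'yes'.
    """
    results = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1]
            results[current] = {}
        elif current is not None and ":" in line:
            name, _, value = line.strip().partition(":")
            results[current][name.strip()] = value.strip().lower().startswith("yes")
    return results


def missing_hardening(results, required=REQUIRED):
    """Return {path: [failed check names]} for files lacking a required property."""
    report = {}
    for path, checks in results.items():
        failed = [name for name in required if not checks.get(name, False)]
        if failed:
            report[path] = failed
    return report


if __name__ == "__main__":
    for path, failed in missing_hardening(parse_hardening_check(SAMPLE_OUTPUT)).items():
        print(f"{path}: missing {', '.join(failed)}")
```

Pipe real output in place of SAMPLE_OUTPUT (for example from the `find ... -exec hardening-check {} +` invocation above) and exit non-zero when the returned dict is non-empty to turn this into a build gate.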
