Package: plasma-widget-yawp Version: 0.4.2-1 Severity: normal Tags: patch Dear Maintainer,
The LDFLAGS hardening flags are missing because they are overwritten in debian/rules. DEB_*_MAINT_APPEND is the preferred way to set additional flags (see man dpkg-buildflags for more information). For more hardening information please have a look at [1], [2] and [3]. The following patch fixes the issue. diff -Nru plasma-widget-yawp-0.4.2/debian/rules plasma-widget-yawp-0.4.2/debian/rules --- plasma-widget-yawp-0.4.2/debian/rules 2011-02-26 12:55:12.000000000 +0100 +++ plasma-widget-yawp-0.4.2/debian/rules 2012-04-18 02:29:00.000000000 +0200 @@ -2,13 +2,12 @@ DH_ALWAYS_EXCLUDE:=CVS:.svn:.svnignore:.hg:.hgignore:.git:.gitignore +export DEB_LDFLAGS_MAINT_APPEND = -Wl,--no-undefined -Wl,--as-needed + override_dh_auto_configure: dh_auto_configure --parallel -Skde -- -DBUILD_UNITTESTS=NO \ -DDEBUG_LOGFILE=/tmp/plasma-widget-yawp.log \ - -DDEBUG_LOGLEVEL=Warning -DCMAKE_BUILD_TYPE=Release \ - -DCMAKE_SHARED_LINKER_FLAGS="-Wl,--no-undefined -Wl,--as-needed" \ - -DCMAKE_MODULE_LINKER_FLAGS="-Wl,--no-undefined -Wl,--as-needed" \ - -DCMAKE_EXE_LINKER_FLAGS="-Wl,--no-undefined -Wl,--as-needed" + -DDEBUG_LOGLEVEL=Warning -DCMAKE_BUILD_TYPE=Release override_dh_installchangelogs: dh_installchangelogs CHANGELOG To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything): $ hardening-check /usr/lib/kde4/plasma_applet_yawp.so /usr/lib/kde4/ion_wunderground.so /usr/lib/kde4/ion_google.so /usr/lib/kde4/ion_accuweather.so /usr/lib/kde4/plasma_applet_yawp.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: no, not found! Fortify Source functions: no, only unprotected functions found! Read-only relocations: yes Immediate binding: no not found! /usr/lib/kde4/ion_wunderground.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: no, not found! Fortify Source functions: no, only unprotected functions found! Read-only relocations: yes Immediate binding: no not found! /usr/lib/kde4/ion_google.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: no, not found! Fortify Source functions: no, only unprotected functions found! Read-only relocations: yes Immediate binding: no not found! /usr/lib/kde4/ion_accuweather.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: no, not found! Fortify Source functions: no, only unprotected functions found! Read-only relocations: yes Immediate binding: no not found! (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening [4]: http://ruderich.org/simon/blhc/ -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature