reopen 658430
thanks

Hello,

The hardening flags are still missing in a few places:

    $ blhc newt_0.52.14-11_amd64.log
    CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security):  \            gcc -D_GNU_SOURCE -I/usr/include/slang -D_FORTIFY_SOURCE=2  $PIFLAGS $PCFLAGS -fPIC -c -o $ver/snackmodule.o snackmodule.c
    CFLAGS missing (-O2): \                 gcc -I/usr/include/tcl8.5 -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -I/usr/include/${ver}_d -fPIC -c -o $ver/snackmodule_d.o snackmodule.c
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): \                 gcc -I/usr/include/tcl8.5 -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -I/usr/include/${ver}_d -fPIC -c -o $ver/snackmodule_d.o snackmodule.c
    LDFLAGS missing (-Wl,-z,relro): \                 gcc --shared -fPIC  -fPIC -o $ver/_snackmodule_d.so $ver/snackmodule_d.o -L .  -lnewt
    CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security):  \            gcc -D_GNU_SOURCE -I/usr/include/slang -D_FORTIFY_SOURCE=2  $PIFLAGS $PCFLAGS -fPIC -c -o $ver/snackmodule.o snackmodule.c
    CFLAGS missing (-O2): \                 gcc -I/usr/include/tcl8.5 -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -I/usr/include/${ver}_d -fPIC -c -o $ver/snackmodule_d.o snackmodule.c
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): \                 gcc -I/usr/include/tcl8.5 -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -I/usr/include/${ver}_d -fPIC -c -o $ver/snackmodule_d.o snackmodule.c
    LDFLAGS missing (-Wl,-z,relro): \                 gcc --shared -fPIC  -fPIC -o $ver/_snackmodule_d.so $ver/snackmodule_d.o -L .  -lnewt

The attached patch fixes the issue. It should be merged with
other patches touching those lines in Makefile.in.

If possible -O0 should be replaced with at least -O1 to support
-D_FORTIFY_SOURCE=2 (not sure why -O2 is disabled for the debug
build).

Regards,
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2013-02-11

Index: newt-0.52.14/Makefile.in
===================================================================
--- newt-0.52.14.orig/Makefile.in	2013-02-11 15:05:16.165039397 +0100
+++ newt-0.52.14/Makefile.in	2013-02-11 15:05:16.157039353 +0100
@@ -83,10 +83,10 @@
 			PIFLAGS=`$$ver-config --includes`; \
 			PLDFLAGS=`$$ver-config --ldflags | sed -e 's/\-lpython[0-9.]*//'`; \
 			PLFLAGS=`$$ver-config --libs | sed -e 's/\-lpython[0-9.]*//'`; \
-	        $(CC) $(CPPFLAGS) $$PIFLAGS $$PCFLAGS -fPIC -c -o $$ver/snackmodule.o snackmodule.c ;\
+	        $(CC) $(CPPFLAGS) $(CFLAGS) $$PIFLAGS $$PCFLAGS -fPIC -c -o $$ver/snackmodule.o snackmodule.c ;\
 	        $(CC) --shared -fPIC $$PLDFLAGS $$PLFLAGS $(LDFLAGS) -o $$ver/_snackmodule.so $$ver/snackmodule.o -L.  -lnewt $(LIBS);\
-                $(CC) $(subst -O2,-O0,$(CFLAGS)) -I/usr/include/$${ver}_d -fPIC -c -o $$ver/snackmodule_d.o snackmodule.c ;\
-                $(CC) --shared -fPIC  $(SHCFLAGS) -o $$ver/_snackmodule_d.so $$ver/snackmodule_d.o -L .  -lnewt  ;\
+                $(CC) $(CPPFLAGS) $(subst -O2,-O0,$(CFLAGS)) -I/usr/include/$${ver}_d -fPIC -c -o $$ver/snackmodule_d.o snackmodule.c ;\
+                $(CC) --shared -fPIC  $(SHCFLAGS) $(LDFLAGS) -o $$ver/_snackmodule_d.so $$ver/snackmodule_d.o -L .  -lnewt  ;\
 	done || :
 	touch $@
 
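
Review bot: the debug compile line (`$(CC) $(CPPFLAGS) $(subst -O2,-O0,$(CFLAGS)) ... -o $$ver/snackmodule_d.o`) now receives -D_FORTIFY_SOURCE=2 through $(CPPFLAGS) but still rewrites -O2 to -O0, and the fortified glibc wrappers are only active when optimization is enabled, so the define has no effect on snackmodule_d.o. blhc will also keep reporting "CFLAGS missing (-O2)" for that command. Consider `$(subst -O2,-O1,$(CFLAGS))` as the message proposes, or add a comment in Makefile.in stating why the debug module must be built at -O0 so the remaining blhc finding is documented. The debug link line gains $(LDFLAGS), which covers the -Wl,-z,relro finding; the position after $(SHCFLAGS) is consistent with the non-debug link line above it.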
