Bug#652449: marked as done (elinks: Hardening CPPFLAGS missing, please enable pie and bindnow)

Sat, 24 Dec 2011 13:33:23 -0800 

Your message dated Sat, 24 Dec 2011 21:32:25 +0000
with message-id <[email protected]>
and subject line Bug#652449: fixed in elinks 0.12~pre5-7
has caused the Debian Bug report #652449,
regarding elinks: Hardening CPPFLAGS missing, please enable pie and bindnow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
652449: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652449
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: elinks
Version: 0.12~pre5-6
Severity: normal
Tags: patch

Hello,

Hardening flags were only enabled partially in 0.12~pre5-6,
CPPFLAGS is missing. The attached patch fixes this and also
enables pie and bindnow for elinks (builds and works fine for
me). As a browser elinks reads untrusted data and thus the
additional hardening flags are recommended.

Regards,
Simon

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages elinks depends on:
ii  elinks-data       0.12~pre5-6
ii  libbz2-1.0        1.0.6-1
ii  libc6             2.13-23
ii  libcomerr2        1.42-1
ii  libexpat1         2.0.1-7.2
ii  libfsplib0        0.11-2
ii  libgnutls26       2.12.14-4
ii  libgpm2           1.20.4-4
ii  libgssapi-krb5-2  1.10+dfsg~alpha1-6
ii  libidn11          1.23-2
ii  libk5crypto3      1.10+dfsg~alpha1-6
ii  libkrb5-3         1.10+dfsg~alpha1-6
ii  liblua50          5.0.3-6
ii  liblualib50       5.0.3-6
ii  libperl5.14       5.14.2-6
ii  libruby1.8        1.8.7.352-2
ii  libtre5           0.8.0-2
ii  zlib1g            1:1.2.3.4.dfsg-3

elinks recommends no packages.

Versions of packages elinks suggests:
pn  elinks-doc  <none>

-- no debconf information

diff -u elinks-0.12~pre5/debian/rules elinks-0.12~pre5/debian/rules
--- elinks-0.12~pre5/debian/rules
+++ elinks-0.12~pre5/debian/rules
@@ -17,9 +17,14 @@
 DEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 
+# Use hardening flags.
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
 CFLAGS_COMMON=-g
 CFLAGS_COMMON += `dpkg-buildflags --get CFLAGS`
 
+CPPFLAGS_COMMON = `dpkg-buildflags --get CPPFLAGS`
+
 LDFLAGS_COMMON="-Wl,-z,defs"
 LDFLAGS_COMMON += `dpkg-buildflags --get LDFLAGS`
 
@@ -129,11 +134,11 @@
 build-arch-stamp: patch-stamp save-stamp
 	mkdir $(CURDIR)/build-main && cd $(CURDIR)/build-main && \
 		$(CURDIR)/configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
-		$(confopts_main) CFLAGS="$(CFLAGS_COMMON)" LDFLAGS="$(LDFLAGS_COMMON)"
+		$(confopts_main) CFLAGS="$(CFLAGS_COMMON)" CPPFLAGS="$(CPPFLAGS_COMMON)" LDFLAGS="$(LDFLAGS_COMMON)"
 	$(MAKE) -C $(CURDIR)/build-main
 	mkdir $(CURDIR)/build-lite && cd $(CURDIR)/build-lite && \
 		$(CURDIR)/configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
-		$(confopts_lite) CFLAGS="$(CFLAGS_COMMON) $(CFLAGS_LITE)" LDFLAGS="$(LDFLAGS_COMMON)"
+		$(confopts_lite) CFLAGS="$(CFLAGS_COMMON) $(CFLAGS_LITE)" CPPFLAGS="$(CPPFLAGS_COMMON)" LDFLAGS="$(LDFLAGS_COMMON)"
 	$(MAKE) -C $(CURDIR)/build-lite
 	touch $@

--- End Message ---
--- Begin Message --- 
Source: elinks
Source-Version: 0.12~pre5-7

We believe that the bug you reported is fixed in the latest version of
elinks, which is due to be installed in the Debian FTP archive:

elinks-data_0.12~pre5-7_all.deb
  to main/e/elinks/elinks-data_0.12~pre5-7_all.deb
elinks-doc_0.12~pre5-7_all.deb
  to main/e/elinks/elinks-doc_0.12~pre5-7_all.deb
elinks-lite_0.12~pre5-7_amd64.deb
  to main/e/elinks/elinks-lite_0.12~pre5-7_amd64.deb
elinks_0.12~pre5-7.diff.gz
  to main/e/elinks/elinks_0.12~pre5-7.diff.gz
elinks_0.12~pre5-7.dsc
  to main/e/elinks/elinks_0.12~pre5-7.dsc
elinks_0.12~pre5-7_amd64.deb
  to main/e/elinks/elinks_0.12~pre5-7_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <[email protected]> (supplier of updated elinks package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 19 Dec 2011 23:47:27 +0100
Source: elinks
Binary: elinks elinks-data elinks-doc elinks-lite
Architecture: source amd64 all
Version: 0.12~pre5-7
Distribution: unstable
Urgency: low
Maintainer: Y Giridhar Appaji Nag <[email protected]>
Changed-By: Moritz Muehlenhoff <[email protected]>
Description: 
 elinks     - advanced text-mode WWW browser
 elinks-data - advanced text-mode WWW browser - data files
 elinks-doc - advanced text-mode WWW browser - documentation
 elinks-lite - advanced text-mode WWW browser - lightweight version
Closes: 652449
Changes: 
 elinks (0.12~pre5-7) unstable; urgency=low
 .
   * Fix handling of CPPFLAGS, thanks to Simon Ruderich (Closes: #652449)
     I won't enable pie and znow for now, they'll be activated in the
     default flags at some point.
Checksums-Sha1: 
 5dbc18601689222c939b64b30637c64cc4f5d527 1632 elinks_0.12~pre5-7.dsc
 39294d5d602d302cafddd8c00fcb0a3631396199 36582 elinks_0.12~pre5-7.diff.gz
 bee5a5a77093b5845d7f047f4bea2e7fcb800738 586418 elinks_0.12~pre5-7_amd64.deb
 ae06e3acaf93baed3fa96f54f5e9a19cb1dff413 411110 
elinks-lite_0.12~pre5-7_amd64.deb
 1719ad6b79bc3584da2ac8ede17145c4476258c0 613456 elinks-data_0.12~pre5-7_all.deb
 526e0d99665e0a44c3f75adadf72b300ad8fda8d 609208 elinks-doc_0.12~pre5-7_all.deb
Checksums-Sha256: 
 8cb9e468decce1aa3d958f3ed2f2e145c646f05bf16439da7c124d9d5e464ef7 1632 
elinks_0.12~pre5-7.dsc
 fc25fe99af616a604a5deae0760af27ba3ade588b61c1f5642e37b4a0ac823d7 36582 
elinks_0.12~pre5-7.diff.gz
 f6d827a62e2010abab2f1b0e75693ca986efd5c91a1e4ed10d4d211ae0012585 586418 
elinks_0.12~pre5-7_amd64.deb
 ff38726e1f2780bae1a67e788d6643fc775f870f7f92cb4943032aca0adf586d 411110 
elinks-lite_0.12~pre5-7_amd64.deb
 089ecc7ae1f5eece6640d1d102dd0ca0e8c902c65959cc621b877325764bf3ff 613456 
elinks-data_0.12~pre5-7_all.deb
 05ef4d581e62753e95f8bb2aa93310d00a3b3ee70c267cc76585bd6a2df55cf3 609208 
elinks-doc_0.12~pre5-7_all.deb
Files: 
 a28d3cdbabec9484e2d96bd6a0798bad 1632 web optional elinks_0.12~pre5-7.dsc
 a69df0b0ed65c1c00de3baa1a9f81813 36582 web optional elinks_0.12~pre5-7.diff.gz
 05c15274ed2e794f9ed2ed57fca998dc 586418 web optional 
elinks_0.12~pre5-7_amd64.deb
 eb1f393e975494ea8761396c3be0b80f 411110 web extra 
elinks-lite_0.12~pre5-7_amd64.deb
 a1d99fe38dbf5cbc7e58926de0fc76ce 613456 web optional 
elinks-data_0.12~pre5-7_all.deb
 4e1ccaab1a5985c9456bed9aa0a783c7 609208 doc optional 
elinks-doc_0.12~pre5-7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk72DE4ACgkQXm3vHE4uylrkSgCg19PMpjKlTAZE6ghkbwqUq9eh
RDsAoJKDsCnI6svddCD06RqNfB+qQurE
=8D1i
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to