Your message dated Sun, 04 Mar 2012 21:36:43 +0000
with message-id <[email protected]>
and subject line Bug#662191: fixed in mrd6 0.9.6-9
has caused the Debian Bug report #662191,
regarding mrd6: Hardening flags missing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
662191: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662191
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mrd6
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
Not all (hardening) compiler flags from dpkg-buildpackage are
used by the Makefile.
As debian/compat=9 is used, it's not necessary to set *FLAGS
manually; dpkg-buildpackage is used automatically. For more
information please have a look at [1], [2] and [3]. The following
patch fixes that:
diff -Nru mrd6-0.9.6/debian/rules mrd6-0.9.6/debian/rules
- --- mrd6-0.9.6/debian/rules 2012-03-03 09:58:03.000000000 +0100
+++ mrd6-0.9.6/debian/rules 2012-03-04 16:43:03.000000000 +0100
@@ -9,10 +9,6 @@
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
- -export CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
- -export CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS)
- -export LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
- -
export PREFIX=/usr
export TARGET=mrd6
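Review bot: dropping the three `export ...FLAGS:=$(shell dpkg-buildflags --get ...)` lines only works because, as the report says, debian/compat is 9 and dh exports the dpkg-buildflags values into the environment itself; it would be worth stating that dependency in the changelog. Exporting the flags is necessary but not sufficient here, since src/Makefile still assigns `CXXFLAGS =` and the compile rule never expands `$(CPPFLAGS)`, so this hunk must land together with the Makefile patch that makes the build honour the environment.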
But not all flags are used by the Makefile. The attached patches
fix that (0012-Use-flags-from-dpkg-buildflags.patch) and also
enable a verbose build (0011-Enable-verbose-build.patch) so it's
easy to detect missing flags.
With the hardening flags enabled, -Wformat-security detected a
problem: syslog_log_node::log() doesn't use a format string.
0013-Wformat-security-fix.patch fixes that.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
$ hardening-check /usr/sbin/mrd6 /usr/lib/mrd6/bgp.so
/usr/lib/mrd6/bgp.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: no, not found!
Immediate binding: no not found!
/usr/sbin/mrd6:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Description: Display compiler commands/flags while building.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-04
--- mrd6-0.9.6.orig/src/Makefile
+++ mrd6-0.9.6/src/Makefile
@@ -141,7 +141,7 @@ define module_template
BUILT_SOURCES += $$($(1)_SOURCES)
$$($(1)_TARGET): $$(addprefix $(OBJ_DIR)/,$($(1)_SOURCES:.cpp=.o))
@echo "Module $$($(1)_TARGET)"
- @$(CXX) -shared $(LDMODCMD) $(CXXFLAGS) -o $$($(1)_TARGET) \
+ $(CXX) -shared $(LDMODCMD) $(CXXFLAGS) -o $$($(1)_TARGET) \
$$(addprefix $(OBJ_DIR)/,$($(1)_SOURCES:.cpp=.o))
endef
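Review bot: the module link line still expands `$(CXXFLAGS)` but no `$(LDFLAGS)`, unlike the unittest and `$(TARGET)` link rules below, so whatever dpkg-buildflags puts in LDFLAGS never reaches the `.so` modules; that matches the `Read-only relocations: no, not found!` result for /usr/lib/mrd6/bgp.so in the report (and the changelog's "Use LDFLAGS when linking modules" entry). Suggest `$(CXX) -shared $(LDMODCMD) $(CXXFLAGS) $(LDFLAGS) -o $$($(1)_TARGET) \`. With the `@` gone the `@echo "Module ..."` line above becomes redundant, though harmless.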
@@ -154,7 +154,7 @@ define unittest_template
BUILT_SOURCES += $(1).cpp
$(1): $(TEST_OBJECTS) $(1).cpp
@echo "Linking $(1)"
- @$(CXX) $(LDCMD) $(CXXFLAGS) -o $(1) $(1).cpp $(TEST_OBJECTS) \
+ $(CXX) $(LDCMD) $(CXXFLAGS) -o $(1) $(1).cpp $(TEST_OBJECTS) \
$(LDFLAGS) -lboost_unit_test_framework
endef
@@ -166,7 +166,7 @@ $(foreach test,$(TESTS),$(eval $(call un
$(TARGET): $(MRD_OBJECTS)
@echo "Linking $(TARGET)"
- @$(CXX) $(LDCMD) $(CXXFLAGS) -o $@ $(MRD_OBJECTS) $(LDFLAGS)
+ $(CXX) $(LDCMD) $(CXXFLAGS) -o $@ $(MRD_OBJECTS) $(LDFLAGS)
install: $(TARGET) $(EXTERNAL_MODULES)
install -D $(TARGET) $(DEST_PREFIX)/sbin/$(TARGET)
@@ -196,7 +196,7 @@ $(OPTIONS):
$(DEPS_DIR)/%.d: %.cpp $(OPTIONS)
@echo "Deps $<"
- @set -e; mkdir -p $(dir $@); \
+ set -e; mkdir -p $(dir $@); \
$(CXX) -MM -MT $@ -MT $(addprefix $(OBJ_DIR)/,$(<:.cpp=.o)) \
$(CXXFLAGS) $< > $@
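Review bot: removing `@` unconditionally makes every build (not only Debian's) echo each command. The usual idiom is a verbosity switch, e.g. `Q = @` unless `V=1` is given and `$(Q)set -e; mkdir -p $(dir $@); \` in the recipes, so upstream users keep the quiet default while debian/rules passes `V=1` to audit the flags. The same applies to the other hunks in this patch.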
@@ -210,7 +210,7 @@ endif
$(OBJ_DIR)/%.o: %.cpp $(OPTIONS)
@echo "C++ $<"
- @set -e; mkdir -p $(dir $@); \
+ set -e; mkdir -p $(dir $@); \
$(CXX) -c $(CXXFLAGS) $< -o $@
clean:
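Review bot: the compile rule runs `$(CXX) -c $(CXXFLAGS) $< -o $@` without `$(CPPFLAGS)`, so preprocessor flags from the environment (which the 0012 patch description notes are used for hardening) are silently dropped unless folded into CXXFLAGS. The companion patch takes the folding route; adding `$(CPPFLAGS)` to this recipe and to the `-MM` dependency recipe above would be the more conventional fix and keeps the dependency scan seeing the same defines as the compile.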
Description: Use compiler flags from the environment.
This is necessary to use the (hardening) compiler flags from dpkg-buildflags.
.
Also pass CPPFLAGS which is used for hardening.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-04
Index: mrd6-0.9.6/tools/c/Makefile
===================================================================
--- mrd6-0.9.6.orig/tools/c/Makefile 2012-03-04 16:39:04.000000000 +0100
+++ mrd6-0.9.6/tools/c/Makefile 2012-03-04 16:42:23.000000000 +0100
@@ -1,4 +1,4 @@
-CFLAGS = -g -O2 -Wall -ansi
+CFLAGS += -Wall -ansi
PREFIX ?= /usr/local
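Review bot: replacing `CFLAGS = -g -O2 -Wall -ansi` with `CFLAGS += -Wall -ansi` also drops the `-g -O2` default, so a build outside dpkg-buildpackage (empty CFLAGS) is now unoptimised and without debug info. `CFLAGS ?= -g -O2` followed by `CFLAGS += -Wall -ansi` keeps the default while still honouring an exported CFLAGS. Please also confirm that the tools' compile and link rules expand `$(CPPFLAGS)` and `$(LDFLAGS)`; this hunk only touches CFLAGS.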
Index: mrd6-0.9.6/src/Makefile
===================================================================
--- mrd6-0.9.6.orig/src/Makefile 2012-03-04 16:42:23.000000000 +0100
+++ mrd6-0.9.6/src/Makefile 2012-03-04 16:42:36.000000000 +0100
@@ -105,7 +105,7 @@
DEST_PREFIX = $(DESTDIR)$(PREFIX)
-CXXFLAGS = $(INCLUDES) -ansi -Wall -Wno-multichar -fno-exceptions -fPIC \
+CXXFLAGS += $(CPPFLAGS) $(INCLUDES) -ansi -Wall -Wno-multichar -fno-exceptions -fPIC \
-fno-strict-aliasing -D$(PLATFORM) $(addprefix -D,$(MODULE_OPTIONS))
ifeq ($(OPTIMIZE),yes)
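Review bot: folding `$(CPPFLAGS)` into `CXXFLAGS +=` works because the compile rule only expands CXXFLAGS, but it also feeds the preprocessor flags into every link line that expands `$(CXXFLAGS)` (harmless, just noise). The `-g -O2` default is not lost here the way it is in tools/c/Makefile, but the `ifeq ($(OPTIMIZE),yes)` block that follows should be checked to append with `+=` rather than reassign `CXXFLAGS =`, or the environment flags would be lost again on that path.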
Description: Fix compiling with -Wformat-security.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-04
--- mrd6-0.9.6.orig/src/log.cpp
+++ mrd6-0.9.6/src/log.cpp
@@ -321,7 +321,7 @@ static inline int type_as_syslog_priorit
}
void syslog_log_node::log(int type, int level, const char *msg, bool) {
- syslog(type_as_syslog_priority(type), msg);
+ syslog(type_as_syslog_priority(type), "%s", msg);
}
tb_log_node::tb_log_node(log_base *parent, const char *name, int level)
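Review bot: the fix is the right one. syslog(3) treats its third argument as a printf-style format, so a message containing `%` conversions (a logged line that quotes network- or user-supplied text, or simply a literal "100%") would be interpreted as a format with arguments that were never passed; passing `"%s", msg` makes the message pure data, which is what the changelog's "Interpret syslog buffer string as string only" describes. Worth grepping log.cpp for any other log_node subclass that hands `msg` to a printf-family function the same way, since `-Wformat-security` only flags calls it can see the format argument of.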
--- End Message ---
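Added example, not part of the bug report and not code from mrd6 or from hardening-check: a small Python re-implementation of the five checks in the `hardening-check` output above, driven by the evidence that tool reads, `readelf` output. The readelf text embedded below is constructed by hand so the script runs offline and mirrors the report's results for /usr/sbin/mrd6 and /usr/lib/mrd6/bgp.so. The `check_file()` helper runs the real `readelf` on a path; its reliance on readelf's plain-text layout and the heuristics used (an imported `__stack_chk_fail` for the stack protector, `__*_chk` imports for FORTIFY_SOURCE, a `GNU_RELRO` segment for relro, `BIND_NOW` dynamic tags for immediate binding, `DYN` type plus an `INTERP` header for PIE) are assumptions of this example.

```python
"""Simplified hardening checker (added example, not mrd6 or hardening-check
code).  classify() works on readelf text; check_file() invokes readelf."""
import re
import subprocess


def classify(header, phdrs, dynamic, symbols):
    """Classify hardening properties from the text of readelf -h, -lW, -dW, -sW."""
    m = re.search(r"^\s*Type:\s+(\w+)", header, re.M)
    elf_type = m.group(1) if m else "UNKNOWN"
    has_interp = re.search(r"^\s*INTERP\b", phdrs, re.M) is not None
    if elf_type == "EXEC":
        pie = "no, normal executable"
    elif elf_type == "DYN" and has_interp:        # PIE: DYN with a program interpreter
        pie = "yes"
    elif elf_type == "DYN":                       # DYN without interpreter: a library
        pie = "no, regular shared library (ignored)"
    else:
        pie = "unknown"
    # Imported (UND) symbol names with the @GLIBC_x.y version suffix stripped.
    imported = {n.split("@")[0] for n in re.findall(r"\bUND\s+(\S+)", symbols)}
    # -fstack-protector emits calls to __stack_chk_fail; -D_FORTIFY_SOURCE
    # rewrites checked libc calls to their __*_chk variants.
    stack = "__stack_chk_fail" in imported
    fortify = any(re.fullmatch(r"__\w+_chk", n) for n in imported)
    # -Wl,-z,relro produces a GNU_RELRO segment; -Wl,-z,now produces a
    # BIND_NOW tag, FLAGS BIND_NOW or FLAGS_1 NOW in the dynamic section.
    relro = re.search(r"^\s*GNU_RELRO\b", phdrs, re.M) is not None
    bind_now = any(re.search(p, dynamic) for p in (
        r"\(BIND_NOW\)", r"\(FLAGS\)\s.*\bBIND_NOW\b", r"\(FLAGS_1\)\s.*\bNOW\b"))
    return {"pie": pie, "stack_protected": stack, "fortify": fortify,
            "relro": relro, "bind_now": bind_now}


def missing(result):
    """Protections a build-time check should complain about (libraries are not
    expected to be PIE, so only a normal executable counts as a PIE gap)."""
    gaps = [k for k in ("stack_protected", "fortify", "relro", "bind_now") if not result[k]]
    if result["pie"].startswith("no, normal"):
        gaps.append("pie")
    return gaps


def report(name, result):
    """Render a result in the same shape as hardening-check's output."""
    yn = lambda b: "yes" if b else "no, not found!"
    return "\n".join([f"{name}:",
                      f" Position Independent Executable: {result['pie']}",
                      f" Stack protected: {yn(result['stack_protected'])}",
                      f" Fortify Source functions: {yn(result['fortify'])}",
                      f" Read-only relocations: {yn(result['relro'])}",
                      f" Immediate binding: {yn(result['bind_now'])}"])


def check_file(path):
    """Run readelf (binutils) on a real ELF file and classify it."""
    out = [subprocess.run(["readelf", flag, path], capture_output=True,
                          text=True, check=True).stdout
           for flag in ("-h", "-lW", "-dW", "-sW")]
    return classify(*out)


# Constructed readelf output mirroring the report's /usr/sbin/mrd6 result:
# EXEC, stack protector and fortify present, GNU_RELRO present, no BIND_NOW.
MRD6_HEADER = "ELF Header:\n  Class:  ELF64\n  Type:   EXEC (Executable file)\n"
MRD6_PHDRS = """Program Headers:
  Type       Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  INTERP     0x000238 0x0000000000400238 0x0000000000400238 0x00001c 0x00001c R   0x1
  LOAD       0x000000 0x0000000000400000 0x0000000000400000 0x03a1f0 0x03a1f0 R E 0x200000
  GNU_RELRO  0x03ae10 0x000000000063ae10 0x000000000063ae10 0x0001f0 0x0001f0 R   0x1
"""
MRD6_DYN = """Dynamic section at offset 0x3ae20 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x403e08
"""
MRD6_SYMS = """Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND syslog@GLIBC_2.2.5 (4)
"""
# Constructed output mirroring /usr/lib/mrd6/bgp.so: a shared library (DYN
# without INTERP), no GNU_RELRO segment, no BIND_NOW, same imports.
BGP_HEADER = MRD6_HEADER.replace("EXEC (Executable file)", "DYN (Shared object file)")
BGP_PHDRS = """Program Headers:
  Type       Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD       0x000000 0x0000000000000000 0x0000000000000000 0x01b2c8 0x01b2c8 R E 0x200000
"""

if __name__ == "__main__":
    for name, args in (("/usr/lib/mrd6/bgp.so", (BGP_HEADER, BGP_PHDRS, MRD6_DYN, MRD6_SYMS)),
                       ("/usr/sbin/mrd6", (MRD6_HEADER, MRD6_PHDRS, MRD6_DYN, MRD6_SYMS))):
        result = classify(*args)
        print(report(name, result), "\n missing:", missing(result))
```

`missing()` is the part a debian/rules override could fail the build on; note that it counts a non-PIE executable as a gap, which is stricter than the report, whose mrd6 result shows a normal executable and was still closed as fixed. For real binaries call `check_file("/usr/sbin/mrd6")`, which needs binutils installed.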
--- Begin Message ---
Source: mrd6
Source-Version: 0.9.6-9
We believe that the bug you reported is fixed in the latest version of
mrd6, which is due to be installed in the Debian FTP archive:
mrd6_0.9.6-9.debian.tar.gz
to main/m/mrd6/mrd6_0.9.6-9.debian.tar.gz
mrd6_0.9.6-9.dsc
to main/m/mrd6/mrd6_0.9.6-9.dsc
mrd6_0.9.6-9_amd64.deb
to main/m/mrd6/mrd6_0.9.6-9_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Preud'homme <[email protected]> (supplier of updated mrd6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 04 Mar 2012 21:48:42 +0100
Source: mrd6
Binary: mrd6
Architecture: source amd64
Version: 0.9.6-9
Distribution: unstable
Urgency: low
Maintainer: Thomas Preud'homme <[email protected]>
Changed-By: Thomas Preud'homme <[email protected]>
Description:
mrd6 - IPv6 Multicast Routing Daemon
Closes: 662191
Changes:
mrd6 (0.9.6-9) unstable; urgency=low
.
* Improve fortification of mrd6 (Closes: #662191, big thanks Simon
Ruderich):
+ Enable verbose build to catch missing flags.
+ Always allow flags to be set from environment.
+ Use LDFLAGS when linking modules.
+ Interpret syslog buffer string as string only.
+ Remove manual setting of *FLAGS with dpkg-buildflags in debian/rules.
Checksums-Sha1:
20b31612b10b10e819e2bf5a3f44b15391effa26 1845 mrd6_0.9.6-9.dsc
0cf004849de25e800c4a4cff8584e72508301adf 12401 mrd6_0.9.6-9.debian.tar.gz
cc2e3504d132100722a4c288bae60da384035dc3 367894 mrd6_0.9.6-9_amd64.deb
Checksums-Sha256:
f14256d6b1a25d32fef275167909a6251db062619b61d599e247e4acbba79f94 1845 mrd6_0.9.6-9.dsc
0e68839b434a0a327795c1820c4e3ad4b483e45a258f47d63d51b9e835ebb100 12401 mrd6_0.9.6-9.debian.tar.gz
3f608eb8cbfcca96b29daa01e939e1912f987d29d086c592dc71d2679fe52ecc 367894 mrd6_0.9.6-9_amd64.deb
Files:
51668db6050efa0c91ee9abe68a82027 1845 net optional mrd6_0.9.6-9.dsc
5dbee39d2d1706f72de7c7dd431be2e2 12401 net optional mrd6_0.9.6-9.debian.tar.gz
f3f213a26654abd82825ccf4c1a7bf35 367894 net optional mrd6_0.9.6-9_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPU9qDAAoJENADhS+9UlKeor4P/itJonmXuUXv/NKNbPcNKnbP
N8FcawOPRuG4p7i6z9mcQKIsOvlqGzfp+UBjJh8pYFz5bDKdVvyr0HrMN92n9E/A
tvVNUk5tR2iLV5evvMaE71xPPRnP6nIs9A5e8ftt6Z48jK3e9onjnGikaSYPG6Sl
IrnSNC/6288qwCneE+sKTHNLoKdBFrP7IXRS3SVxoOVw9EbKdn9SVxCTq52lXKPS
SqeVsEl+9AZ+tjY9NLViLqFIlNSja7APZotF1mESOuuhFb87SwU2QNACbcCjxjgp
wB8EvRhonyXiq6M9xpxPf8Ucu9MM19+f1w72aKYB+zIjnzW/1S3FYdVjTbnNJOlj
QNJXn1RhHTrTkZc+kDKAfqJ4dvZBM8pTKlMqycf7SpfT+tCC54h5S+fgAvMenyFM
coIAVmzK1clxehpbQysoj/oUbjZcaO/YtOGZSsirpeu7g1MK+EUp62ffqMs4wxs7
PLoE+sKrav6D9VRFnz1DWa6oFmrYM+uut/kN8cYanmaQzDD4g9kfo0NhR0SlCb8s
D/r0q8ipc3NJNdRt1V3OV8Tt7PuAdbZ5q+TU7Q4yb9LczjOdMLSFpwR8WgSBTx62
oa+cZD4YMey0hkYesYKWpOblKCxpjvReh7sWzlgJdhumSimE2dgdzCiUSZf1v5uL
nQtZTL5PwG5A5C0phm9T
=gyqc
-----END PGP SIGNATURE-----
--- End Message ---