Your message dated Fri, 09 Mar 2012 13:04:47 +0000
with message-id <[email protected]>
and subject line Bug#662803: fixed in pngcheck 2.3.0-5
has caused the Debian Bug report #662803,
regarding pngcheck: CPPFLAGS hardening flags missing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
662803: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662803
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pngcheck
Severity: important
Tags: patch
Hello,
The CPPFLAGS hardening flags are missing because they are not
enabled in debian/rules.
DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].
The attached patch fixes the issue, debian/debian-compile.mk was
updated to prevent CFLAGS from overwriting the hardening flags.
dpkg-buildflags automatically handles noopt, setting it manually
is no longer necessary.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
    $ hardening-check /usr/bin/pngcheck
    /usr/bin/pngcheck:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
(Position Independent Executable and Immediate binding are not
enabled by default.)
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru pngcheck-2.3.0/debian/debian-compile.mk pngcheck-2.3.0/debian/debian-compile.mk
--- pngcheck-2.3.0/debian/debian-compile.mk 2012-02-14 21:10:37.000000000 +0100
+++ pngcheck-2.3.0/debian/debian-compile.mk 2012-03-06 15:02:08.000000000 +0100
@@ -45,16 +45,6 @@
export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
#######################################################################
-
-CFLAGS = -Wall -g
-
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
- CFLAGS += -O0
-else
- CFLAGS += -O2
-endif
-
-#######################################################################
# [Add this to use multiple CPU cores]
# build-stamp:
# $(MAKE) $(MAKE_FLAGS)
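Review bot: the deleted `CFLAGS = -Wall -g` line also carried `-g`, and the replacement in debian/rules re-adds `-Wall` but not `-g`. dpkg-buildflags' default CFLAGS contain `-g -O2`, so debug info and the noopt handling survive only if those defaults actually reach the gcc command line; a build log should confirm that. Since debian/rules includes this file, a one-line comment in place of the removed block saying that CFLAGS must not be assigned with `=` here would keep the override from being reintroduced.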
diff -Nru pngcheck-2.3.0/debian/rules pngcheck-2.3.0/debian/rules
--- pngcheck-2.3.0/debian/rules 2012-03-05 10:01:09.000000000 +0100
+++ pngcheck-2.3.0/debian/rules 2012-03-06 14:59:50.000000000 +0100
@@ -4,17 +4,15 @@
include debian/debian-compile.mk
-include /usr/share/dpkg/buildflags.mk
-CFLAGS += -Wall -pedantic
-CFLAGS += -DUSE_ZLIB
-LDFLAGS += -Wl,--as-needed
+export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -DUSE_ZLIB
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
LIBS = -lz
man:
$(MAKE) -C debian -f pod2man.mk PACKAGE=$(PACKAGE) makeman
override_dh_auto_build: man
- gcc $(CFLAGS) $(LDFLAGS) -o $(PACKAGE) $(PACKAGE).c $(LIBS)
+ gcc $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $(PACKAGE) $(PACKAGE).c $(LIBS)
%:
dh $@
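Review bot: the gcc recipe now expands `$(CFLAGS) $(CPPFLAGS) $(LDFLAGS)`, but this hunk removes `include /usr/share/dpkg/buildflags.mk` and the debian-compile.mk hunk removes the only CFLAGS definition, so nothing visible in debian/rules defines those variables any more; they are empty unless the caller (dh) exports them into the environment. Either keep the include or add a comment stating where the values come from, so the hardening flags do not silently disappear if the build is driven differently. Separately, `-DUSE_ZLIB` is a preprocessor define and fits `DEB_CPPFLAGS_MAINT_APPEND` better than `DEB_CFLAGS_MAINT_APPEND`.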
--- End Message ---
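Added example (not part of the original messages or of the pngcheck packaging): a small gate that parses `hardening-check` output like the report quoted in the bug report and lists the protections that are missing, so a dropped `$(CPPFLAGS)` is caught as a regression. The function names, the "optional" policy and the wording of the failing Fortify line are assumptions made for this sketch.

```python
import re

# Constructed sample: the report quoted in the bug report.
REPORT_QUOTED = """\
/usr/bin/pngcheck:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
"""

# Constructed sample (assumed wording): a build whose gcc line dropped
# $(CPPFLAGS), so -D_FORTIFY_SOURCE=2 never reached the compiler.
REPORT_NO_CPPFLAGS = REPORT_QUOTED.replace(
    "Fortify Source functions: yes (some protected functions found)",
    "Fortify Source functions: no, only unprotected functions found!")

# Checks the report says are not enabled by default; policy assumption:
# a "no" for these is tolerated.
OPTIONAL = frozenset({"Position Independent Executable", "Immediate binding"})

LINE_RE = re.compile(r"^\s*(?P<check>[^:]+):\s+(?P<verdict>\w+)(?P<detail>.*)$")

def parse_report(text):
    """Return {binary: {check: (verdict, detail)}} from hardening-check output."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.endswith(":"):            # "/usr/bin/pngcheck:" starts a section
            current = results.setdefault(line[:-1].strip(), {})
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            current[m["check"].strip()] = (m["verdict"], m["detail"].strip(" ,"))
    return results

def missing_hardening(text, optional=OPTIONAL):
    """List (binary, check) pairs reported as 'no' and not in `optional`."""
    return [(binary, check)
            for binary, checks in parse_report(text).items()
            for check, (verdict, _) in checks.items()
            if verdict == "no" and check not in optional]

if __name__ == "__main__":
    for name, report in (("quoted", REPORT_QUOTED), ("no CPPFLAGS", REPORT_NO_CPPFLAGS)):
        print(name, "->", missing_hardening(report) or "ok")
```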
--- Begin Message ---
Source: pngcheck
Source-Version: 2.3.0-5
We believe that the bug you reported is fixed in the latest version of
pngcheck, which is due to be installed in the Debian FTP archive:
pngcheck_2.3.0-5.debian.tar.gz
to main/p/pngcheck/pngcheck_2.3.0-5.debian.tar.gz
pngcheck_2.3.0-5.dsc
to main/p/pngcheck/pngcheck_2.3.0-5.dsc
pngcheck_2.3.0-5_amd64.deb
to main/p/pngcheck/pngcheck_2.3.0-5_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jari Aalto <[email protected]> (supplier of updated pngcheck package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 07 Mar 2012 00:46:04 -0500
Source: pngcheck
Binary: pngcheck
Architecture: source amd64
Version: 2.3.0-5
Distribution: unstable
Urgency: low
Maintainer: Jari Aalto <[email protected]>
Changed-By: Jari Aalto <[email protected]>
Description:
pngcheck - print info and check PNG, JNG and MNG files
Closes: 662803
Changes:
pngcheck (2.3.0-5) unstable; urgency=low
.
* debian/control
- (Build-Depends): Rm dpkg-dev; not needed with debhelper 9.
* debian/debian-compile.mk
- Delete. Not used.
* debian/rules
- Enable all hardening flags.
- Change to DEB_CXXFLAGS_* flags and improve build target to
include CPPFLAGS (Closes: #662803). Patch thanks to Simon Ruderich
<[email protected]>.
--- End Message ---