Your message dated Sun, 18 Mar 2012 13:33:00 +0000
with message-id <[email protected]>
and subject line Bug#663590: fixed in mailman 1:2.1.14-4
has caused the Debian Bug report #663590,
regarding mailman: CPPFLAGS/LDFLAGS hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
663590: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663590
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mailman
Version: 1:2.1.14-3
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The CPPFLAGS and LDFLAGS hardening flags are missing because the
build system ignores them.

For more hardening information please have a look at [1], [2] and
[3].

The attached patch fixes the issue. If possible it should be sent
to upstream.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/lib/mailman/mail/mailman /usr/lib/cgi-bin/mailman/subscribe /usr/lib/cgi-bin/mailman/roster ...
    /usr/lib/mailman/mail/mailman:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/cgi-bin/mailman/subscribe:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/cgi-bin/mailman/roster:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found
    ...

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Description: Use CPPFLAGS/LDFLAGS from environment (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-12

--- mailman-2.1.14.orig/src/Makefile.in
+++ mailman-2.1.14/src/Makefile.in
@@ -43,6 +43,8 @@ MAILMAN_USER=	@MAILMAN_USER@
 # Customizable but not set by configure
 OPT=		@OPT@
 CFLAGS=		@CFLAGS@ $(OPT) $(DEFS) $(LIBS)
+CPPFLAGS=	@CPPFLAGS@
+LDFLAGS=	@LDFLAGS@
 CGIDIR= 	$(exec_prefix)/cgi-bin
 CGIEXT=		@CGIEXT@
 MAILDIR=	$(exec_prefix)/mail
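Review bot: the two new assignments land under the `# Customizable but not set by configure` comment, yet `@CPPFLAGS@` and `@LDFLAGS@` are exactly the values configure substitutes (as `CFLAGS= @CFLAGS@` in the same block already is), so the comment now contradicts the lines it heads; either move the configure-substituted variables above that comment or reword it, and add a one-line note that these carry the hardening flags from dpkg-buildflags so a later cleanup does not drop them again.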
@@ -91,19 +93,19 @@ PROGRAMS= $(CGI_PROGS) $(MAIL_PROGS) $(A
 all: $(PROGRAMS)
 
 mailman: $(srcdir)/mail-wrapper.c $(COMMONOBJS)
-	$(CC) -I. $(MAIL_FLAGS) $(CFLAGS) $(COMMONOBJS) -o $@ $(srcdir)/mail-wrapper.c
+	$(CC) -I. $(MAIL_FLAGS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(COMMONOBJS) -o $@ $(srcdir)/mail-wrapper.c
 
 #addaliases: $(srcdir)/alias-wrapper.c $(COMMONOBJS)
-#	$(CC) -I. $(ALIAS_FLAGS) $(CFLAGS) -o $@ $(srcdir)/alias-wrapper.c
+#	$(CC) -I. $(ALIAS_FLAGS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $(srcdir)/alias-wrapper.c
 
 $(CGI_PROGS): $(srcdir)/cgi-wrapper.c $(COMMONOBJS)
-	$(CC) -DSCRIPT="\"$@\"" -I. $(CGI_FLAGS) $(CFLAGS) $(COMMONOBJS) -o $@ $(srcdir)/cgi-wrapper.c
+	$(CC) -DSCRIPT="\"$@\"" -I. $(CGI_FLAGS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(COMMONOBJS) -o $@ $(srcdir)/cgi-wrapper.c
 
 common.o: $(srcdir)/common.c $(srcdir)/common.h Makefile
-	$(CC) -c -I. $(COMMON_FLAGS) $(CFLAGS) $(srcdir)/common.c
+	$(CC) -c -I. $(COMMON_FLAGS) $(CFLAGS) $(CPPFLAGS) $(srcdir)/common.c
 
 vsnprintf.o: $(srcdir)/vsnprintf.c Makefile
-	$(CC) -c -I. $(COMMON_FLAGS) $(CFLAGS) $(srcdir)/vsnprintf.c
+	$(CC) -c -I. $(COMMON_FLAGS) $(CFLAGS) $(CPPFLAGS) $(srcdir)/vsnprintf.c
 
 install: all
 	for f in $(CGI_PROGS); \
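Review bot: in the single-step compile-and-link rules for `mailman` and `$(CGI_PROGS)` the new `$(LDFLAGS)` is inserted right after `$(CFLAGS)`, which still expands to `@CFLAGS@ $(OPT) $(DEFS) $(LIBS)`, so any libraries in `LIBS` come before `$(COMMONOBJS)` and the source file on the command line; that ordering is pre-existing, but once `LDFLAGS` is honoured a linker flag such as `-Wl,--as-needed` would discard those libraries, so consider moving `$(LIBS)` out of `CFLAGS` and to the end of the link lines (e.g. `... -o $@ $(srcdir)/mail-wrapper.c $(LIBS)`) in the same change. The compile-only rules for `common.o` and `vsnprintf.o` correctly receive `$(CPPFLAGS)` and not `$(LDFLAGS)`.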

--- End Message ---
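As an added example (not part of the bug report or of the mailman package), a small Python parser for the hardening-check output format shown in the report, which gates a build on the three protections Debian enabled by default at the time. The sample output is constructed; the second binary is deliberately made to fail, and the wording of its failing lines is assumed to follow the tool's format.

```python
"""Parse hardening-check output and flag binaries missing expected protections."""
import re

# Sample output in the format hardening-check prints, constructed for this
# example from the report above; the second binary is made to fail on purpose.
SAMPLE_OUTPUT = """\
/usr/lib/mailman/mail/mailman:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/cgi-bin/mailman/subscribe:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: no, not found!
 Immediate binding: no not found!
"""

# Checks that must pass. PIE and immediate binding are left out because,
# as the report notes, Debian did not enable them by default at the time.
REQUIRED = ("Stack protected", "Fortify Source functions", "Read-only relocations")

# One indented check line: " <name>: <yes|no|unknown>, <detail>"
_CHECK_RE = re.compile(r"^ (?P<name>[^:]+): (?P<result>\w+)")

def parse_hardening_check(text):
    """Return {binary_path: {check_name: passed}}; only 'yes' counts as passed."""
    results, current = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.endswith(":"):
            current = line[:-1]          # a new binary's header line
            results[current] = {}
            continue
        m = _CHECK_RE.match(line)
        if m and current is not None:
            results[current][m.group("name")] = m.group("result") == "yes"
    return results

def missing_protections(results, required=REQUIRED):
    """Map each binary to the required checks it fails; an empty dict means clean."""
    failures = {}
    for path, checks in results.items():
        missing = [c for c in required if not checks.get(c, False)]
        if missing:
            failures[path] = missing
    return failures
```

In a build log check, feed `parse_hardening_check` the real tool's output over the files found by the `find` command in the report and fail the build when `missing_protections` returns anything.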
--- Begin Message ---
Source: mailman
Source-Version: 1:2.1.14-4

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive:

mailman_2.1.14-4.debian.tar.gz
  to main/m/mailman/mailman_2.1.14-4.debian.tar.gz
mailman_2.1.14-4.dsc
  to main/m/mailman/mailman_2.1.14-4.dsc
mailman_2.1.14-4_amd64.deb
  to main/m/mailman/mailman_2.1.14-4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <[email protected]> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 18 Mar 2012 14:12:49 +0100
Source: mailman
Binary: mailman
Architecture: source amd64
Version: 1:2.1.14-4
Distribution: unstable
Urgency: low
Maintainer: Mailman for Debian <[email protected]>
Changed-By: Thijs Kinkhorst <[email protected]>
Description: 
 mailman    - Powerful, web-based mailing list manager
Closes: 653766 655837 659467 663590
Changes: 
 mailman (1:2.1.14-4) unstable; urgency=low
 .
   * Ensure CPPFLAGS and LDFLAGS are actually used during build,
     thanks Simon Ruderich for the patch! (closes: #663590)
     Additionally, enable all available hardening features.
   * Checked for policy 3.9.3, add DEP3 patch headers.
   * Add Danish debconf translation, thanks Joe Dalton (closes: #659467).
   * Add 'su root list' statements to logrotate config, to cope
     with logrotate >= 3.8; thanks Joël Bertrand (closes: #653766).
   * Avoid config file prompt for mailman crontab entry if this
     file was unmodified (closes: #655837).


--- End Message ---
