Your message dated Sun, 18 Mar 2012 14:55:12 +0000
with message-id <[email protected]>
and subject line Bug#664512: fixed in xvidcore 2:1.3.2-9
has caused the Debian Bug report #664512,
regarding xvidcore: CPPFLAGS hardening flags missing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
664512: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664512
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xvidcore
Version: 2:1.3.2.-8
Severity: important
Tags: patch
Dear Maintainer,
The CPPFLAGS hardening flags are missing because the build system
ignores them.
The following patch fixes the issue by adding them to CFLAGS. For
more hardening information please have a look at [1], [2] and
[3].
diff -Nru xvidcore-1.3.2/debian/confflags xvidcore-1.3.2/debian/confflags
--- xvidcore-1.3.2/debian/confflags 2012-03-17 18:49:16.000000000 +0100
+++ xvidcore-1.3.2/debian/confflags 2012-03-18 14:58:51.000000000 +0100
@@ -8,6 +8,10 @@
HARDENED_CFLAGS = -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Wformat-security -Werror=format-security
endif
+# The build system doesn't use CPPFLAGS, pass them to CFLAGS to enable the
+# missing (hardening) flags.
+HARDENED_CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS) -g
+
# Set CFLAGS from DEB_CFLAGS if defined, otherwise let xvidcore's build system
# set CFLAGS to use.
DEFAULT_CFLAGS = -Wall -O3 -fstrength-reduce -finline-functions -ffast-math \
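Review bot: the new `HARDENED_CFLAGS +=` line sits after the `endif` that closes the block in which `HARDENED_CFLAGS` is set, so the `dpkg-buildflags --get CPPFLAGS` output is appended unconditionally even when the guarded hardening CFLAGS above are not; if that is intended, say so in the comment. The appended `-g` has nothing to do with CPPFLAGS and is not explained by the comment either; either drop it or document why debug information is being added here.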
The attached patch enables verbose builds to make it easy to
(automatically) spot missing hardening flags. Please add it too.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
/usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Immediate binding is not enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Show compiler messages when compiling.
Necessary to detect missing (hardening) flags during build.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-18
Index: xvidcore-1.3.2/vfw/bin/Makefile
===================================================================
--- xvidcore-1.3.2.orig/vfw/bin/Makefile 2012-03-18 14:46:11.048562931 +0100
+++ xvidcore-1.3.2/vfw/bin/Makefile 2012-03-18 14:48:57.420569263 +0100
@@ -60,12 +60,12 @@
$(BUILD_DIR):
@echo " D: $(BUILD_DIR)"
- @mkdir -p $(BUILD_DIR)
+ mkdir -p $(BUILD_DIR)
.rc.obj:
@echo " W: $(@D)/$(<F)"
@mkdir -p $(BUILD_DIR)/$(@D)
- @$(WINDRES) \
+ $(WINDRES) \
--include-dir=$(SRC_DIR) \
--input-format=rc \
--output-format=coff \
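Review bot: the `@mkdir -p $(BUILD_DIR)/$(@D)` line in the `.rc.obj` rule keeps its `@` while the `mkdir` in the `$(BUILD_DIR):` rule loses it. For spotting missing hardening flags only the toolchain invocations (`$(WINDRES)`, `$(CC)`) need to show up in the log, so keep both `mkdir` lines quiet and drop the first change in this hunk.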
@@ -74,12 +74,12 @@
.c.obj:
@echo " C: $(@D)/$(<F)"
@mkdir -p $(BUILD_DIR)/$(@D)
- @$(CC) $(CFLAGS) -c -o $(BUILD_DIR)/$@ $<
+ $(CC) $(CFLAGS) -c -o $(BUILD_DIR)/$@ $<
$(LIBSO): $(BUILD_DIR) $(OBJECTS)
@echo " L: $(@F)"
@cp $(SRC_DIR)/driverproc.def $(BUILD_DIR)/driverproc.def
- @cd $(BUILD_DIR) && \
+ cd $(BUILD_DIR) && \
$(CC) $(LDFLAGS) \
-mno-cygwin -shared -Wl,-dll,--out-implib,[email protected],--enable-stdcall-fixup \
-o $@ \
@@ -88,13 +88,13 @@
clean:
@echo " Cl: Object files and target lib"
- @$(RM) $(BUILD_DIR)
+ $(RM) $(BUILD_DIR)
install:
@echo " I: xvid.dll"
- @cp $(BUILD_DIR)/$(LIBSO) $(LIBSO)
- @rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 ./xvid.inf
- @rm $(LIBSO)
+ cp $(BUILD_DIR)/$(LIBSO) $(LIBSO)
+ rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 ./xvid.inf
+ rm $(LIBSO)
uninstall:
@rundll32.exe setupapi,InstallHinfSection Remove_XviD 132 ./xvid.inf
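Review bot: this hunk unsilences `cp`, `rundll32.exe` and `rm` in the `install`/`uninstall` targets, and the `xvid.dll` and `rundll32.exe` lines show that vfw/bin/Makefile is a Windows-only build; none of that contributes to the missing-flag check the patch header describes. Restrict the patch to the compile and link rules so the log changes only where the flags can actually be inspected.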
Index: xvidcore-1.3.2/build/generic/Makefile
===================================================================
--- xvidcore-1.3.2.orig/build/generic/Makefile 2012-03-18 14:47:22.036565634 +0100
+++ xvidcore-1.3.2/build/generic/Makefile 2012-03-18 14:48:57.420569263 +0100
@@ -85,7 +85,7 @@
$(BUILD_DIR):
@echo " D: $(BUILD_DIR)"
- @$(INSTALL) -d $(BUILD_DIR)
+ $(INSTALL) -d $(BUILD_DIR)
#-----------------------------------------------------------------------------
# Generic assembly rule
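Review bot: unsilencing `$(INSTALL) -d $(BUILD_DIR)` only adds noise to the build log; the check needs the `$(CC)` and `$(AS)` lines, so directory creation can stay quiet and this hunk can be dropped.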
@@ -94,7 +94,7 @@
.$(ASSEMBLY_EXTENSION).$(OBJECT_EXTENSION):
@echo " A: $(@D)/$(<F)"
@$(INSTALL) -d $(BUILD_DIR)/$(@D)
- @$(AS) $(AFLAGS) $< -o $(BUILD_DIR)/$@
+ $(AS) $(AFLAGS) $< -o $(BUILD_DIR)/$@
#-----------------------------------------------------------------------------
# Generic C rule
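Review bot: with `$(AS) $(AFLAGS)` now visible, a log scanner will see assembler invocations that carry `$(AFLAGS)` and none of the `$(CFLAGS)` hardening flags; whatever checks the build log for missing flags needs to skip the `$(AS)` lines rather than report every assembly object as unhardened.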
@@ -105,7 +105,7 @@
.c.$(OBJECT_EXTENSION):
@echo " C: $(@D)/$(<F)"
@$(INSTALL) -d $(BUILD_DIR)/$(@D)
- @$(CC) -c $(ARCHITECTURE) $(BUS) $(ENDIANNESS) $(FEATURES) $(SPECIFIC_CFLAGS) $(CFLAGS) $< -o $(BUILD_DIR)/$@
+ $(CC) -c $(ARCHITECTURE) $(BUS) $(ENDIANNESS) $(FEATURES) $(SPECIFIC_CFLAGS) $(CFLAGS) $< -o $(BUILD_DIR)/$@
#-----------------------------------------------------------------------------
# Static Library
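Review bot: this rule passes `$(CFLAGS)` but never `$(CPPFLAGS)`, which is the root cause behind the confflags workaround in the bug report; the more direct fix is to add `$(CPPFLAGS)` to the `$(CC) -c ...` line (and to the equivalent rules in the other Makefiles) so the preprocessor flags reach the compiler without being folded into CFLAGS. Making the line visible is still worthwhile, since the log then shows which flags actually reached each compile.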
@@ -113,7 +113,7 @@
$(STATIC_LIB): $(BUILD_DIR) $(OBJECTS)
@echo " L: $(@F)"
- @cd $(BUILD_DIR) && $(AR) rc $(@F) $(OBJECTS) && $(RANLIB) $(@F)
+ cd $(BUILD_DIR) && $(AR) rc $(@F) $(OBJECTS) && $(RANLIB) $(@F)
#-----------------------------------------------------------------------------
# Shared Library
@@ -132,9 +132,9 @@
$(SHARED_LIB): $(BUILD_DIR) $(OBJECTS)
@echo " L: $(@F)"
- @$(INSTALL) -m 644 libxvidcore.def $(BUILD_DIR)/libxvidcore.def
- @$(INSTALL) -m 644 libxvidcore.ld $(BUILD_DIR)/libxvidcore.ld
- @cd $(BUILD_DIR) && $(CC) $(LDFLAGS) $(OBJECTS) -o $(PRE_SHARED_LIB) $(SPECIFIC_LDFLAGS)
+ $(INSTALL) -m 644 libxvidcore.def $(BUILD_DIR)/libxvidcore.def
+ $(INSTALL) -m 644 libxvidcore.ld $(BUILD_DIR)/libxvidcore.ld
+ cd $(BUILD_DIR) && $(CC) $(LDFLAGS) $(OBJECTS) -o $(PRE_SHARED_LIB) $(SPECIFIC_LDFLAGS)
#-----------------------------------------------------------------------------
# Installation
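Review bot: this is the link rule that consumes `$(LDFLAGS)`, so making it visible is what lets the build log confirm the `Read-only relocations` result that `hardening-check` reports in the bug report; the two `$(INSTALL) -m 644` lines in the same hunk do not need to be unsilenced for that.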
@@ -142,19 +142,19 @@
install: $(BUILD_DIR)/$(STATIC_LIB) $(BUILD_DIR)/$(SHARED_LIB)
@echo " D: $(libdir)"
- @$(INSTALL) -d $(DESTDIR)$(libdir)
+ $(INSTALL) -d $(DESTDIR)$(libdir)
@echo " I: $(libdir)/$(SHARED_LIB)"
- @$(INSTALL) -m 644 $(BUILD_DIR)/$(SHARED_LIB) $(DESTDIR)$(libdir)/$(SHARED_LIB)
- @test -z "$(SO_API_MAJOR_LINK)" || \
+ $(INSTALL) -m 644 $(BUILD_DIR)/$(SHARED_LIB) $(DESTDIR)$(libdir)/$(SHARED_LIB)
+ test -z "$(SO_API_MAJOR_LINK)" || \
$(LN_S) $(SHARED_LIB) $(DESTDIR)$(libdir)/$(SO_API_MAJOR_LINK)
- @test -z "$(SO_LINK)" || \
+ test -z "$(SO_LINK)" || \
$(LN_S) $(SHARED_LIB) $(DESTDIR)$(libdir)/$(SO_LINK)
@echo " I: $(libdir)/$(STATIC_LIB)"
- @$(INSTALL) -m 644 $(BUILD_DIR)/$(STATIC_LIB) $(DESTDIR)$(libdir)/$(STATIC_LIB)
+ $(INSTALL) -m 644 $(BUILD_DIR)/$(STATIC_LIB) $(DESTDIR)$(libdir)/$(STATIC_LIB)
@echo " D: $(includedir)"
- @$(INSTALL) -d $(DESTDIR)$(includedir)
+ $(INSTALL) -d $(DESTDIR)$(includedir)
@echo " I: $(includedir)/xvid.h"
- @$(INSTALL) -m 644 $(SRC_DIR)/xvid.h $(DESTDIR)$(includedir)/xvid.h
+ $(INSTALL) -m 644 $(SRC_DIR)/xvid.h $(DESTDIR)$(includedir)/xvid.h
#-----------------------------------------------------------------------------
# Platorm specific file -- dumb rules for people executing make before
@@ -176,23 +176,23 @@
clean:
@echo " Cl: Build directory"
- @$(RM) $(BUILD_DIR)
+ $(RM) $(BUILD_DIR)
distclean: clean
@echo " Cl: Generated build files"
- @$(RM) platform.inc
- @$(RM) config.log
- @$(RM) config.status
- @$(RM) autom4te.cache
+ $(RM) platform.inc
+ $(RM) config.log
+ $(RM) config.status
+ $(RM) autom4te.cache
mrproper: distclean
@echo " Cl: Bootstrapped build files"
- @$(RM) configure
- @$(RM) install-sh
- @$(RM) missing
- @$(RM) config.guess
- @$(RM) mkinstalldirs
- @$(RM) config.sub
+ $(RM) configure
+ $(RM) install-sh
+ $(RM) missing
+ $(RM) config.guess
+ $(RM) mkinstalldirs
+ $(RM) config.sub
list-objects:
@echo
Index: xvidcore-1.3.2/dshow/Makefile
===================================================================
--- xvidcore-1.3.2.orig/dshow/Makefile 2012-03-18 14:46:11.048562931 +0100
+++ xvidcore-1.3.2/dshow/Makefile 2012-03-18 14:48:57.420569263 +0100
@@ -81,12 +81,12 @@
$(BUILD_DIR):
@echo " D: $(BUILD_DIR)"
- @mkdir -p $(BUILD_DIR)
+ mkdir -p $(BUILD_DIR)
.rc.obj:
@echo " W: $(@D)/$(<F)"
@mkdir -p $(BUILD_DIR)/$(@D)
- @$(WINDRES) \
+ $(WINDRES) \
--include-dir=$(SRC_DIR) \
--input-format=rc \
--output-format=coff \
@@ -95,17 +95,17 @@
.c.obj:
@echo " C: $(@D)/$(<F)"
@mkdir -p $(BUILD_DIR)/$(@D)
- @$(CC) $(CFLAGS) -c -o $(BUILD_DIR)/$@ $<
+ $(CC) $(CFLAGS) -c -o $(BUILD_DIR)/$@ $<
.cpp.obj:
@echo " C: $(@D)/$(<F)"
@mkdir -p $(BUILD_DIR)/$(@D)
- @$(CXX) $(CXXFLAGS) -c -o $(BUILD_DIR)/$@ $<
+ $(CXX) $(CXXFLAGS) -c -o $(BUILD_DIR)/$@ $<
$(LIBSO): $(BUILD_DIR) $(OBJECTS)
@echo " L: $(@F)"
@cp $(SRC_DIR)/xvid.ax.def $(BUILD_DIR)/xvid.ax.def
- @cd $(BUILD_DIR) && \
+ cd $(BUILD_DIR) && \
$(CC) $(LDFLAGS) \
-mno-cygwin -shared -Wl,-dll,--out-implib,[email protected],--enable-stdcall-fixup \
-o $@ \
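Review bot: the `.cpp.obj` rule uses `$(CXX) $(CXXFLAGS)`, while the confflags change in the bug report appends the CPPFLAGS only to `HARDENED_CFLAGS`; if this Makefile is ever built, `CXXFLAGS` needs the same treatment or the C++ objects miss the preprocessor hardening flags. Making the line visible at least lets the log show that.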
@@ -116,7 +116,7 @@
clean:
@echo " Cl: Object files and target lib"
- @$(RM) $(BUILD_DIR)
+ $(RM) $(BUILD_DIR)
install:
--- End Message ---
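A build-log scan of the kind the bug report argues for (verbose build, then check every compiler and linker line for the expected hardening flags), as an added example that is not part of the report or of the xvidcore package. The required-flag sets and the log excerpt are assumptions constructed for the demonstration; the line lacking the CPPFLAGS-derived define is what the unpatched Makefile produced.

```python
import shlex

# Flags dpkg-buildflags emitted for hardened builds when this report was filed
# (assumed set; adjust to your distribution's output). The "-D_FORTIFY_SOURCE=2"
# entry comes from CPPFLAGS, the ones xvidcore's Makefile was dropping.
REQUIRED = {
    "compile": {"-fstack-protector", "-Wformat-security", "-D_FORTIFY_SOURCE=2"},
    "link": {"-Wl,-z,relro"},
}
COMPILERS = {"gcc", "cc", "g++", "c++", "clang", "clang++"}

def classify(line):
    """Return ('compile' | 'link' | None, argv) for one build-log line."""
    try:
        argv = shlex.split(line)
    except ValueError:          # unbalanced quotes: not a command we can judge
        return None, []
    while "&&" in argv:         # 'cd dir && gcc ...': judge the last command
        argv = argv[argv.index("&&") + 1:]
    if not argv or argv[0].rsplit("/", 1)[-1] not in COMPILERS:
        return None, argv       # echo output, assembler, install, ... are skipped
    return ("compile" if "-c" in argv else "link"), argv

def missing_flags(line):
    """None for non-toolchain lines, else the sorted list of absent flags."""
    kind, argv = classify(line)
    if kind is None:
        return None
    return sorted(REQUIRED[kind] - set(argv))

def scan_log(log):
    """Return [(line_no, line, missing)] for every toolchain line lacking flags."""
    findings = []
    for no, line in enumerate(log.splitlines(), 1):
        missing = missing_flags(line)
        if missing:
            findings.append((no, line.strip(), missing))
    return findings

# Constructed verbose-build excerpt: an echo line, the unpatched compile line
# (CPPFLAGS dropped), the patched one, an assembler line and the link step.
SAMPLE_LOG = """\
 C: ../../src/decoder.c
gcc -c -Wall -O3 -fstack-protector -Wformat-security ../../src/decoder.c -o build/decoder.o
gcc -c -Wall -O3 -fstack-protector -Wformat-security -D_FORTIFY_SOURCE=2 ../../src/encoder.c -o build/encoder.o
yasm -f elf64 ../../src/image/x86_asm/interpolate8x8.asm -o build/interpolate8x8.o
cd build && gcc -Wl,-z,relro decoder.o encoder.o -shared -o libxvidcore.so.4.3
"""

if __name__ == "__main__":
    for no, line, missing in scan_log(SAMPLE_LOG):
        print(f"line {no}: missing {' '.join(missing)}\n    {line}")
```

Run it over the full build log after `hardening-check`; the two checks are complementary, since hardening-check inspects the final binaries while the log scan catches individual objects compiled without the flags.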
--- Begin Message ---
Source: xvidcore
Source-Version: 2:1.3.2-9
We believe that the bug you reported is fixed in the latest version of
xvidcore, which is due to be installed in the Debian FTP archive:
libxvidcore-dev_1.3.2-9_amd64.deb
to main/x/xvidcore/libxvidcore-dev_1.3.2-9_amd64.deb
libxvidcore4_1.3.2-9_amd64.deb
to main/x/xvidcore/libxvidcore4_1.3.2-9_amd64.deb
xvidcore_1.3.2-9.debian.tar.gz
to main/x/xvidcore/xvidcore_1.3.2-9.debian.tar.gz
xvidcore_1.3.2-9.dsc
to main/x/xvidcore/xvidcore_1.3.2-9.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andres Mejia <[email protected]> (supplier of updated xvidcore package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 18 Mar 2012 10:15:39 -0400
Source: xvidcore
Binary: libxvidcore4 libxvidcore-dev
Architecture: source amd64
Version: 2:1.3.2-9
Distribution: unstable
Urgency: low
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Andres Mejia <[email protected]>
Description:
libxvidcore-dev - Open source MPEG-4 video codec (development)
libxvidcore4 - Open source MPEG-4 video codec (library)
Closes: 664512
Changes:
xvidcore (2:1.3.2-9) unstable; urgency=low
.
* Pass hardened CPPFLAGS to CFLAGS. (Closes: #664512)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---