Your message dated Tue, 20 Mar 2012 11:17:15 +0000
with message-id <[email protected]>
and subject line Bug#664168: fixed in canorus 0.7+dfsg+svn1256-2
has caused the Debian Bug report #664168,
regarding canorus: CPPFLAGS hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
664168: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664168
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: canorus
Version: 0.7+dfsg+svn1256-1
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores
them by default.

The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].

It also enables verbose builds to make it easy to (automatically)
spot missing hardening flags.

To use -D_FORTIFY_SOURCE=2 (see [3]) it's necessary to compile
with optimizations. The attached patch handles this - enabling
the release build should also fix this, but I don't know CMake
well enough.

diff -Nru canorus-0.7+dfsg+svn1256/debian/rules 
canorus-0.7+dfsg+svn1256/debian/rules
--- canorus-0.7+dfsg+svn1256/debian/rules       2012-03-14 21:58:12.000000000 
+0100
+++ canorus-0.7+dfsg+svn1256/debian/rules       2012-03-16 01:16:40.000000000 
+0100
@@ -1,8 +1,15 @@
 #!/usr/bin/make -f
 
+export VERBOSE=1
+
 # Use all hardening features
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND   = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
 %:
        dh $@
 
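
Review bot: the new `export VERBOSE=1` line has no comment explaining why it is there; the cover letter says it is so the build log shows every compiler invocation and missing hardening flags can be spotted, but a reader of debian/rules alone cannot tell whether it is intentional or a leftover, so add a one-line comment such as `# Verbose build so the log shows the full compiler command lines`. Minor: both MAINT_APPEND lines shell out to `dpkg-buildflags --get CPPFLAGS` separately; assigning the result once to a variable and reusing it avoids the duplicate call and keeps the two values in sync.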

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/canorus
    /usr/bin/canorus:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes

(Position Independent Executable and Immediate binding are not
enabled by default.)

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Compile with -O2.
 Necessary for -D_FORTIFY_SOURCE=2 and generally recommended (policy 10.1).
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-16

--- canorus-0.7+dfsg+svn1256.orig/src/CMakeLists.txt
+++ canorus-0.7+dfsg+svn1256/src/CMakeLists.txt
@@ -13,7 +13,7 @@ IF(NOT CMAKE_BUILD_TYPE)
 	SET(CMAKE_BUILD_TYPE Debug)
 ENDIF(NOT CMAKE_BUILD_TYPE)
 
-SET(CMAKE_C_FLAGS_DEBUG "-O0 -g")
+SET(CMAKE_C_FLAGS_DEBUG "-O2 -g")
 SET(CMAKE_C_FLAGS_RELEASE "-O2")
 
 SET(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG}")
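
Review bot: the hunk rewrites upstream's Debug configuration from `-O0 -g` to `-O2 -g`, which turns every Debug build of this source into an optimized one for anyone who applies the patch, not just the Debian package. The surrounding context (`IF(NOT CMAKE_BUILD_TYPE)` ... `SET(CMAKE_BUILD_TYPE Debug)`) shows Debug is only the fallback when no build type is given, and `SET(CMAKE_C_FLAGS_RELEASE "-O2")` already provides the optimized configuration, so the less invasive fix is to select the Release build type from debian/rules (as the cover letter itself suggests) rather than carrying a patch against src/CMakeLists.txt.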

Attachment: signature.asc
Description: Digital signature


--- End Message ---
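The report above recommends checking the verbose build log because hardening-check does not catch everything. The following is an added example, not part of the bug report or of the canorus package: a small POSIX shell/awk checker that scans a VERBOSE=1 build log (a constructed sample is embedded) for compile lines lacking the CPPFLAGS/CFLAGS hardening flags and link lines lacking the LDFLAGS ones. The exact flag set and the one-command-per-line log format are assumptions.

```shell
# Constructed sample log (not a real canorus build). Line 1 carries the flags
# dpkg-buildflags emits, CPPFLAGS included; line 2 is what a CMake build that
# drops CPPFLAGS looks like; line 3 is a link line that lacks -Wl,-z,relro.
SAMPLE_LOG='/usr/bin/c++ -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -o CMakeFiles/canorus.dir/src/main.cpp.o -c /tmp/canorus/src/main.cpp
/usr/bin/c++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -o CMakeFiles/canorus.dir/src/score.cpp.o -c /tmp/canorus/src/score.cpp
/usr/bin/c++ -g -O2 -Wl,-z,now CMakeFiles/canorus.dir/src/main.cpp.o -o canorus'

# count_missing LOG_TEXT
# Prints to stdout the number of missing hardening flags found in LOG_TEXT
# and reports each offending command line on stderr. 0 means every compile
# and link line carried the expected flags (hypothetical helper).
count_missing() {
    printf '%s\n' "$1" | awk '
        # Compile lines: anything with " -c " must carry the CPPFLAGS and
        # CFLAGS/CXXFLAGS hardening options.
        / -c / {
            if ($0 !~ /-D_FORTIFY_SOURCE=2/)      bad("-D_FORTIFY_SOURCE=2 (CPPFLAGS)")
            if ($0 !~ /-fstack-protector/)        bad("-fstack-protector (CFLAGS)")
            if ($0 !~ /-Werror=format-security/)  bad("-Werror=format-security (CFLAGS)")
            next
        }
        # Link lines: any other invocation of the compiler driver must carry
        # the LDFLAGS hardening options.
        /^\/usr\/bin\/(cc|gcc|c[+][+]|g[+][+]) / {
            if ($0 !~ /-Wl,-z,relro/) bad("-Wl,-z,relro (LDFLAGS)")
        }
        function bad(flag) {
            n++
            print "missing " flag ": " $0 > "/dev/stderr"
        }
        END { print n + 0 }
    '
}

# Usage: count_missing "$SAMPLE_LOG" prints 2 (no FORTIFY on line 2, no relro on line 3).
```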
--- Begin Message ---
Source: canorus
Source-Version: 0.7+dfsg+svn1256-2

We believe that the bug you reported is fixed in the latest version of
canorus, which is due to be installed in the Debian FTP archive:

canorus-data_0.7+dfsg+svn1256-2_all.deb
  to main/c/canorus/canorus-data_0.7+dfsg+svn1256-2_all.deb
canorus_0.7+dfsg+svn1256-2.debian.tar.gz
  to main/c/canorus/canorus_0.7+dfsg+svn1256-2.debian.tar.gz
canorus_0.7+dfsg+svn1256-2.dsc
  to main/c/canorus/canorus_0.7+dfsg+svn1256-2.dsc
canorus_0.7+dfsg+svn1256-2_amd64.deb
  to main/c/canorus/canorus_0.7+dfsg+svn1256-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Quathamer <[email protected]> (supplier of updated canorus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 20 Mar 2012 10:44:32 +0100
Source: canorus
Binary: canorus canorus-data
Architecture: source amd64 all
Version: 0.7+dfsg+svn1256-2
Distribution: unstable
Urgency: low
Maintainer: Tobias Quathamer <[email protected]>
Changed-By: Tobias Quathamer <[email protected]>
Description: 
 canorus    - graphical music score editor
 canorus-data - data files for canorus, a graphical music score editor
Closes: 664168
Changes: 
 canorus (0.7+dfsg+svn1256-2) unstable; urgency=low
 .
   * Pass CPPFLAGS to CFLAGS/CXXFLAGS. CMake does not use CPPFLAGS, so
     this is needed to enable the missing hardening flags.
     Thanks to Simon Ruderich <[email protected]> (Closes: #664168)
   * Compile with -O2 to use -D_FORTIFY_SOURCE=2.
     Thanks to Simon Ruderich <[email protected]>




--- End Message ---