Your message dated Thu, 22 Mar 2012 23:17:57 +0000
with message-id <[email protected]>
and subject line Bug#665286: fixed in iptables 1.4.12.2-3
has caused the Debian Bug report #665286,
regarding iptables: CPPFLAGS hardening flags missing for extensions/
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
665286: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665286
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iptables
Version: 1.4.12.2-2
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing for extensions/ because
the build system ignores them.

The attached patch fixes the issue. If possible it should be sent
upstream.

The following patch enables verbose builds to make it easy to
(automatically) detect missing flags. Please apply it too.

diff -Nru iptables-1.4.12.2/debian/rules iptables-1.4.12.2/debian/rules
--- iptables-1.4.12.2/debian/rules      2011-06-20 18:04:12.000000000 +0200
+++ iptables-1.4.12.2/debian/rules      2012-03-22 21:09:43.000000000 +0100
@@ -1,5 +1,8 @@
 #!/usr/bin/make -f
 
+# Enable verbose to detect missing (hardening) flags.
+export V=1
+
 #_dhopts := --with autotools_dev
 _shlibdeps := -a -Xlib/xtables
 _configure := --with-xtlibdir=/lib/xtables \
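Review bot: `export V=1` is set unconditionally at the top of debian/rules, so it reaches every make invocation rather than only the build step; that is fine for the stated purpose, but the comment above it should say what the verbose log is meant to be checked against (every compiler line, including those under extensions/, should show the hardening CFLAGS and CPPFLAGS), otherwise a later maintainer may drop the export as noise. It is also worth stating that this only has an effect because upstream's GNUmakefile.in keys its quiet mode on `ifeq (${V},)`, so the second patch and this one belong together.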

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /sbin/xtables-multi /sbin/nfnl_osf /lib/libxtables.so.7.0.0 ...
    /sbin/xtables-multi:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /sbin/nfnl_osf:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /lib/libxtables.so.7.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use CPPFLAGS.
 Necessary for hardening flags.
 .
 All other Makefiles add CPPFLAGS to ${COMPILE} (automake), but GNUmakefile.in
 doesn't set it.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-22

--- iptables-1.4.12.2.orig/extensions/GNUmakefile.in
+++ iptables-1.4.12.2/extensions/GNUmakefile.in
@@ -21,7 +21,7 @@ regular_CPPFLAGS := @regular_CPPFLAGS@
 kinclude_CPPFLAGS := @kinclude_CPPFLAGS@
 
 AM_CFLAGS      := ${regular_CFLAGS}
-AM_CPPFLAGS     = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include ${kinclude_CPPFLAGS}
+AM_CPPFLAGS     = ${CPPFLAGS} ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include ${kinclude_CPPFLAGS}
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
 ifeq (${V},)
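Review bot: `${CPPFLAGS}` is added to AM_CPPFLAGS, but the hunk does not show where CPPFLAGS itself gets a value in GNUmakefile.in; in the automake-generated Makefiles the description refers to, it comes from configure (`CPPFLAGS = @CPPFLAGS@`), whereas here it is only non-empty if the variable is assigned earlier in this file or exported into make's environment at build time. Please confirm that the configure-time value reaches this makefile (or add a `CPPFLAGS := @CPPFLAGS@` assignment alongside `regular_CPPFLAGS := @regular_CPPFLAGS@`), otherwise the fix depends on how the package happens to be built. Minor: automake's COMPILE puts the user CPPFLAGS after AM_CPPFLAGS; with `${CPPFLAGS}` placed first, any -I in the user's CPPFLAGS is searched before `-I${top_builddir}/include` and `-I${top_srcdir}/include`, which can shadow in-tree headers with installed ones.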

Attachment: signature.asc
Description: Digital signature


--- End Message ---
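The automatic build-log check this report motivates (verbose builds so that missing flags can be detected mechanically, which `hardening-check` alone cannot do for CPPFLAGS), as an added example that is not part of the bug report or the iptables package: a POSIX shell script that scans a V=1 build log for compiler invocations lacking the expected hardening flags. The required-flag list and the sample log lines are constructed assumptions; on a real build the flags come from dpkg-buildflags.

```shell
#!/bin/sh
# Constructed sample of a V=1 build log. The libxt_tcp.c line stands for the
# extensions/ build from the report: CFLAGS present, CPPFLAGS (the
# -D_FORTIFY_SOURCE=2 define) missing. Not real iptables build output.
sample_log() {
    cat <<'EOF'
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../include -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c xtables.c -o xtables.o
gcc -DHAVE_CONFIG_H -I. -I../include -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c -o xtables-multi.o xtables-multi.c
make[2]: Entering directory `/build/iptables-1.4.12.2/extensions'
gcc -D_XTABLES_INTERNAL -I../include -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -o libxt_tcp.oo -c libxt_tcp.c
EOF
}

# Flags that every compiler line must carry. Assumed values matching what
# dpkg-buildflags emits for CPPFLAGS and CFLAGS; adjust to the local policy.
REQUIRED_FLAGS='-D_FORTIFY_SOURCE=2 -fstack-protector -Wformat -Werror=format-security'

# missing_flags: read a build log on stdin, print "<output object> <flag>" for
# each compiler invocation that lacks one of REQUIRED_FLAGS. Prints nothing
# when every invocation is fully hardened. Lines wrapped by libtool are
# unwrapped first; non-compiler lines (make chatter, linker steps without
# a recognised driver) are ignored.
missing_flags() {
    sed 's/^libtool: compile: *//' |
    grep -E '^(cc|gcc|g\+\+|clang)[[:space:]]' |
    while IFS= read -r line; do
        # Object name after the last " -o " gives a usable location hint.
        obj=$(printf '%s\n' "$line" | sed -n 's/.* -o \([^ ]*\).*/\1/p')
        for flag in $REQUIRED_FLAGS; do
            case " $line " in
                *" $flag "*) ;;                       # flag present
                *) printf '%s %s\n' "${obj:-?}" "$flag" ;;
            esac
        done
    done
}
```

On a real package, run `missing_flags < build.log` after a `V=1` build; an empty output means every compiler line carried the flags.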
--- Begin Message ---
Source: iptables
Source-Version: 1.4.12.2-3

We believe that the bug you reported is fixed in the latest version of
iptables, which is due to be installed in the Debian FTP archive:

iptables-dev_1.4.12.2-3_amd64.deb
  to main/i/iptables/iptables-dev_1.4.12.2-3_amd64.deb
iptables_1.4.12.2-3.debian.tar.gz
  to main/i/iptables/iptables_1.4.12.2-3.debian.tar.gz
iptables_1.4.12.2-3.dsc
  to main/i/iptables/iptables_1.4.12.2-3.dsc
iptables_1.4.12.2-3_amd64.deb
  to main/i/iptables/iptables_1.4.12.2-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurence J. Lane <[email protected]> (supplier of updated iptables package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Thu, 22 Mar 2012 18:54:37 -0400
Source: iptables
Binary: iptables iptables-dev
Architecture: source amd64
Version: 1.4.12.2-3
Distribution: unstable
Urgency: low
Maintainer: Laurence J. Lane <[email protected]>
Changed-By: Laurence J. Lane <[email protected]>
Description: 
 iptables   - administration tools for packet filtering and NAT
 iptables-dev - iptables development files
Closes: 665286
Changes: 
 iptables (1.4.12.2-3) unstable; urgency=low
 .
   * Added CPPFLAGS for extensions to enable hardening. Report and
     patch by Simon Ruderich. Thanks. Closes: #665286
Checksums-Sha1: 
Checksums-Sha256: 
Files: 




--- End Message ---
