Your message dated Fri, 23 Mar 2012 02:47:21 +0000
with message-id <[email protected]>
and subject line Bug#665323: fixed in crtmpserver 1.0~dfsg-2
has caused the Debian Bug report #665323,
regarding crtmpserver: CPPFLAGS hardening flags missing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
665323: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665323
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: crtmpserver
Version: 1.0~dfsg-1
Severity: important
Tags: patch
Dear Maintainer,
The CPPFLAGS hardening flags are missing because CMake ignores
them by default.
The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].
The -O2 removal is not necessary as gcc uses the last flag, which
is -O3 as set by CMake. compat=9 automatically exports the flags
so it's not necessary to pass them to configure manually.
diff -Nru crtmpserver-1.0~dfsg/debian/rules crtmpserver-1.0~dfsg/debian/rules
--- crtmpserver-1.0~dfsg/debian/rules 2012-03-22 01:52:51.000000000 +0100
+++ crtmpserver-1.0~dfsg/debian/rules 2012-03-23 02:53:16.000000000 +0100
@@ -2,16 +2,17 @@
#export DH_VERBOSE=1
-CFLAGS = $(shell dpkg-buildflags --get CFLAGS 2>/dev/null | sed -e 's/-O2//g')
-CXXFLAGS = $(shell dpkg-buildflags --get CXXFLAGS 2>/dev/null | sed -e
's/-O2//g')
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
DEB_BUILDDIR = obj-$(DEB_BUILD_GNU_TYPE)
DEB_PACKAGE_VERSION := $(shell dpkg-parsechangelog | awk '/^Version/ {print
$$2}')
DEB_UPSTREAM_VERSION := $(shell echo $(DEB_PACKAGE_VERSION) | cut -d '-' -f 1
| sed s,~,_, )
DEB_CONFIGURE_FLAGS = \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_VERBOSE_MAKEFILE=ON \
- -DCMAKE_C_FLAGS="$(CFLAGS)" \
- -DCMAKE_CXX_FLAGS="$(CXXFLAGS)" \
-DCRTMPSERVER_INSTALL_PREFIX=/usr \
-DTEMP_FRAMEWORK_VER="$(DEB_UPSTREAM_VERSION)" \
-DCRTMPSERVER_SOURCES_ROOT=$(CURDIR) \
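Review bot: dropping the -DCMAKE_C_FLAGS="$(CFLAGS)" / -DCMAKE_CXX_FLAGS="$(CXXFLAGS)" lines means CMake now sees the hardening flags only through the CFLAGS/CXXFLAGS environment, and CMake copies those into CMAKE_C_FLAGS/CMAKE_CXX_FLAGS only when the cache is first created, so obj-$(DEB_BUILD_GNU_TYPE) must be a fresh directory on every build or the flags silently stay absent. The new DEB_CFLAGS_MAINT_APPEND/DEB_CXXFLAGS_MAINT_APPEND exports only help if dpkg-buildflags is re-queried after debian/rules has exported them (the compat 9 behaviour the description relies on), and -D_FORTIFY_SOURCE=2 only takes effect at -O1 or higher, which the -O3 from CMAKE_BUILD_TYPE=Release does provide. Since CMAKE_VERBOSE_MAKEFILE=ON is kept, please confirm in the build log that every g++ line carries -D_FORTIFY_SOURCE=2 next to -fstack-protector rather than relying on hardening-check alone, which reports fortify only when a protectable libc call is actually present.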
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/sbin/crtmpserver /usr/lib/crtmpserver/libthelib.so
/usr/lib/crtmpserver/libcommon.so ...
/usr/sbin/crtmpserver:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/crtmpserver/libthelib.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/crtmpserver/libcommon.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
...
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
--- End Message ---
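The report above verifies the result with hardening-check. As an added example, not part of the bug report or of the crtmpserver package, the following script reimplements the three checks hardening-check derives purely from the ELF program and dynamic headers (PIE, read-only relocations, immediate binding), which is enough to reproduce the "Read-only relocations: yes / Immediate binding: no / PIE: no" pattern seen in the report. It assumes 64-bit little-endian ELF files; the stack-protector and fortify checks need the dynamic symbol table and are left out. build_sample_elf() is a constructed test image, not a real binary, so the checker can be exercised offline; the file name elfcheck.py in the usage comment is hypothetical.

```python
"""Header-level ELF hardening checks (added example; not from the bug report
or the crtmpserver package).

Re-implements the three properties hardening-check derives from the ELF
program and dynamic headers: PIE, read-only relocations (PT_GNU_RELRO) and
immediate binding (BIND_NOW). Assumptions: 64-bit little-endian ELF only;
the stack-protector and fortify checks need the dynamic symbol table and
are left out. build_sample_elf() produces constructed test images.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")            # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                   # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Return pie/relro/bind_now/full_relro flags for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    ptypes, dyn_off, dyn_size = set(), None, 0
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        ptypes.add(p_type)
        if p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    tags = {}
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            tags[tag] = val
    # ld -z now sets DT_BIND_NOW and/or DF_BIND_NOW / DF_1_NOW depending on age.
    bind_now = (DT_BIND_NOW in tags
                or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    # A PIE is ET_DYN *with* a PT_INTERP (plain shared libraries have none);
    # newer linkers also mark it with DF_1_PIE.
    pie = e_type == ET_DYN and (PT_INTERP in ptypes
                                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_PIE))
    relro = PT_GNU_RELRO in ptypes
    return {"pie": pie, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}


def build_sample_elf(*, executable: bool, pie: bool, relro: bool,
                     bind_now: bool) -> bytes:
    """Constructed ELF64 image (headers plus .dynamic only; it cannot run)."""
    dyn = [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if bind_now else []
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in dyn + [(DT_NULL, 0)])
    phdrs = [PT_DYNAMIC] + ([PT_INTERP] if executable else []) \
        + ([PT_GNU_RELRO] if relro else [])
    dyn_off = EHDR.size + PHDR.size * len(phdrs)
    e_type = ET_DYN if (pie or not executable) else ET_EXEC
    hdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\x00" * 9, e_type, 62, 1, 0,
                    EHDR.size, 0, 0, EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b""
    for p_type in phdrs:
        off, size = (dyn_off, len(dyn_bytes)) if p_type == PT_DYNAMIC else (0, 0)
        body += PHDR.pack(p_type, 4, off, off, off, size, size, 8)
    return hdr + body + dyn_bytes


def report(path: str) -> str:
    """Format one file's result in the style of hardening-check output."""
    with open(path, "rb") as fh:
        r = check_hardening(fh.read())
    yn = {True: "yes", False: "no"}
    return (f"{path}:\n Position Independent Executable: {yn[r['pie']]}\n"
            f" Read-only relocations: {yn[r['relro']]}\n"
            f" Immediate binding: {yn[r['bind_now']]}")


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /usr/sbin/crtmpserver /usr/lib/crtmpserver/*.so
    for path in sys.argv[1:]:
        print(report(path))
```

Run it over the same file list the report feeds to hardening-check (or over the find output) to get a second, independent reading of the RELRO/BIND_NOW/PIE state; a non-PIE executable with PT_GNU_RELRO but no BIND_NOW flag reports exactly what the crtmpserver binary shows above.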
--- Begin Message ---
Source: crtmpserver
Source-Version: 1.0~dfsg-2
We believe that the bug you reported is fixed in the latest version of
crtmpserver, which is due to be installed in the Debian FTP archive:
crtmpserver-apps_1.0~dfsg-2_amd64.deb
to main/c/crtmpserver/crtmpserver-apps_1.0~dfsg-2_amd64.deb
crtmpserver-dev_1.0~dfsg-2_amd64.deb
to main/c/crtmpserver/crtmpserver-dev_1.0~dfsg-2_amd64.deb
crtmpserver-libs_1.0~dfsg-2_amd64.deb
to main/c/crtmpserver/crtmpserver-libs_1.0~dfsg-2_amd64.deb
crtmpserver_1.0~dfsg-2.debian.tar.gz
to main/c/crtmpserver/crtmpserver_1.0~dfsg-2.debian.tar.gz
crtmpserver_1.0~dfsg-2.dsc
to main/c/crtmpserver/crtmpserver_1.0~dfsg-2.dsc
crtmpserver_1.0~dfsg-2_amd64.deb
to main/c/crtmpserver/crtmpserver_1.0~dfsg-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andres Mejia <[email protected]> (supplier of updated crtmpserver package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 22 Mar 2012 22:28:52 -0400
Source: crtmpserver
Binary: crtmpserver crtmpserver-libs crtmpserver-apps crtmpserver-dev
Architecture: source amd64
Version: 1.0~dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian Multimedia Maintainers
<[email protected]>
Changed-By: Andres Mejia <[email protected]>
Description:
crtmpserver - High performance RTMP/RTSP streaming server
crtmpserver-apps - base applications for the crtmpserver platform
crtmpserver-dev - Development files for the crtmpserver platform
crtmpserver-libs - shared libraries for the crtmpserver platform
Closes: 665323
Changes:
crtmpserver (1.0~dfsg-2) unstable; urgency=low
.
* Enable hardened CPPFLAGS. (Closes: #665323)
* Add myself to Uploaders field.
Checksums-Sha1:
1bea8135ac229777aeba9be7fd1f56755d3a9d9e 2279 crtmpserver_1.0~dfsg-2.dsc
1b0cbe8987bd634a621b9cdaa212db3a004c19e4 14050
crtmpserver_1.0~dfsg-2.debian.tar.gz
5450873ca5f5f76239eba7169a46207c51cff341 29452 crtmpserver_1.0~dfsg-2_amd64.deb
327b350af33549ee5a6b3588b00fae6212ebc517 1056654
crtmpserver-libs_1.0~dfsg-2_amd64.deb
ec6948a003efbf1d50f496f9cf4bc398d931fcc0 211260
crtmpserver-apps_1.0~dfsg-2_amd64.deb
31c7d90c2f87d45118c7a5a1ba7dc71ae3833249 94004
crtmpserver-dev_1.0~dfsg-2_amd64.deb
Checksums-Sha256:
ca98d348ae5be98ecc5451a94285fc8d555b7ea8f3644ff4bd237756c5f400ff 2279
crtmpserver_1.0~dfsg-2.dsc
9c42e710e97dd09fa069067d50aa0dda1cb1bbee7eba39806bb1cd58b489a2aa 14050
crtmpserver_1.0~dfsg-2.debian.tar.gz
336cb6fcec5d294b1178204b0aa351fb53c621cb1d8eaaa7cd480c25e9de284b 29452
crtmpserver_1.0~dfsg-2_amd64.deb
f240ec95f38fcd89bf40e97d28b42f8d03c295da53714072aa68ea70bf696965 1056654
crtmpserver-libs_1.0~dfsg-2_amd64.deb
84dad5b5e9bdd9bf1e4c3103c9f1efdbdce53d1b8ad11a5ef004900c9e77321a 211260
crtmpserver-apps_1.0~dfsg-2_amd64.deb
db55692cf4f7f9ff9b7acdb22e4d7f9fa7f90c30a506f86627da33f17752848c 94004
crtmpserver-dev_1.0~dfsg-2_amd64.deb
Files:
675ab6f66f2f97af65992dc9e92b549a 2279 video optional crtmpserver_1.0~dfsg-2.dsc
092a6a708b71cdead1b390ea917623a9 14050 video optional
crtmpserver_1.0~dfsg-2.debian.tar.gz
1649ae7f56e06f030177e8b89233106d 29452 video optional
crtmpserver_1.0~dfsg-2_amd64.deb
0f3202b98baab1820c675f89244e9efe 1056654 video optional
crtmpserver-libs_1.0~dfsg-2_amd64.deb
7f9aaf0191cb5151142b688c9929c7bd 211260 video optional
crtmpserver-apps_1.0~dfsg-2_amd64.deb
107cdc0a64d202c05df0ee7ebd3cd207 94004 video optional
crtmpserver-dev_1.0~dfsg-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---