Your message dated Sat, 24 Mar 2012 03:34:10 +0000
with message-id <[email protected]>
and subject line Bug#663601: fixed in icu 4.8.1.1-5
has caused the Debian Bug report #663601,
regarding icu: Please enable hardening flags
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
663601: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663601
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: icu
Version: 4.8.1.1-4
Severity: important
Tags: patch
Dear Maintainer,
Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].
The attached patch enables hardening flags. Including
buildflags.mk is necessary because no CDBS class is used.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/lib/libicutu.so.48.1.1 /usr/lib/libicutest.so.48.1.1 /usr/lib/libiculx.so.48.1.1 ...
/usr/lib/libicutu.so.48.1.1:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/libicutest.so.48.1.1:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/libiculx.so.48.1.1:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
...
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru icu-4.8.1.1/debian/rules icu-4.8.1.1/debian/rules
--- icu-4.8.1.1/debian/rules 2012-03-11 23:50:05.000000000 +0100
+++ icu-4.8.1.1/debian/rules 2012-03-12 16:41:49.000000000 +0100
@@ -1,5 +1,10 @@
#!/usr/bin/make -f
+# Get (hardening) build flags, CDBS doesn't handle this automatically because
+# no class is used.
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
DEB_HOST_ARCH_CPU ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU)
# To distinguish variables that are truly local to this file (rather
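Review bot: the include has to stay above every later assignment to CFLAGS/CXXFLAGS in this file, because the `:=` and `=` assignments further down replace whatever buildflags.mk just set, and the environment export only happens because `DPKG_EXPORT_BUILDFLAGS = 1` is defined before the include; please keep that ordering together with the comment that explains it. Note also that the dpkg-buildflags defaults leave PIE and bindnow off (the hardening-check output in the report shows "Immediate binding: no"); if full RELRO is wanted for the shared libraries, `export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow` placed above the include is the supported way to request it.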
@@ -7,21 +12,24 @@
# variables' names with l_.
l_SONAME := 48
-l_CFLAGS := -g -Wall
+CFLAGS += -g -Wall
ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
- l_CFLAGS += -O0
+ CFLAGS += -O0
else
- l_CFLAGS += -O2
+ CFLAGS += -O2
endif
# Turn off optimization on armel to avoid some internal compiler
# errors. This can be removed once bug 484053 is resolved.
ifeq ($(shell dpkg --print-architecture),armel)
-l_CFLAGS := $(filter-out -O%,$(l_CFLAGS)) -O0
+CFLAGS := $(filter-out -O%,$(CFLAGS)) -O0
endif
+# Use local settings for CXXFLAGS as well.
+CXXFLAGS = $(CFLAGS)
+
# common configure cruft
-l_CONFIGURE = CC="gcc" CXX="g++" CPPFLAGS="" LDFLAGS="" \
+l_CONFIGURE = CC="gcc" CXX="g++" \
./configure \
--build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr \
--includedir="\$${prefix}/include" \
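Review bot: `CXXFLAGS = $(CFLAGS)` discards the CXXFLAGS that buildflags.mk exported and replaces them with the C set; with the current defaults the two are identical so nothing is lost today, but any C++-only flag (for example one added through DEB_CXXFLAGS_MAINT_APPEND) would silently vanish, so `CXXFLAGS += -g -Wall` with the same -O handling applied to both variables is the safer form. The explicit `-g` and the noopt/-O2 branch duplicate what dpkg-buildflags already emits (it switches to -O0 itself when DEB_BUILD_OPTIONS contains noopt), so the whole ifneq block could go; the duplicates are harmless since the last -O wins. The armel line `CFLAGS := $(filter-out -O%,$(CFLAGS)) -O0` still works because it re-derives from the already populated variable. Dropping `CPPFLAGS="" LDFLAGS=""` from l_CONFIGURE is the part that actually lets -D_FORTIFY_SOURCE=2 and -Wl,-z,relro reach the build, since both now come from the exported environment.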
@@ -70,14 +78,13 @@
configure/libicu$(l_SONAME) configure/libicu-dev:: debian/stamp-configure
debian/stamp-configure:
cd $(DEB_SRCDIR) && \
- CFLAGS="$(l_CFLAGS)" CXXFLAGS="$(l_CFLAGS)" \
$(l_CONFIGURE)
touch debian/stamp-configure
configure/lib32icu$(l_SONAME) configure/lib32icu-dev:: debian/stamp-configure32
debian/stamp-configure32:
cd $(DEB_SRCDIR)-build32 && \
- CFLAGS="$(l_CFLAGS) -m32" CXXFLAGS="$(l_CFLAGS) -m32" \
+ CFLAGS="$(CFLAGS) -m32" CXXFLAGS="$(CXXFLAGS) -m32" \
$(l_CONFIGURE) --libdir=/usr/lib32
touch debian/stamp-configure32
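Review bot: after this hunk the 64-bit configure takes CFLAGS/CXXFLAGS/CPPFLAGS/LDFLAGS purely from the exported environment, while the 32-bit one still overrides CFLAGS/CXXFLAGS on the command line to add -m32; CPPFLAGS and LDFLAGS for the -m32 build likewise arrive only via the environment, so the lib32 objects under /usr/lib32 need the same hardening-check pass as the 64-bit ones (the find command given in the report, run over the whole build result, covers both). It is also worth grepping the build log for -fstack-protector and -D_FORTIFY_SOURCE=2 on the 32-bit compile lines, since the report itself notes that hardening-check does not catch everything.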
--- End Message ---
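The verification step Simon describes, running hardening-check over every file find picks out of the build result, can also be done without binutils by reading the ELF headers directly. The script below is an added example for this thread, not code from the bug report, from ICU, or from the hardening-check tool; it derives the same five verdicts (PIE versus plain shared library, stack protector, fortify, read-only relocations, immediate binding) from the program headers, the dynamic tags and the undefined entries of .dynsym, for ELF32 as well as ELF64 so the lib32 packages can be checked with the same tool. The file name elf_hardening.py and all function names are mine; it assumes section headers are present (plain strip keeps them, sstrip does not), and the verdict strings only approximate hardening-check's wording.

```python
r"""Re-derive the hardening-check verdicts by parsing ELF files directly.
Run over a build tree with the find command from the report, for example:
    python3 elf_hardening.py $(find debian/tmp -type f \( -executable -o -name '*.so*' \))
Constants are from elf.h; ELF32/ELF64 in either byte order are handled.
Assumes section headers are present (plain strip keeps them, sstrip does not)."""
import struct
import sys

ET_DYN = 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
SHT_DYNSYM, SHN_UNDEF = 11, 0
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
# libc calls glibc can redirect to __*_chk variants under -D_FORTIFY_SOURCE=2
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat",
               "strncat", "sprintf", "snprintf", "vsprintf", "vsnprintf",
               "printf", "fprintf", "read", "fgets", "getcwd", "realpath"}


def _structs(data):
    """Return (is64, Ehdr, Phdr, Shdr, Sym, Dyn) struct layouts for this file."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:
        fmts = ("16sHHIQQQIHHHHHH", "IIQQQQQQ", "IIQQQQIIQQ", "IBBHQQ", "qQ")
    else:  # ELF32 Phdr and Sym order their fields differently from ELF64
        fmts = ("16sHHIIIIIHHHHHH", "IIIIIIII", "IIIIIIIIII", "IIIBBH", "iI")
    return (is64,) + tuple(struct.Struct(end + f) for f in fmts)


def check_elf_bytes(data):
    """Return a dict of hardening findings for one ELF image held in memory."""
    is64, Ehdr, Phdr, Shdr, Sym, Dyn = _structs(data)
    e = Ehdr.unpack_from(data, 0)
    e_type, phoff, shoff = e[1], e[5], e[6]
    phentsize, phnum, shentsize, shnum = e[9], e[10], e[11], e[12]

    # Program headers: RELRO segment, interpreter, location of the dynamic section.
    relro = interp = False
    dyn_off = dyn_size = None
    for i in range(phnum):
        p = Phdr.unpack_from(data, phoff + i * phentsize)
        p_off, p_filesz = (p[2], p[5]) if is64 else (p[1], p[4])
        if p[0] == PT_GNU_RELRO:
            relro = True
        elif p[0] == PT_INTERP:
            interp = True
        elif p[0] == PT_DYNAMIC:
            dyn_off, dyn_size = p_off, p_filesz

    # Dynamic tags: BIND_NOW in any of the three spellings linkers emit, plus DF_1_PIE.
    bind_now = pie_flag = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, Dyn.size):
            tag, val = Dyn.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
            if tag == DT_FLAGS_1 and val & DF_1_PIE:
                pie_flag = True

    # Undefined entries of .dynsym are the functions imported from libc and friends.
    imported = set()
    for i in range(shnum):
        s = Shdr.unpack_from(data, shoff + i * shentsize)
        if s[1] != SHT_DYNSYM:
            continue
        strtab = Shdr.unpack_from(data, shoff + s[6] * shentsize)[4]  # sh_link -> .dynstr
        for off in range(s[4], s[4] + s[5], s[9] or Sym.size):
            y = Sym.unpack_from(data, off)
            name, shndx = (y[0], y[3]) if is64 else (y[0], y[5])
            if name and shndx == SHN_UNDEF:
                end = data.index(b"\0", strtab + name)
                imported.add(data[strtab + name:end].decode("ascii", "replace"))

    protected = {n[2:-4] for n in imported if n.startswith("__") and n.endswith("_chk")}
    unprotected = imported & FORTIFIABLE
    if protected:
        fortify = "yes (some protected functions found)" if unprotected else "yes"
    else:
        fortify = "no" if unprotected else "unknown, no protectable libc functions used"

    if e_type == ET_DYN:
        # As hardening-check does: ET_DYN without PT_INTERP is a plain shared
        # library, so PIE is "not applicable" for it rather than missing.
        kind = "pie" if (interp or pie_flag) else "shared library"
    else:
        kind = "executable"
    return {"kind": kind, "stack_protector": "__stack_chk_fail" in imported,
            "fortify": fortify, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now, "unprotected": sorted(unprotected)}


def check_elf(path):
    with open(path, "rb") as f:
        return check_elf_bytes(f.read())


def main(paths):
    """Print one line per ELF file; return False if any lacks SSP or RELRO."""
    ok = True
    for path in paths:
        try:
            r = check_elf(path)
        except ValueError:
            continue  # scripts and data files matched by find: skip them
        print(path + ": " + ", ".join(f"{k}={v}" for k, v in r.items() if k != "unprotected"))
        ok = ok and r["stack_protector"] and r["relro"]
    return ok


if __name__ == "__main__":
    sys.exit(0 if main(sys.argv[1:]) else 1)
```

The `kind` field carries the same distinction hardening-check makes when it prints "no, regular shared library (ignored)", and `full_relro` is only true when both the PT_GNU_RELRO segment and a BIND_NOW tag are present; with the default dpkg-buildflags used in the patch (no hardening=+bindnow) the libraries will show `relro=True` and `bind_now=False`, which is exactly the "Immediate binding: no" line in the report.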
--- Begin Message ---
Source: icu
Source-Version: 4.8.1.1-5
We believe that the bug you reported is fixed in the latest version of
icu, which is due to be installed in the Debian FTP archive:
icu-doc_4.8.1.1-5_all.deb
to main/i/icu/icu-doc_4.8.1.1-5_all.deb
icu_4.8.1.1-5.debian.tar.gz
to main/i/icu/icu_4.8.1.1-5.debian.tar.gz
icu_4.8.1.1-5.dsc
to main/i/icu/icu_4.8.1.1-5.dsc
lib32icu-dev_4.8.1.1-5_amd64.deb
to main/i/icu/lib32icu-dev_4.8.1.1-5_amd64.deb
lib32icu48_4.8.1.1-5_amd64.deb
to main/i/icu/lib32icu48_4.8.1.1-5_amd64.deb
libicu-dev_4.8.1.1-5_amd64.deb
to main/i/icu/libicu-dev_4.8.1.1-5_amd64.deb
libicu48-dbg_4.8.1.1-5_amd64.deb
to main/i/icu/libicu48-dbg_4.8.1.1-5_amd64.deb
libicu48_4.8.1.1-5_amd64.deb
to main/i/icu/libicu48_4.8.1.1-5_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jay Berkenbilt <[email protected]> (supplier of updated icu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 23 Mar 2012 22:45:55 -0400
Source: icu
Binary: libicu48 libicu48-dbg libicu-dev lib32icu48 lib32icu-dev icu-doc
Architecture: source all amd64
Version: 4.8.1.1-5
Distribution: unstable
Urgency: low
Maintainer: Jay Berkenbilt <[email protected]>
Changed-By: Jay Berkenbilt <[email protected]>
Description:
icu-doc - API documentation for ICU classes and functions
lib32icu-dev - Development files for International Components for Unicode (32-bi
lib32icu48 - International Components for Unicode (32-bit)
libicu-dev - Development files for International Components for Unicode
libicu48 - International Components for Unicode
libicu48-dbg - International Components for Unicode
Closes: 663601
Changes:
icu (4.8.1.1-5) unstable; urgency=low
.
* Enable security hardening flags. Thanks to Simon Ruderich for doing
100% of the work, sending a clean patch, and providing clear
instructions on how to verify. (Closes: #663601)
Checksums-Sha1:
5ff63ed48e8d76798af6207ba8b380e3ef0948fe 2222 icu_4.8.1.1-5.dsc
f60957894373c3aa8b83bf5dfee63b6c68ee0f83 18645 icu_4.8.1.1-5.debian.tar.gz
9c2ab4d0ceffadc20c38f6357de048d06e8b3516 4147568 icu-doc_4.8.1.1-5_all.deb
34c46aaa59bb6c36cf278bab230cf97516d83f9c 8130648 libicu48_4.8.1.1-5_amd64.deb
77f8c90e4eea974cdfedafdf55331c508219549e 4237422 libicu48-dbg_4.8.1.1-5_amd64.deb
0d6d97626f7316ec7f75f81d1c45d9a769bf7059 9780962 libicu-dev_4.8.1.1-5_amd64.deb
54540e179a76b952fa4435cbb0b7837410df7846 8205550 lib32icu48_4.8.1.1-5_amd64.deb
faa9dc7dbfa9a18aac600cc3dde7d0656a294c1d 8555302 lib32icu-dev_4.8.1.1-5_amd64.deb
Checksums-Sha256:
bfdbe0cd00ada976ecaae176447a33fccee35f80bdb31df935d6f45e37945449 2222 icu_4.8.1.1-5.dsc
7b4832f567774491366e4d648757acd6ba54ab803400532be69568512ec1b633 18645 icu_4.8.1.1-5.debian.tar.gz
e021b1ce97cb8312208b1038b5f1d86c1197122684be9de2047f0c743d92a7b8 4147568 icu-doc_4.8.1.1-5_all.deb
9cd39a9acd318ace36985b4df1bebca7dbf5a567aa06b241d4c74d66a8cb1a1c 8130648 libicu48_4.8.1.1-5_amd64.deb
b32c4dcffa95df48c2f6c90b2561220a25b4d53f143772826320dcadb5e49ce3 4237422 libicu48-dbg_4.8.1.1-5_amd64.deb
d6cf7a23b2a1ffb79fa869f4a47225659c3983eff278b7e34487f703e6f580b7 9780962 libicu-dev_4.8.1.1-5_amd64.deb
3c83104d15b44bb5315a6c02d81e03e0ac740ee86378ed302bae50fa1f0264db 8205550 lib32icu48_4.8.1.1-5_amd64.deb
0d97b1d3c333647d9b0dab71356c7f8877c86efa6de37d680078df2e90fa36f4 8555302 lib32icu-dev_4.8.1.1-5_amd64.deb
Files:
fbab12c5594a0c3c34cf3ce95aa503c7 2222 libs optional icu_4.8.1.1-5.dsc
180c516cfbd2c4ae349f797cdc66c27a 18645 libs optional icu_4.8.1.1-5.debian.tar.gz
a2aa6f4c197a5d02eb7cd53860db422b 4147568 doc optional icu-doc_4.8.1.1-5_all.deb
effa0747223b50f62d557746f58ec370 8130648 libs optional libicu48_4.8.1.1-5_amd64.deb
1de3681e99712ef7ce6ead459d9f4ae8 4237422 debug extra libicu48-dbg_4.8.1.1-5_amd64.deb
dbedb0fba913d910d6bd96774490f488 9780962 libdevel optional libicu-dev_4.8.1.1-5_amd64.deb
682c9a263618c23d0ecc638c89521dc1 8205550 libs optional lib32icu48_4.8.1.1-5_amd64.deb
a775728c414d144e5910d1745c1106ca 8555302 libdevel optional lib32icu-dev_4.8.1.1-5_amd64.deb
--- End Message ---