Your message dated Sat, 24 Mar 2012 23:47:58 +0000
with message-id <[email protected]>
and subject line Bug#663613: fixed in freetype 2.4.9-1
has caused the Debian Bug report #663613,
regarding freetype: CPPFLAGS hardening flags missing for ft2demos
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
663613: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663613
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: freetype
Version: 2.4.8-1
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The CPPFLAGS hardening flags are missing for ft2demos because the
Makefiles ignore them.

The attached patch (for debian/patches-ft2demos/) fixes the
issue. If possible it should be sent upstream. For more hardening
information please have a look at [1], [2] and [3].

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/ftbench /usr/bin/ftdump /usr/bin/ftlint ...
    /usr/bin/ftbench:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/ftdump:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/ftlint:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=hoh9
-----END PGP SIGNATURE-----
Description: Use CPPFLAGS from environment (dpkg-buildflags).
 Necessary for hardening flags.
 Author: Simon Ruderich <[email protected]>
 Last-Update: 2012-03-12

Index: ft2demos-2.4.8/Makefile
===================================================================
--- ft2demos-2.4.8.orig/Makefile	2011-04-19 06:46:37.000000000 +0200
+++ ft2demos-2.4.8/Makefile	2012-03-12 18:19:46.217136170 +0100
@@ -127,7 +127,7 @@
                  $(TOP_DIR)/include \
                  $(SRC_DIR)
 
-  COMPILE = $(CC) $(CFLAGS) \
+  COMPILE = $(CC) $(CFLAGS) $(CPPFLAGS) \
                   $(INCLUDES:%=$I%) \
                   $DFT_CONFIG_MODULES_H="<ftmodule.h>"
 
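Review bot: $(CPPFLAGS) is appended after $(CFLAGS) in COMPILE, whereas GNU make's built-in compile rule and the GNU Coding Standards put preprocessor flags first (`$(CC) $(CPPFLAGS) $(CFLAGS)`); the order makes no difference to -D_FORTIFY_SOURCE=2, but matching the convention makes the upstream submission the description asks for easier to accept. Also note that nothing in this Makefile sets CPPFLAGS itself: as the description says, the value comes from the environment, so debian/rules must actually export it (an unexported variable leaves $(CPPFLAGS) empty and the build succeeds silently without the flag, which is exactly the failure the hardening-check run in the report caught).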
Index: ft2demos-2.4.8/graph/allegro/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/allegro/rules.mk	2009-03-14 14:58:28.000000000 +0100
+++ ft2demos-2.4.8/graph/allegro/rules.mk	2012-03-12 18:19:46.217136170 +0100
@@ -23,7 +23,7 @@
   # our compilation rule
   #
   $(OBJ_DIR_2)/gralleg.$O : $(GR_ALLEG)/gralleg.c $(GR_ALLEG)/gralleg.h
-	  $(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	  $(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
                 $I$(subst /,$(COMPILER_SEP),$(GR_ALLEG)) \
                 $T$(subst /,$(COMPILER_SEP),$@ $<)
 
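Review bot: graph/allegro/rules.mk (and likewise the beos, os2 and win32 rules below) is only used when that platform's graphics driver is built, so this hunk does not change the Debian binaries the report's hardening-check output was taken from; it is still right to include it for the upstream submission the report mentions, since it keeps every per-driver compile rule consistent with the $(CFLAGS) $(CPPFLAGS) change in the top-level Makefile. The recipe line keeps the original tab-plus-spaces indentation, which make requires.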
Index: ft2demos-2.4.8/graph/beos/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/beos/rules.mk	2009-03-14 14:58:28.000000000 +0100
+++ ft2demos-2.4.8/graph/beos/rules.mk	2012-03-12 18:19:46.217136170 +0100
@@ -21,7 +21,7 @@
   # the rule used to compile the graphics driver
   #
   $(OBJ_DIR_2)/grbeos.$(SO): $(GR_BEOS)/grbeos.cpp $(GR_BEOS)/grbeos.h
-	  $(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	  $(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
                 $I$(subst /,$(COMPILER_SEP),$(GR_BEOS)) \
                 $(X11_INCLUDE:%=$I%) \
                 $T$(subst /,$(COMPILER_SEP),$@ $<)
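Review bot: grbeos.cpp is C++ but the recipe invokes $(CC) with $(CFLAGS); adding $(CPPFLAGS) rather than $(CXXFLAGS) is nonetheless the correct choice, because -D_FORTIFY_SOURCE=2 is a preprocessor define that applies to both languages and CPPFLAGS is the variable dpkg-buildflags emits it in. If upstream ever moves this rule to $(CXX)/$(CXXFLAGS), the $(CPPFLAGS) reference should be kept.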
Index: ft2demos-2.4.8/graph/os2/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/os2/rules.mk	2009-03-14 14:58:28.000000000 +0100
+++ ft2demos-2.4.8/graph/os2/rules.mk	2012-03-12 18:19:46.217136170 +0100
@@ -23,7 +23,7 @@
   # the rule used to compile the graphics driver
   #
   $(OBJ_DIR_2)/gros2pm.$O: $(GR_OS2)/gros2pm.c $(GR_OS2)/gros2pm.h
-	  $(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	  $(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
                 $I$(subst /,$(COMPILER_SEP),$(GR_OS2)) \
                 $T$(subst /,$(COMPILER_SEP),$@ $<)
 
Index: ft2demos-2.4.8/graph/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/rules.mk	2009-03-14 14:58:28.000000000 +0100
+++ ft2demos-2.4.8/graph/rules.mk	2012-03-12 18:19:58.781136650 +0100
@@ -67,14 +67,14 @@
 # pattern rule for normal sources
 #
 $(OBJ_DIR_2)/%.$(SO): $(GRAPH)/%.c $(GRAPH_H)
-	$(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) $T$@ $<
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) $T$@ $<
 
 
 # a special rule is used for 'grinit.o' as it needs the definition
 # of some macros like "-DDEVICE_X11" or "-DDEVICE_OS2_PM"
 #
 $(OBJ_DIR_2)/grinit.$(SO): $(GRAPH)/grinit.c $(GRAPH_H)
-	$(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
               $(DEVICES:%=$DDEVICE_%) $T$(subst /,$(COMPILER_SEP),$@ $<)
 
 
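Review bot: this single @@ -67,14 hunk carries two recipe changes, the generic `%.$(SO)` pattern rule and the special grinit rule, and both are needed: grinit.o is built by its own rule (it adds the $(DEVICES:%=$DDEVICE_%) defines), so patching only the pattern rule would have left graph/grinit.c compiled without CPPFLAGS. Together with the top-level Makefile and graph/x11/rules.mk, this is one of the three files that affect the demos actually shipped on Debian.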
Index: ft2demos-2.4.8/graph/win32/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/win32/rules.mk	2009-03-14 14:58:28.000000000 +0100
+++ ft2demos-2.4.8/graph/win32/rules.mk	2012-03-12 18:19:46.217136170 +0100
@@ -20,7 +20,7 @@
   # the rule used to compile the graphics driver
   #
   $(OBJ_DIR_2)/grwin32.$O: $(GR_WIN32)/grwin32.c $(GR_WIN32)/grwin32.h
-	  $(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	  $(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
                 $I$(subst /,$(COMPILER_SEP),$(GR_WIN32)) \
                 $T$(subst /,$(COMPILER_SEP),$@ $<)
 
Index: ft2demos-2.4.8/graph/x11/rules.mk
===================================================================
--- ft2demos-2.4.8.orig/graph/x11/rules.mk	2012-03-12 18:19:46.193136170 +0100
+++ ft2demos-2.4.8/graph/x11/rules.mk	2012-03-12 18:19:46.217136170 +0100
@@ -100,7 +100,7 @@
   # the rule used to compile the X11 driver
   #
   $(OBJ_DIR_2)/grx11.$(SO): $(GR_X11)/grx11.c $(GR_X11)/grx11.h
-	  $(CC) $(CFLAGS) $(GRAPH_INCLUDES:%=$I%) \
+	  $(CC) $(CFLAGS) $(CPPFLAGS) $(GRAPH_INCLUDES:%=$I%) \
                 $I$(subst /,$(COMPILER_SEP),$(GR_X11)) \
                 $(X11_INCLUDE:%=$I%) \
                 $T$(subst /,$(COMPILER_SEP),$@ $<)
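Review bot: the `---` header for graph/x11/rules.mk carries an orig timestamp of 2012-03-12 18:19:46.193, unlike the 2009 timestamps on every other file, which indicates this file had already been modified by an earlier patch in debian/patches-ft2demos/ when the diff was generated; the patch therefore has to be ordered after that one in the series file, or the context around line 100 will not apply. On Debian the X11 driver is the one that gets built, so this hunk plus the top-level Makefile change is what fixes the binaries listed in the report.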

--- End Message ---
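An added check for the "check the build log" advice in the report above, since hardening-check only inspects the finished binaries and cannot say which compile step dropped a flag. This is example code written for this page, not from the bug report, the patch or the freetype packaging; the sample log lines are constructed to resemble the ft2demos compile rules in the patch, and the default required-flag list is an assumption approximating the wheezy-era dpkg-buildflags values (override it through REQUIRED_FLAGS).

```sh
#!/bin/sh
# Audit a build log for compiler invocations that lack expected hardening
# flags.  Added example for this page; not from the bug report or the
# freetype package.  On a Debian system the list can be derived from
# `dpkg-buildflags --get CFLAGS` and `dpkg-buildflags --get CPPFLAGS`;
# the default below is an assumption approximating the wheezy-era values.
: "${REQUIRED_FLAGS:=-D_FORTIFY_SOURCE=2 -fstack-protector}"

# check_compile_lines: read a build log on stdin and print one
# "missing <flag>: <line>" record for every compile step (a cc/gcc/clang
# invocation containing -c) that lacks one of $REQUIRED_FLAGS.  Link steps
# are skipped because -D_FORTIFY_SOURCE and -fstack-protector are
# compile-time flags; LDFLAGS (relro, bindnow) need a separate check.
check_compile_lines() {
    grep -E '(^|[[:space:]])(cc|gcc|g\+\+|clang)[[:space:]].*[[:space:]]-c([[:space:]]|$)' |
    while IFS= read -r line; do
        for flag in $REQUIRED_FLAGS; do
            # Match the flag as a whole word, so -fstack-protector-all is
            # treated as a distinct flag rather than as -fstack-protector.
            case " $line " in
                *" $flag "*) ;;
                *) printf 'missing %s: %s\n' "$flag" "$line" ;;
            esac
        done
    done
}

# count_missing: number of missing-flag records for the log on stdin;
# 0 means every compile step carried every required flag.
count_missing() {
    n=$(check_compile_lines | grep -c '^missing ' || true)
    echo "${n:-0}"
}

# Constructed sample log modelled on the ft2demos recipes in the patch:
# ftbench gets both flags, ftdump lacks CPPFLAGS (the reported bug),
# grinit lacks both, and the last line is a link step that must be ignored.
SAMPLE_LOG='cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -I../freetype/include -DFT_CONFIG_MODULES_H="<ftmodule.h>" -c -o obj/ftbench.o src/ftbench.c
cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -I../freetype/include -DFT_CONFIG_MODULES_H="<ftmodule.h>" -c -o obj/ftdump.o src/ftdump.c
cc -g -O2 -I../freetype/include -Igraph -DDEVICE_X11 -c -o obj/grinit.o graph/grinit.c
cc -Wl,-z,relro -o bin/ftbench obj/ftbench.o -lfreetype'

# Usage: sh check-build-log.sh build.log   (or pipe the log in with "-")
# Without arguments the constructed sample log is audited instead.
if [ $# -gt 0 ]; then
    cat -- "$@" | check_compile_lines
else
    printf '%s\n' "$SAMPLE_LOG" | check_compile_lines
fi
```

Run it over the log of a full package build (for the demos, the build log from `dpkg-buildpackage`) and expect no output; any "missing" record names the exact compile line that ignored the flags, which is the detail hardening-check's per-binary verdict cannot give.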
--- Begin Message ---
Source: freetype
Source-Version: 2.4.9-1

We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive:

freetype2-demos_2.4.9-1_amd64.deb
  to main/f/freetype/freetype2-demos_2.4.9-1_amd64.deb
freetype_2.4.9-1.diff.gz
  to main/f/freetype/freetype_2.4.9-1.diff.gz
freetype_2.4.9-1.dsc
  to main/f/freetype/freetype_2.4.9-1.dsc
freetype_2.4.9.orig.tar.gz
  to main/f/freetype/freetype_2.4.9.orig.tar.gz
libfreetype6-dev_2.4.9-1_amd64.deb
  to main/f/freetype/libfreetype6-dev_2.4.9-1_amd64.deb
libfreetype6-udeb_2.4.9-1_amd64.udeb
  to main/f/freetype/libfreetype6-udeb_2.4.9-1_amd64.udeb
libfreetype6_2.4.9-1_amd64.deb
  to main/f/freetype/libfreetype6_2.4.9-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <[email protected]> (supplier of updated freetype package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 24 Mar 2012 23:35:16 +0000
Source: freetype
Binary: libfreetype6 libfreetype6-dev freetype2-demos libfreetype6-udeb
Architecture: source amd64
Version: 2.4.9-1
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <[email protected]>
Changed-By: Steve Langasek <[email protected]>
Description: 
 freetype2-demos - FreeType 2 demonstration programs
 libfreetype6 - FreeType 2 font engine, shared library files
 libfreetype6-dev - FreeType 2 font engine, development files
 libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Closes: 617217 642059 662864 663613
Changes: 
 freetype (2.4.9-1) unstable; urgency=low
 .
   * New upstream release
     - upstream fix for multiple vulnerabilities: CVE-2012-1126,
       CVE-2012-1133, CVE-2012-1134, CVE-2012-1136, CVE-2012-1142,
       CVE-2012-1144, and others.  Closes: #662864.
     - update symbols file for a new symbol, ft_raccess_guess_table
   * debian/patches-freetype/savannah-bug-35847.patch,
     debian/patches-freetype/savannah-bug-35833.patch: pull two bugfixes from
     upstream git on top of 2.4.9, to address regressions affecting
     ghostscript.  Thanks to Till Kamppeter for pointing this out.
   * push CPPFLAGS into CFLAGS for ft2demos, so our demos will be secure.
     Closes: #663613.
   * don't let a quiltrc override our QUILT_PATCHES settings in debian/rules.
     Closes: #617217.
   * Migrate debian/copyright to copyright-format 1.0, and fix up the upstream
     URL.  Closes: #642059.
Checksums-Sha1: 
 7e6bd6c89830a01a0e114dc12593f2cb218fd66a 2026 freetype_2.4.9-1.dsc
 686608efbc9c71607af7454b0d81966a47cac74e 1774386 freetype_2.4.9.orig.tar.gz
 1e51190bd4bab89bdc64ee287ec962405ddd7ef3 37568 freetype_2.4.9-1.diff.gz
 c6b68ca140fe70e5a2dd49ec6259c7f74bd63318 449878 libfreetype6_2.4.9-1_amd64.deb
 ff31221ce8e5bc4e9edfb567c44685110c298a6b 802742 libfreetype6-dev_2.4.9-1_amd64.deb
 02541ae346d33d5a1560061416385d08c621188e 218696 freetype2-demos_2.4.9-1_amd64.deb
 673c486c923d30fc12d47489670a33431deb3038 323546 libfreetype6-udeb_2.4.9-1_amd64.udeb
Checksums-Sha256: 
 5d850bdec1ab8368f9d8126387d9173e3f12d10175575fe41a7a735db9895004 2026 freetype_2.4.9-1.dsc
 add4dc9058bfd0d52e8b90280de9dddf79e3d8029fd4da0bd4fa94cbe9c3e7c4 1774386 freetype_2.4.9.orig.tar.gz
 321684ec1c3405fb982f09680b650df750c698c601b40a406bf039123faef031 37568 freetype_2.4.9-1.diff.gz
 7fd92018ff6d9172d6a08079e049b2f68ebd7abe208331d7c14e8406395c8fff 449878 libfreetype6_2.4.9-1_amd64.deb
 35c963d6d15477e33a73bcfde7ab1d79185e7468125fe7a2ee0cf787396a4bd9 802742 libfreetype6-dev_2.4.9-1_amd64.deb
 ee4b79c1d52fa61b0830806de6701d112ae76e99edd906c4d29f3dcfc44bf44f 218696 freetype2-demos_2.4.9-1_amd64.deb
 b84f3ff38fbb3f1b18ae38310a6a3713df322b9fd6d58459d9c35023eeb47f01 323546 libfreetype6-udeb_2.4.9-1_amd64.udeb
Files: 
 62c2b3a1f11cd58bfcf6ea2d6602930c 2026 libs optional freetype_2.4.9-1.dsc
 d59215a7c9616c752ec3a4c859af240b 1774386 libs optional freetype_2.4.9.orig.tar.gz
 cdc6e34be2dbd10cc63e75e696b70773 37568 libs optional freetype_2.4.9-1.diff.gz
 fd9bd2e9c2c5d671d2c625e101f938ce 449878 libs optional libfreetype6_2.4.9-1_amd64.deb
 75846a249b9af478bf94ed35bca29fb4 802742 libdevel optional libfreetype6-dev_2.4.9-1_amd64.deb
 b7ccdf1118f73f15f104ba0cec710187 218696 utils optional freetype2-demos_2.4.9-1_amd64.deb
 6780dda2a14a8b1ac82e33493cca8a8a 323546 debian-installer extra libfreetype6-udeb_2.4.9-1_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIVAwUBT25avVaNMPMhshM9AQhybxAAxU5WDbQsRiom9Col0hxABvOPACQ1OzwP
S8p8ahWOtdZiBHRBiyFT73WGgJHFjVqawcHDuhirhNvSZkWjkG2NZVYNF8+TRurc
JngoWYh/RWQzU56p8DOxSGkJD/1CeBjSq25UVCS1E/zYcjqO6I6oV48s2bgpqyZN
EUKzIIVLCurLN6kI+XlagzoHYtTCPNI3SMDNzqw6r2093UDtZemivkMQkCbs2Khh
AwJQKydhmdHDZJdUMrVkmVSnmwiMOolCyuhQpQ4SkmhoJUntXP1743KZppnmooIU
kCiMwKco0y1KO3G/XZFpC54qTYF4BqfwqvDOk6ltoQcbO6+G/wPWEoFnnFiofSm9
GjoXUgtCwLcjq6VNe7cm+PgG47Tv3G/NLhlYWCQ7KJhxjoyQOhXYBKTASxPytAQI
l5akZqe5anYoY2nwTVXbPGiaKWrI3m7E1mY6B3NvhdHfmITAlXRANVw+mWNGVmA1
ZN7cMXBz3ttAQzM1HJxrIczr8CnM/IT2IZPZuRFw3Q+9e6W7L67k9JgSQNNRiy6P
Dlnq7n88Nb8OWYdR4BiWH06t9Pa1LxmKfH74AnJbPOx/Q6Qcz1fMBvuqFUxpxu5V
/zwu/TkV1mnDZjALcTdBj1k/DH7VspggebU1UPVh/+eNEOvfKTjguW3bi5K63io+
OkH0pNPnodQ=
=EqV9
-----END PGP SIGNATURE-----



--- End Message ---
