Your message dated Sun, 20 May 2012 21:17:23 +0000
with message-id <[email protected]>
and subject line Bug#662256: fixed in alsa-plugins 1.0.25-2
has caused the Debian Bug report #662256,
regarding alsa-plugins: LDFLAGS hardening flags missing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
662256: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662256
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: alsa-plugins
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
The LDFLAGS hardening flags are missing because they are
overwritten in debian/rules.
DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].
The following patch fixes the issue.
diff -Nru alsa-plugins-1.0.25/debian/rules alsa-plugins-1.0.25/debian/rules
--- alsa-plugins-1.0.25/debian/rules 2012-02-12 00:22:10.000000000
+0100
+++ alsa-plugins-1.0.25/debian/rules 2012-03-05 02:09:58.000000000
+0100
@@ -1,4 +1,7 @@
#!/usr/bin/make -f
+
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs
+
%:
dh $@ --with autoreconf
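Review bot: the added `export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs` line at the top of debian/rules carries no comment explaining the flag. `-z,defs` makes the link fail on unresolved symbols and is a maintainer choice, not one of the default hardening flags, so a one-line comment above the export saying that would keep a later cleanup from dropping it or from reintroducing a plain `LDFLAGS=` override.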
@@ -10,8 +13,7 @@
--with-plugindir=/usr/lib/$(DEB_HOST_MULTIARCH)/alsa-lib \
--with-avcodec-includedir=\$${prefix}/include/libavcodec \
--host=$(DEB_HOST_GNU_TYPE) \
- --build=$(DEB_BUILD_GNU_TYPE) \
- LDFLAGS=-Wl,-z,defs
+ --build=$(DEB_BUILD_GNU_TYPE)
override_dh_auto_install:
dh_auto_install --destdir=debian/tmp
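Review bot: with `LDFLAGS=-Wl,-z,defs` removed from the end of the configure arguments, nothing visible in this hunk hands LDFLAGS to configure any more, so the hardening flags only arrive if the build environment already exports the dpkg-buildflags values. Confirm that in the build log (the link lines should carry both `-Wl,-z,relro` and `-Wl,-z,defs`), and if the environment is not populated at this debhelper compat level, pass `LDFLAGS="$(shell dpkg-buildflags --get LDFLAGS)"` here or let dh_auto_configure drive configure.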
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
    $ hardening-check /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_rate_speexrate.so ...
    /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_rate_speexrate.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_rate_samplerate.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: yes
     Immediate binding: no not found!
    ...
(The stack protected and fortify source warnings are fine in this
case, the flags are correctly applied.)
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
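A way to turn the hardening-check run described in the report into a pass/fail build check, as an added example that is not part of the original message or of the alsa-plugins packaging. The function names and the second sample entry are constructed for illustration; the input layout is assumed to match the output quoted in the report.

```shell
#!/bin/sh
# Gate on the linker-side result of hardening-check (added example).
# Assumes the layout quoted in the report: a "<path>:" header line per file,
# followed by "Check name: result" lines.

# Print "<file>: <result>" for every file whose "Read-only relocations"
# result is not "yes". Stack protector and Fortify lines are not evaluated,
# because the report notes they can legitimately read "no"/"unknown" here.
relro_failures() {
    awk '
        # File header: starts with "/" and ends with ":".
        /^\/.*:$/ { file = substr($0, 1, length($0) - 1); next }
        /^[ \t]*Read-only relocations:/ {
            result = $0
            sub(/^[^:]*:[ \t]*/, "", result)
            if (result !~ /^yes/) print file ": " result
        }
    '
}

# Return 0 when every file has RELRO, 1 otherwise (failures go to stderr).
relro_gate() {
    failures=$(relro_failures)
    [ -z "$failures" ] && return 0
    printf '%s\n' "$failures" >&2
    return 1
}

# Constructed sample: first entry mirrors the report, second is a made-up
# library (hypothetical path) built with LDFLAGS overwritten.
sample_report() {
    cat <<'EOF'
/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_rate_speexrate.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no not found!
/tmp/build/libexample_overwritten_ldflags.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Read-only relocations: no, normal relocations found!
 Immediate binding: no not found!
EOF
}

sample_report | relro_gate || echo "RELRO missing: check for an LDFLAGS override in debian/rules"
```

In a real build the input would come from piping `hardening-check` output for the built plugins into `relro_gate`.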
--- Begin Message ---
Source: alsa-plugins
Source-Version: 1.0.25-2
We believe that the bug you reported is fixed in the latest version of
alsa-plugins, which is due to be installed in the Debian FTP archive:
alsa-plugins_1.0.25-2.debian.tar.gz
to main/a/alsa-plugins/alsa-plugins_1.0.25-2.debian.tar.gz
alsa-plugins_1.0.25-2.dsc
to main/a/alsa-plugins/alsa-plugins_1.0.25-2.dsc
libasound2-plugins_1.0.25-2_amd64.deb
to main/a/alsa-plugins/libasound2-plugins_1.0.25-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jordi Mallach <[email protected]> (supplier of updated alsa-plugins package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 20 May 2012 21:44:23 +0200
Source: alsa-plugins
Binary: libasound2-plugins
Architecture: source amd64
Version: 1.0.25-2
Distribution: unstable
Urgency: low
Maintainer: Debian ALSA Maintainers <[email protected]>
Changed-By: Jordi Mallach <[email protected]>
Description:
libasound2-plugins - ALSA library additional plugins
Closes: 659665 662256 667473
Changes:
alsa-plugins (1.0.25-2) unstable; urgency=low
.
* Do not overwrite LDFLAGS, use DEB_LDFLAGS_MAINT_APPEND instead.
Thanks to Simon Ruderich for the report and fix (closes: #662256).
* Replace hardcoded configure call with dh_auto_configure, and remove
default flags handled by debhelper.
* Add missing ${misc:Pre-Depends} for multiarch-support (closes: #667473).
* Bump Standards-Version to 3.9.3, with no changes needed.
* This rebuild should fix M-A installability problems caused by a
single-arch binnmu (closes: #659665).
* Drop d/source/options, use the standard compression.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAk+5S/kACgkQJYSUupF6Il6DDgCbBizVpTBoBQWRYHiSsuapf+z1
TQQAnRMD1cNHjkH0nuMhnVoVdcGJqJSV
=GrHG
-----END PGP SIGNATURE-----
--- End Message ---