Your message dated Tue, 04 Sep 2012 09:47:39 +0000 with message-id <[email protected]> and subject line Bug#663625: fixed in zgv 5.9-5 has caused the Debian Bug report #663625, regarding zgv: Hardening flags missing to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
663625: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663625
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: zgv
Version: 5.9-4
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing because the build system ignores them.

For more hardening information please have a look at [1], [2] and [3].

The attached patch fixes the issue. If possible it should be sent upstream.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/zgv
    /usr/bin/zgv:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -u zgv-5.9/config.mk zgv-5.9/config.mk --- zgv-5.9/config.mk +++ zgv-5.9/config.mk @@ -8,7 +8,7 @@ # This is likely to be what you'll want for most systems: # CC=gcc -CFLAGS=$(shell dpkg-buildflags --get CFLAGS) -O2 -Wall -fomit-frame-pointer -finline-functions +CFLAGS+=-O2 -Wall -fomit-frame-pointer -finline-functions # # If you're brave enough to try compiling zgv on a non-x86 system :-), # this might be a better bet: diff -u zgv-5.9/src/Makefile zgv-5.9/src/Makefile --- zgv-5.9/src/Makefile +++ zgv-5.9/src/Makefile @@ -47,13 +47,13 @@ modesel.o readpcd.o readtiff.o readprf.o zgv_io.o zgv: $(ZGV_OBJS) - $(CC) $(CFLAGS) -o zgv $(ZGV_OBJS) $(ZGV_LIBS) + $(CC) $(LDFLAGS) -o zgv $(ZGV_OBJS) $(ZGV_LIBS) bdf2h: bdf2h.o - $(CC) $(CFLAGS) -o bdf2h bdf2h.o + $(CC) $(LDFLAGS) -o bdf2h bdf2h.o install-info: install-info.c - $(CC) $(INFODIRDEF) -o install-info install-info.c + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(INFODIRDEF) -o install-info install-info.c # explicitly removes /usr/bin/{zgv,zgv-sdl} in case of old # installation. Not nice to put this in the install target, diff -u zgv-5.9/debian/rules zgv-5.9/debian/rules --- zgv-5.9/debian/rules +++ zgv-5.9/debian/rules @@ -7,7 +7,10 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 +CFLAGS := $(shell dpkg-buildflags --get CFLAGS) +CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS) LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS) +export CFLAGS CPPFLAGS LDFLAGS build: build-stamp build-stamp:
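Review bot: In config.mk the new `CFLAGS+=-O2 -Wall -fomit-frame-pointer -finline-functions` line appends the hard-coded -O2 after whatever CFLAGS arrives from the environment, so the last optimisation flag on the compiler command line is always -O2 and an inherited level such as -O0 is overridden. Suggest making the optimisation level a default only, for example `CFLAGS ?= -O2`, and appending just the warning and tuning flags with `+=`.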
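Review bot: In src/Makefile the zgv and bdf2h link rules replace $(CFLAGS) with $(LDFLAGS) rather than adding to it, while the install-info rule in the same hunk passes both, so the three rules are now inconsistent and any code-generation option that has to be present at both compile and link time no longer reaches the zgv and bdf2h link steps. Suggest `$(CC) $(CFLAGS) $(LDFLAGS) -o zgv $(ZGV_OBJS) $(ZGV_LIBS)` and the same form for bdf2h.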
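Review bot: In debian/rules the flags are fetched with one `$(shell dpkg-buildflags --get ...)` call per variable and exported by hand, with no comment explaining that the upstream makefiles are expected to pick them up from the environment. Suggest adding that comment, and consider setting `DPKG_EXPORT_BUILDFLAGS = 1` and including /usr/share/dpkg/buildflags.mk so the whole set is defined and exported in one place.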
--- End Message ---
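
The build-log check that the report recommends alongside hardening-check can be scripted. The following is an added example, not part of the bug report or of the zgv package: it scans compiler command lines for the hardening flags and reports what each one lacks. The flag set it looks for is an assumption based on Debian's default dpkg-buildflags output, and the sample log is constructed.

```python
import shlex

# Assumed flag set: Debian's default dpkg-buildflags hardening options
# (stack protector, format-security, _FORTIFY_SOURCE, relro).
COMPILERS = {"cc", "gcc", "g++", "c++"}
SOURCES = (".c", ".cc", ".cpp", ".cxx")
# Constructed sample log, modelled on the rule names in zgv's src/Makefile.
SAMPLE_LOG = """\
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c -o zgv.o zgv.c
gcc -O2 -Wall -fomit-frame-pointer -o zgv zgv.o readpcd.o -lvga
gcc -o install-info install-info.c
gcc -Wl,-z,relro -Wl,--as-needed -o bdf2h bdf2h.o
"""

def has_relro(argv):
    """True if the -Wl,... arguments pass '-z relro' to the linker."""
    opts = [o for a in argv if a.startswith("-Wl,") for o in a[4:].split(",")]
    return ("-z", "relro") in zip(opts, opts[1:])

def missing_hardening(command):
    """Return names of hardening features absent from one compiler command."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: not a command we can judge
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] not in COMPILERS:
        return []  # not a compiler invocation
    compiles = any(a.endswith(SOURCES) for a in argv[1:])
    links = not {"-c", "-S", "-E"} & set(argv)
    missing = []
    if compiles:
        if not any(a.startswith("-fstack-protector") for a in argv):
            missing.append("stack-protector")
        if "-Werror=format-security" not in argv:
            missing.append("format-security")
        if not any(a.startswith("-D_FORTIFY_SOURCE=") and a[-1] != "0" for a in argv):
            missing.append("fortify")
    if links and not has_relro(argv):
        missing.append("relro")
    return missing

def audit_log(text):
    """Return (line number, missing features) for each under-hardened command."""
    checked = ((n, missing_hardening(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, m) for n, m in checked if m]

if __name__ == "__main__":
    for number, missing in audit_log(SAMPLE_LOG):
        print(f"line {number}: missing {', '.join(missing)}")
```

A command that compiles and links in one step, like the install-info rule, is checked for both the compile-time and the link-time flags.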
--- Begin Message ---
Source: zgv
Source-Version: 5.9-5

We believe that the bug you reported is fixed in the latest version of zgv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Boris Pek <[email protected]> (supplier of updated zgv package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sat, 30 Jun 2012 04:09:42 +0300
Source: zgv
Binary: zgv
Architecture: source i386
Version: 5.9-5
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <[email protected]>
Changed-By: Boris Pek <[email protected]>
Description:
 zgv - SVGAlib graphics viewer
Closes: 379319 438363 662575 663625
Changes:
 zgv (5.9-5) unstable; urgency=low
 .
   * QA upload.
   * Updated debian/watch: changed regexp.
   * Bumped Standards-Version to 3.9.3 (was 3.9.2).
   * Added debhelper version (9 is used); updated debian/compat.
     Fixed lintian note package-lacks-versioned-build-depends-on-debhelper.
   * Added file debian/source/format: format 1.0 is still used in this package.
   * Patched files config.mk and src/Makefile to respect build with hardening
     flags. [Thanks to Mario 'BitKoenig' Holbe] (Closes: #663625)
   * Patched Makefile: cut permanent launching strip command.
     Fixed not handling nostrip build option [policy 10.1]. (Closes: #438363)
   * Patched file debian/zgv.mime. [Thanks to Mario 'BitKoenig' Holbe]
     Fixed problem that mailcap entries did not work on plain consoles.
     (Closes: #379319)
   * Rewritten debian/rules:
     - now dh is used instead of direct dh_* commands
     - added --as-needed option to LDFLAGS
     - added section get-orig-source (uscan is used)
     - fixed lintian warnings:
       + hardening-no-relro
       + hardening-no-fortify-functions
       + dh-clean-k-is-deprecated
       + debian-rules-ignores-make-clean-error
       + debian-rules-missing-recommended-target build-arch
       + debian-rules-missing-recommended-target build-indep
   * Updated debian/control:
     - added Homepage field
     - added ${misc:Depends} to package zgv
     - changed build dependency from libpng12-dev to libpng-dev
       (Closes: #662575)
   * Updated debian/menu: fixed lintian warnings:
     - unquoted-string-in-menu-item
     - menu-item-uses-apps-section
   * Updated doc/zgv.1: fixed lintian notes hyphen-used-as-minus-sign.
   * Deleted file debian/postinst: generated automatically.
--- End Message ---

