Your message dated Fri, 14 Sep 2012 21:17:37 +0000
with message-id <[email protected]>
and subject line Bug#687508: fixed in chktex 1.6.6-2
has caused the Debian Bug report #687508,
regarding chktex: CFLAGS hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
687508: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687508
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: chktex
Version: 1.6.6-1
Severity: normal
Tags: patch

Dear Maintainer,

The CFLAGS (hardening) flags (which include -g) are missing
because they are overwritten in debian/rules. For more hardening
information please have a look at [1], [2] and [3].

The following patch fixes the issue.

diff -Nru chktex-1.6.6/debian/rules chktex-1.6.6/debian/rules
--- chktex-1.6.6/debian/rules   2012-09-10 15:44:04.000000000 +0200
+++ chktex-1.6.6/debian/rules   2012-09-13 12:58:02.000000000 +0200
@@ -14,10 +14,9 @@
 
 CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
 TMPCFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
-CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS)
 LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
 
-CFLAGS = -Wall -fstack-protector --param=ssp-buffer-size=4 -Wformat $(CPPFLAGS)
+CFLAGS = $(CPPFLAGS) $(TMPCFLAGS) -Wall
 INSTALL = install
 INSTALL_FILE    = $(INSTALL) -p    -o root -g root  -m  644
 INSTALL_PROGRAM = $(INSTALL) -p    -o root -g root  -m  755
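Review bot: the context shows `TMPCFLAGS` being fetched from dpkg-buildflags but never referenced by the old `CFLAGS =` line, which is exactly why the hardening flags were lost; the new `CFLAGS = $(CPPFLAGS) $(TMPCFLAGS) -Wall` fixes that, but it also folds CPPFLAGS into CFLAGS, which is only correct if upstream's Makefile does not pass `$(CPPFLAGS)` on its own. Please confirm with `blhc` on the build log that each compile line carries the preprocessor flags once and that `-fstack-protector` and `-Wformat -Werror=format-security` from `$(TMPCFLAGS)` actually reach gcc. Dropping the hand-written `-fstack-protector --param=ssp-buffer-size=4 -Wformat` and the unused `CXXFLAGS` assignment is harmless.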

The patch also removes CXXFLAGS because they are not used in
debian/rules.

When compiling with all flags some -Werror=format-security errors
occurred; the attached patch fixes them. If possible it should be
forwarded to upstream (they are not dangerous though).

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):

    $ hardening-check /usr/bin/chktex
    /usr/bin/chktex:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Fix compiling with -Werror=format-security.
 Prevents format string attacks.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-09-13

Index: chktex-1.6.6/ChkTeX.c
===================================================================
--- chktex-1.6.6.orig/ChkTeX.c	2010-12-18 22:18:13.000000000 +0100
+++ chktex-1.6.6/ChkTeX.c	2012-09-13 13:01:20.539787455 +0200
@@ -350,7 +350,7 @@
         }
 
         if (!Quiet || LicenseOnly)
-            fprintf(stderr, Banner);
+            fprintf(stderr, "%s", Banner);
 
         if (CurArg == argc)
             UsingStdIn = TRUE;
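Review bot: `fprintf(stderr, "%s", Banner)` is the right shape; `fputs(Banner, stderr)` would be the equivalent with no format parsing at all. Either way, check that Banner contains no literal '%' that the old call was silently consuming as a directive, since the previous code ran the banner text itself through the format parser. The same fix is repeated below for BigBanner, Distrib and the printf in the 'W' case; as the report notes, these are compile-time constants, so the change is about surviving -Werror=format-security rather than closing an exploitable path.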
@@ -368,7 +368,7 @@
 
         if ((UsingStdIn && StdInTTY && !Quiet) || LicenseOnly)
         {
-            fprintf(stderr, BigBanner);
+            fprintf(stderr, "%s", BigBanner);
         }
 
         if (!StdOutTTY && PipeOutputFormat)
@@ -376,7 +376,7 @@
 
         if (LicenseOnly)
         {
-            fprintf(stderr, Distrib);
+            fprintf(stderr, "%s", Distrib);
         }
         else
         {
@@ -953,7 +953,7 @@
                 nextc = ParseBoolArg(&HeadErrOut, &optarg);
                 break;
             case 'W':
-                printf(Banner);
+                printf("%s", Banner);
                 exit(EXIT_SUCCESS);
             case '?':
             default:


--- End Message ---
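The format-string pattern from the attached ChkTeX.c patch, shown as an added example that is not part of the bug report or of ChkTeX: DemoBanner, count_conversions, render_unsafe and render_safe are all constructed here. It contrasts the pre-patch call, which runs the banner text through the format parser, with the "%s" form, and adds a scanner for the conversion specifications -Wformat-security guards against.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for ChkTeX's Banner; the real text is not on this page.
 * It contains "%%", the C escape for a single literal '%'. */
static const char DemoBanner[] = "ChkTeX demo banner, 100%% constant text\n";

/* Count conversion specifications in s. "%%" is a literal percent and is not
 * counted. A string with a non-zero count must never be passed as a format alone. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p, '%')) {
        if (p[1] == '%') { p += 2; continue; }  /* "%%": escaped, skip both chars */
        n++;
        p++;
    }
    return n;
}

/* Pre-patch pattern (fprintf(stderr, Banner)): the message *is* the format
 * string, so every '%' in it is re-interpreted by printf. Kept only to show the
 * behaviour -Werror=format-security rejects; only feed it strings that
 * count_conversions() reports as 0, otherwise missing arguments are read. */
const char *render_unsafe(const char *msg)
{
    static char out[256];
    snprintf(out, sizeof out, msg);   /* format is not a literal: flagged by -Wformat-security */
    return out;
}

/* Post-patch pattern (fprintf(stderr, "%s", Banner)): the format is a constant
 * literal and the message is copied verbatim, '%' signs included. */
const char *render_safe(const char *msg)
{
    static char out[256];
    snprintf(out, sizeof out, "%s", msg);
    return out;
}

int main(void)
{
    printf("conversions in banner: %d\n", count_conversions(DemoBanner));
    printf("unsafe: %s", render_unsafe(DemoBanner));  /* "%%" collapses to "%" */
    printf("safe:   %s", render_safe(DemoBanner));    /* text reproduced exactly */
    return 0;
}
```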
--- Begin Message ---
Source: chktex
Source-Version: 1.6.6-2

We believe that the bug you reported is fixed in the latest version of
chktex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated chktex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 14 Sep 2012 18:00:03 +0200
Source: chktex
Binary: chktex
Architecture: source amd64
Version: 1.6.6-2
Distribution: unstable
Urgency: low
Maintainer: Thorsten Alteholz <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Description: 
 chktex     - Finds typographic errors in LaTeX
Closes: 687508
Changes: 
 chktex (1.6.6-2) unstable; urgency=low
 .
   [ Simon Ruderich ]
   * take care of hardening flags (Closes: #687508)
   * patch to fix -Werror=format-security errors

--- End Message ---