Your message dated Sat, 25 May 2013 03:22:24 +0000 with message-id <[email protected]> and subject line Bug#681490: fixed in nasm 2.10.07-1 has caused the Debian Bug report #681490, regarding nasm: CPPFLAGS hardening flags missing to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
681490: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681490
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nasm
Version: 2.10.01-1
Severity: normal
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because they are ignored by the build system. For more hardening information please have a look at [1], [2] and [3].

The following patch fixes the issue. dpkg-buildflags (used by buildflags.mk) automatically takes care of debug in DEB_BUILD_OPTIONS and passes -O2 by default. Therefore I removed it in the patch.

diff -Nru nasm-2.10.01/debian/rules nasm-2.10.01/debian/rules --- nasm-2.10.01/debian/rules 2012-06-14 03:11:20.000000000 +0200 +++ nasm-2.10.01/debian/rules 2012-07-13 17:22:10.000000000 +0200 
@@ -4,10 +4,8 @@ DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk -CFLAGS += -O2 -ifneq ($(findstring debug,$(DEB_BUILD_OPTIONS)),) -CFLAGS += -g -endif +# The build system ignores CPPFLAGS, pass them through CFLAGS instead. +CFLAGS += $(CPPFLAGS) clean: dh_testdir

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log with `blhc` (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/rdf2bin /usr/bin/rdflib /usr/bin/rdx /usr/bin/ldrdf
    ...
    /usr/bin/rdf2bin:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/rdflib:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/rdx:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/ldrdf:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
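Review bot: In the `-4,10 +4,8` hunk of debian/rules, the new `CFLAGS += $(CPPFLAGS)` line relies on debian/rules handing CFLAGS to every upstream compile step, and nothing in the visible lines shows how CFLAGS reaches configure or make. Please confirm with blhc on a full build log that the CPPFLAGS options appear on each compile command, not only in the binaries that hardening-check reports on. The added comment would also be worth extending to say that the line should be dropped once upstream honours CPPFLAGS, since the flags would then be passed twice. Removing `CFLAGS += -O2` and the debug conditional leaves the optimisation level entirely to buildflags.mk; that matches the stated intent, but a one-line comment saying so would help the next reader of debian/rules.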
signature.asc
Description: Digital signature
--- End Message ---
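As an added example (not part of the bug report, and not blhc's own code), here is a minimal build-log check in the spirit of what the report recommends: it flags compile lines that lack the CPPFLAGS hardening option, which is the symptom this bug describes. The required flag sets are assumed dpkg-buildflags defaults, and the log lines are constructed for illustration.

```python
import shlex

# Assumed dpkg-buildflags defaults of that era; compare with
# `dpkg-buildflags --dump` on the build host before relying on them.
REQUIRED_CPPFLAGS = {"-D_FORTIFY_SOURCE=2"}
REQUIRED_CFLAGS = {"-fstack-protector", "-Wformat", "-Werror=format-security"}
REQUIRED_LDFLAGS = {"-Wl,-z,relro"}
COMPILERS = {"gcc", "cc", "g++", "c++"}

# Constructed build-log lines, not taken from a real nasm build.
SAMPLE_LOG = """\
gcc -c -g -O2 -fstack-protector -Wformat -Werror=format-security -I. -o nasm.o nasm.c
gcc -c -g -O2 -fstack-protector -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o nasmlib.o nasmlib.c
gcc -c -g -O0 -fstack-protector -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o float.o float.c
gcc -Wl,-z,relro -o nasm nasm.o nasmlib.o float.o
ar cq libnasm.a nasmlib.o
"""

def check_line(line):
    """Return the hardening problems found in one build-log line."""
    try:
        args = shlex.split(line)
    except ValueError:  # unbalanced quotes: not a command we can judge
        return []
    if not args or args[0].rsplit("/", 1)[-1] not in COMPILERS:
        return []  # ar, make chatter, and so on
    flags = set(args[1:])
    compiles = "-c" in flags or any(a.endswith((".c", ".cc", ".cpp")) for a in flags)
    links = not flags & {"-c", "-E", "-S"}
    problems = []
    if compiles:
        problems += [f"missing CPPFLAGS {f}" for f in sorted(REQUIRED_CPPFLAGS - flags)]
        problems += [f"missing CFLAGS {f}" for f in sorted(REQUIRED_CFLAGS - flags)]
        # _FORTIFY_SOURCE needs optimisation; the last -O option wins.
        opt = [a for a in args if a.startswith("-O")]
        if not opt or opt[-1] == "-O0":
            problems.append("no optimisation, _FORTIFY_SOURCE has no effect")
    if links:
        problems += [f"missing LDFLAGS {f}" for f in sorted(REQUIRED_LDFLAGS - flags)]
    return problems

def check_log(text):
    """Map 1-based line number to problems, for lines that have any."""
    found = ((n, check_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return {n: problems for n, problems in found if problems}

if __name__ == "__main__":
    for number, problems in check_log(SAMPLE_LOG).items():
        print(f"line {number}: " + "; ".join(problems))
```

Unlike a check of the finished binaries, this looks at every compile command, so a single object built without the CPPFLAGS option is reported even when the linked binary still contains some fortified functions.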
--- Begin Message ---
Source: nasm
Source-Version: 2.10.07-1

We believe that the bug you reported is fixed in the latest version of nasm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <[email protected]> (supplier of updated nasm package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sat, 25 May 2013 12:37:46 +1000
Source: nasm
Binary: nasm
Architecture: source amd64
Version: 2.10.07-1
Distribution: unstable
Urgency: low
Maintainer: Anibal Monsalve Salazar <[email protected]>
Changed-By: Anibal Monsalve Salazar <[email protected]>
Description:
 nasm - General-purpose x86 assembler
Closes: 681490
Changes:
 nasm (2.10.07-1) unstable; urgency=low
 .
   * New upstream version 2.10.07
   * Debian policy version is 3.9.4
   * debian/rules: pass CPPFLAGS through CFLAGS
     Patch by Simon Ruderich
     Closes: #681490
--- End Message ---

