Your message dated Fri, 09 Aug 2013 15:21:06 +0000
with message-id <[email protected]>
and subject line Bug#688697: fixed in texmaker 4.0.3-1
has caused the Debian Bug report #688697,
regarding texmaker: CPPFLAGS hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
688697: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688697
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: texmaker
Version: 3.4-1
Severity: normal
Tags: patch

Dear Maintainer,

The following CPPFLAGS hardening flags are missing because they
are not correctly set in debian/rules:

    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -w -D_REENTRANT -DQT_WEBKIT -DTEXMAKERVERSION=\"3.4\" -DHAVE_SPLASH -DPREFIX=\"/usr\" -DDEBIAN_SPELLDIR -DQT_NO_DEBUG -DQT_WEBKIT_LIB -DQT_XML_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtXml -I/usr/include/qt4/QtWebKit -I/usr/include/qt4 -I/usr/include/poppler/qt4 -I.moc -I.ui -o .obj/main.o main.cpp
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -w -D_REENTRANT -DQT_WEBKIT -DTEXMAKERVERSION=\"3.4\" -DHAVE_SPLASH -DPREFIX=\"/usr\" -DDEBIAN_SPELLDIR -DQT_NO_DEBUG -DQT_WEBKIT_LIB -DQT_XML_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtXml -I/usr/include/qt4/QtWebKit -I/usr/include/qt4 -I/usr/include/poppler/qt4 -I.moc -I.ui -o .obj/texmakerapp.o texmakerapp.cpp
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -w -D_REENTRANT -DQT_WEBKIT -DTEXMAKERVERSION=\"3.4\" -DHAVE_SPLASH -DPREFIX=\"/usr\" -DDEBIAN_SPELLDIR -DQT_NO_DEBUG -DQT_WEBKIT_LIB -DQT_XML_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtXml -I/usr/include/qt4/QtWebKit -I/usr/include/qt4 -I/usr/include/poppler/qt4 -I.moc -I.ui -o .obj/texmaker.o texmaker.cpp
    [...]

For more hardening information please have a look at [1], [2] and
[3].

The problem is that Qt doesn't respect CPPFLAGS by default.
However dh_auto_build automatically handles that for you. I
haven't tested the resulting binary, but it should work fine.

The following patch fixes the issue by using the default
dh_auto_build. If that doesn't work, you have to pass the flags
manually (the best way is to look at what dh_auto_build uses by
setting export DH_VERBOSE=1 in the rules file) or call
dh_auto_build with the necessary flags.

diff -Nru texmaker-3.4/debian/rules texmaker-3.4/debian/rules
--- texmaker-3.4/debian/rules   2012-07-19 12:13:26.000000000 +0200
+++ texmaker-3.4/debian/rules   2012-09-24 23:05:44.000000000 +0200
@@ -11,9 +11,6 @@
        $(RM) .obj/* .moc/* .ui/* 
        dh_auto_clean
 
-override_dh_auto_build:
-       qmake-qt4 -unix PREFIX=/usr QMAKE_CFLAGS="$(CPPFLAGS)" 
QMAKE_CXXFLAGS="$(CXXFLAGS)" QMAKE_LFLAGS="$(LDFLAGS)" texmaker.pro
-
 override_dh_auto_test:
        # do not try testing
 
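Review bot: deleting the whole override_dh_auto_build target also drops the explicit PREFIX=/usr argument from the removed qmake-qt4 line, and nothing left in this hunk passes it. The build log quoted above compiles in -DPREFIX=\"/usr\", so please confirm with DH_VERBOSE=1 that the default dh_auto_build run still ends up with that prefix, or pass it after `--` on the relevant dh_auto_* call. It would also help to say in the changelog why the flags went missing: the removed line put $(CPPFLAGS) into QMAKE_CFLAGS and only $(CXXFLAGS) into QMAKE_CXXFLAGS, so the g++ compile steps never received -D_FORTIFY_SOURCE=2.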

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):

    $ hardening-check --verbose /usr/bin/texmaker
    /usr/bin/texmaker:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
            unprotected: strncpy
            unprotected: memset
            unprotected: strcat
            unprotected: fgets
            unprotected: memmove
            unprotected: strcpy
            unprotected: memcpy
            unprotected: fprintf
            unprotected: fread
            protected: strncpy
            protected: vfprintf
            protected: stpcpy
            protected: strcpy
            protected: memcpy
            protected: printf
            protected: sprintf
            protected: fprintf
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9



--- End Message ---
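
Added example (not part of the bug report, and not blhc itself): a small shell check in the spirit of the build-log review described in the message above. It reads a build log and reports compile steps that lack -D_FORTIFY_SOURCE=2 or that set it without optimisation; the function names and the sample log lines, including util.c, are constructed for illustration.

```sh
#!/bin/sh
# Added example; not from the bug report and not blhc itself.

# Read a build log on stdin and print one finding per compile step
# (compiler invoked with -c) that will not get fortified libc wrappers.
missing_fortify() {
    awk '
    {
        cc = $1; sub(/.*\//, "", cc)                 # drop directory prefix
        # plain, versioned or cross-prefixed gcc/g++/cc/c++
        if (cc !~ /^([A-Za-z0-9_]+-)*(gcc|g[+][+]|cc|c[+][+])(-[0-9.]+)?$/) next
        compile = 0; fortify = 0; opt = 0; src = "?"
        for (i = 2; i <= NF; i++) {
            if ($i == "-c") compile = 1
            else if ($i == "-D_FORTIFY_SOURCE=2") fortify = 1
            else if ($i ~ /^-[DU]_FORTIFY_SOURCE/) fortify = 0   # later override wins
            else if ($i ~ /^-O/) opt = ($i != "-O0")             # last -O flag wins
            else if ($i !~ /^-/ && $i ~ /\.(c|cc|cpp|cxx|C)$/) src = $i
        }
        if (!compile) next                           # link steps carry no CPPFLAGS
        if (!fortify) print src ": missing -D_FORTIFY_SOURCE=2"
        else if (!opt) print src ": -D_FORTIFY_SOURCE=2 needs -O1 or higher"
    }'
}

# Constructed sample log (shortened; util.c is a made-up file name).
sample_log() {
    cat <<'EOF'
g++ -c -g -O2 -fstack-protector -Wformat -Werror=format-security -DQT_NO_DEBUG -I. -o .obj/main.o main.cpp
g++ -c -g -O2 -fstack-protector -D_FORTIFY_SOURCE=2 -DQT_NO_DEBUG -I. -o .obj/texmaker.o texmaker.cpp
gcc -c -g -O0 -D_FORTIFY_SOURCE=2 -o .obj/util.o util.c
g++ -Wl,-z,relro -o texmaker .obj/main.o .obj/texmaker.o
dh_auto_build
EOF
}

sample_log | missing_fortify
```

On a real build, feed the build log to missing_fortify on stdin; an empty result means every compile step carried the flag together with optimisation.
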
--- Begin Message ---
Source: texmaker
Source-Version: 4.0.3-1

We believe that the bug you reported is fixed in the latest version of
texmaker, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julián Moreno Patiño <[email protected]> (supplier of updated texmaker package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 09 Aug 2013 08:05:11 -0500
Source: texmaker
Binary: texmaker texmaker-data
Architecture: source amd64 all
Version: 4.0.3-1
Distribution: unstable
Urgency: low
Maintainer: Debian Science Maintainers <[email protected]>
Changed-By: Julián Moreno Patiño <[email protected]>
Description: 
 texmaker   - cross-platform LaTeX editor
 texmaker-data - Texmaker LaTeX editor -- arch-independent files
Closes: 688697 701366
Changes: 
 texmaker (4.0.3-1) unstable; urgency=low
 .
   * Team upload.
   * New upstream release. (Closes: #701366)
   * Rename d/texmaker.links to d/texmaker-data.links
     to avoid broken symlinks.
   * d/control:
     + Bump Standards-Version to 3.9.4 (no changes).
     + Remove DM-Upload-Allowed.
     + Use canonical URIs for Vcs-* fields.
   * d/rules: Remove override_dh_auto_build to get
     hardening flags. Thanks to Simon Ruderich. (Closes: #688697)
   * Add 20-add-keywords-desktop-file.patch patch to add
     missing keywords entry to the desktop file.
   * Update 10_spelling_dict.patch patch.
   * Update d/copyright.
     + Add missing copyright holders.
   * Update d/menu to use absolute icon path.

--- End Message ---
