Source: xvidcore Version: 2:1.3.2.-8 Severity: important Tags: patch Dear Maintainer,
The CPPFLAGS hardening flags are missing because the build system ignores them. The following patch fixes the issue by adding them to CFLAGS. For more hardening information please have a look at [1], [2] and [3]. diff -Nru xvidcore-1.3.2/debian/confflags xvidcore-1.3.2/debian/confflags --- xvidcore-1.3.2/debian/confflags 2012-03-17 18:49:16.000000000 +0100 +++ xvidcore-1.3.2/debian/confflags 2012-03-18 14:58:51.000000000 +0100 @@ -8,6 +8,10 @@ HARDENED_CFLAGS = -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security endif +# The build system doesn't use CPPFLAGS, pass them to CFLAGS to enable the +# missing (hardening) flags. +HARDENED_CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS) -g + # Set CFLAGS from DEB_CFLAGS if defined, otherwise let xvidcore's build system # set CFLAGS to use. DEFAULT_CFLAGS = -Wall -O3 -fstrength-reduce -finline-functions -ffast-math \ The attached patch enables verbose builds to make it easy to (automatically) spot missing hardening flags. Please add it too. To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything): $ hardening-check /usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3 /usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! (Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
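Review bot: The added `HARDENED_CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS) -g` re-runs dpkg-buildflags on every expansion of HARDENED_CFLAGS, because the first context line defines the variable with `=` (recursive flavour) and `+=` keeps that flavour; capture the value once with `HARDENED_CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)` and append `$(HARDENED_CPPFLAGS)` instead. The append also sits after the `endif`, so it applies even when the conditional guarding the first HARDENED_CFLAGS assignment is false; if that conditional exists to let hardening be switched off, the new lines belong inside it. The trailing `-g` is not a hardening flag and the new comment does not mention it, so either drop it or extend the comment to say why debug info is forced here. The conditional that the `endif` closes starts outside the hunk.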
Description: Show compiler messages when compiling. Necessary to detect missing (hardening) flags during build. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-03-18 Index: xvidcore-1.3.2/vfw/bin/Makefile =================================================================== --- xvidcore-1.3.2.orig/vfw/bin/Makefile 2012-03-18 14:46:11.048562931 +0100 +++ xvidcore-1.3.2/vfw/bin/Makefile 2012-03-18 14:48:57.420569263 +0100 @@ -60,12 +60,12 @@ $(BUILD_DIR): @echo " D: $(BUILD_DIR)" - @mkdir -p $(BUILD_DIR) + mkdir -p $(BUILD_DIR) .rc.obj: @echo " W: $(@D)/$(<F)" @mkdir -p $(BUILD_DIR)/$(@D) - @$(WINDRES) \ + $(WINDRES) \ --include-dir=$(SRC_DIR) \ --input-format=rc \ --output-format=coff \ @@ -74,12 +74,12 @@ .c.obj: @echo " C: $(@D)/$(<F)" @mkdir -p $(BUILD_DIR)/$(@D) - @$(CC) $(CFLAGS) -c -o $(BUILD_DIR)/$@ $< + $(CC) $(CFLAGS) -c -o $(BUILD_DIR)/$@ $< $(LIBSO): $(BUILD_DIR) $(OBJECTS) @echo " L: $(@F)" @cp $(SRC_DIR)/driverproc.def $(BUILD_DIR)/driverproc.def - @cd $(BUILD_DIR) && \ + cd $(BUILD_DIR) && \ $(CC) $(LDFLAGS) \ -mno-cygwin -shared -Wl,-dll,--out-implib,$@.a,--enable-stdcall-fixup \ -o $@ \ @@ -88,13 +88,13 @@ clean: @echo " Cl: Object files and target lib" - @$(RM) $(BUILD_DIR) + $(RM) $(BUILD_DIR) install: @echo " I: xvid.dll" - @cp $(BUILD_DIR)/$(LIBSO) $(LIBSO) - @rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 ./xvid.inf - @rm $(LIBSO) + cp $(BUILD_DIR)/$(LIBSO) $(LIBSO) + rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 ./xvid.inf + rm $(LIBSO) uninstall: @rundll32.exe setupapi,InstallHinfSection Remove_XviD 132 ./xvid.inf Index: xvidcore-1.3.2/build/generic/Makefile =================================================================== --- xvidcore-1.3.2.orig/build/generic/Makefile 2012-03-18 14:47:22.036565634 +0100 +++ xvidcore-1.3.2/build/generic/Makefile 2012-03-18 14:48:57.420569263 +0100 
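Review bot: Every recipe in these three hunks keeps its `@echo " C: …"`-style progress line while the command after it is no longer silenced, so each step is now printed twice, once abbreviated and once in full; the same applies to all build/generic and dshow hunks below. A single switch gives the verbose log the description asks for without that duplication: `Q := $(if $(V),,@)` near the top of each Makefile and `$(Q)$(CC) $(CFLAGS) -c -o $(BUILD_DIR)/$@ $<` in the rules, so `make V=1` shows the full command lines and the default output stays as before. If the unconditional form is kept, the now-redundant `@echo` lines should go in the same change. The `.rc.obj` recipe in the first hunk continues past the hunk's last line.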
@@ -85,7 +85,7 @@ $(BUILD_DIR): @echo " D: $(BUILD_DIR)" - @$(INSTALL) -d $(BUILD_DIR) + $(INSTALL) -d $(BUILD_DIR) #----------------------------------------------------------------------------- # Generic assembly rule @@ -94,7 +94,7 @@ .$(ASSEMBLY_EXTENSION).$(OBJECT_EXTENSION): @echo " A: $(@D)/$(<F)" @$(INSTALL) -d $(BUILD_DIR)/$(@D) - @$(AS) $(AFLAGS) $< -o $(BUILD_DIR)/$@ + $(AS) $(AFLAGS) $< -o $(BUILD_DIR)/$@ #----------------------------------------------------------------------------- # Generic C rule @@ -105,7 +105,7 @@ .c.$(OBJECT_EXTENSION): @echo " C: $(@D)/$(<F)" @$(INSTALL) -d $(BUILD_DIR)/$(@D) - @$(CC) -c $(ARCHITECTURE) $(BUS) $(ENDIANNESS) $(FEATURES) $(SPECIFIC_CFLAGS) $(CFLAGS) $< -o $(BUILD_DIR)/$@ + $(CC) -c $(ARCHITECTURE) $(BUS) $(ENDIANNESS) $(FEATURES) $(SPECIFIC_CFLAGS) $(CFLAGS) $< -o $(BUILD_DIR)/$@ #----------------------------------------------------------------------------- # Static Library @@ -113,7 +113,7 @@ $(STATIC_LIB): $(BUILD_DIR) $(OBJECTS) @echo " L: $(@F)" - @cd $(BUILD_DIR) && $(AR) rc $(@F) $(OBJECTS) && $(RANLIB) $(@F) + cd $(BUILD_DIR) && $(AR) rc $(@F) $(OBJECTS) && $(RANLIB) $(@F) #----------------------------------------------------------------------------- # Shared Library @@ -132,9 +132,9 @@ $(SHARED_LIB): $(BUILD_DIR) $(OBJECTS) @echo " L: $(@F)" - @$(INSTALL) -m 644 libxvidcore.def $(BUILD_DIR)/libxvidcore.def - @$(INSTALL) -m 644 libxvidcore.ld $(BUILD_DIR)/libxvidcore.ld - @cd $(BUILD_DIR) && $(CC) $(LDFLAGS) $(OBJECTS) -o $(PRE_SHARED_LIB) $(SPECIFIC_LDFLAGS) + $(INSTALL) -m 644 libxvidcore.def $(BUILD_DIR)/libxvidcore.def + $(INSTALL) -m 644 libxvidcore.ld $(BUILD_DIR)/libxvidcore.ld + cd $(BUILD_DIR) && $(CC) $(LDFLAGS) $(OBJECTS) -o $(PRE_SHARED_LIB) $(SPECIFIC_LDFLAGS) #----------------------------------------------------------------------------- # Installation 
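Review bot: The objects produced by the `$(AS) $(AFLAGS) $< -o $(BUILD_DIR)/$@` rule in the second hunk receive none of the compiler hardening flags this report is about, so a clean hardening-check result on the finished library says nothing about them; `-fstack-protector` and `_FORTIFY_SOURCE` only instrument the C objects. The property that does depend on the assembler output is the stack flag: on x86 GNU ld marks the whole shared library's stack executable if any input object lacks a `.note.GNU-stack` section, and hardening-check does not report that. With the assembler command line now visible in the log, confirm that `$(AFLAGS)` (defined outside the hunk) makes the assembler emit the note, and verify the link result with `readelf -lW $(BUILD_DIR)/$(SHARED_LIB) | grep GNU_STACK`.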
@@ -142,19 +142,19 @@ install: $(BUILD_DIR)/$(STATIC_LIB) $(BUILD_DIR)/$(SHARED_LIB) @echo " D: $(libdir)" - @$(INSTALL) -d $(DESTDIR)$(libdir) + $(INSTALL) -d $(DESTDIR)$(libdir) @echo " I: $(libdir)/$(SHARED_LIB)" - @$(INSTALL) -m 644 $(BUILD_DIR)/$(SHARED_LIB) $(DESTDIR)$(libdir)/$(SHARED_LIB) - @test -z "$(SO_API_MAJOR_LINK)" || \ + $(INSTALL) -m 644 $(BUILD_DIR)/$(SHARED_LIB) $(DESTDIR)$(libdir)/$(SHARED_LIB) + test -z "$(SO_API_MAJOR_LINK)" || \ $(LN_S) $(SHARED_LIB) $(DESTDIR)$(libdir)/$(SO_API_MAJOR_LINK) - @test -z "$(SO_LINK)" || \ + test -z "$(SO_LINK)" || \ $(LN_S) $(SHARED_LIB) $(DESTDIR)$(libdir)/$(SO_LINK) @echo " I: $(libdir)/$(STATIC_LIB)" - @$(INSTALL) -m 644 $(BUILD_DIR)/$(STATIC_LIB) $(DESTDIR)$(libdir)/$(STATIC_LIB) + $(INSTALL) -m 644 $(BUILD_DIR)/$(STATIC_LIB) $(DESTDIR)$(libdir)/$(STATIC_LIB) @echo " D: $(includedir)" - @$(INSTALL) -d $(DESTDIR)$(includedir) + $(INSTALL) -d $(DESTDIR)$(includedir) @echo " I: $(includedir)/xvid.h" - @$(INSTALL) -m 644 $(SRC_DIR)/xvid.h $(DESTDIR)$(includedir)/xvid.h + $(INSTALL) -m 644 $(SRC_DIR)/xvid.h $(DESTDIR)$(includedir)/xvid.h #----------------------------------------------------------------------------- # Platorm specific file -- dumb rules for people executing make before 
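Review bot: The two `test -z "…" || $(LN_S) $(SHARED_LIB) $(DESTDIR)$(libdir)/…` lines in this hunk fail on a second `make install` if `$(LN_S)`, set outside the hunk, expands to plain `ln -s`, because the link from the first run already exists; `$(LN_S) -f $(SHARED_LIB) $(DESTDIR)$(libdir)/$(SO_API_MAJOR_LINK)` (and likewise for `$(SO_LINK)`) makes the target repeatable. Apart from the dropped `@` prefixes nothing else changes here, so the duplicate-output remark on the earlier hunks applies to this one too.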
@@ -176,23 +176,23 @@ clean: @echo " Cl: Build directory" - @$(RM) $(BUILD_DIR) + $(RM) $(BUILD_DIR) distclean: clean @echo " Cl: Generated build files" - @$(RM) platform.inc - @$(RM) config.log - @$(RM) config.status - @$(RM) autom4te.cache + $(RM) platform.inc + $(RM) config.log + $(RM) config.status + $(RM) autom4te.cache mrproper: distclean @echo " Cl: Bootstrapped build files" - @$(RM) configure - @$(RM) install-sh - @$(RM) missing - @$(RM) config.guess - @$(RM) mkinstalldirs - @$(RM) config.sub + $(RM) configure + $(RM) install-sh + $(RM) missing + $(RM) config.guess + $(RM) mkinstalldirs + $(RM) config.sub list-objects: @echo Index: xvidcore-1.3.2/dshow/Makefile =================================================================== --- xvidcore-1.3.2.orig/dshow/Makefile 2012-03-18 14:46:11.048562931 +0100 +++ xvidcore-1.3.2/dshow/Makefile 2012-03-18 14:48:57.420569263 +0100 @@ -81,12 +81,12 @@ $(BUILD_DIR): @echo " D: $(BUILD_DIR)" - @mkdir -p $(BUILD_DIR) + mkdir -p $(BUILD_DIR) .rc.obj: @echo " W: $(@D)/$(<F)" @mkdir -p $(BUILD_DIR)/$(@D) - @$(WINDRES) \ + $(WINDRES) \ --include-dir=$(SRC_DIR) \ --input-format=rc \ --output-format=coff \ @@ -95,17 +95,17 @@ .c.obj: @echo " C: $(@D)/$(<F)" @mkdir -p $(BUILD_DIR)/$(@D) - @$(CC) $(CFLAGS) -c -o $(BUILD_DIR)/$@ $< + $(CC) $(CFLAGS) -c -o $(BUILD_DIR)/$@ $< .cpp.obj: @echo " C: $(@D)/$(<F)" @mkdir -p $(BUILD_DIR)/$(@D) - @$(CXX) $(CXXFLAGS) -c -o $(BUILD_DIR)/$@ $< + $(CXX) $(CXXFLAGS) -c -o $(BUILD_DIR)/$@ $< $(LIBSO): $(BUILD_DIR) $(OBJECTS) @echo " L: $(@F)" @cp $(SRC_DIR)/xvid.ax.def $(BUILD_DIR)/xvid.ax.def - @cd $(BUILD_DIR) && \ + cd $(BUILD_DIR) && \ $(CC) $(LDFLAGS) \ -mno-cygwin -shared -Wl,-dll,--out-implib,$@.a,--enable-stdcall-fixup \ -o $@ \ @@ -116,7 +116,7 @@ clean: @echo " Cl: Object files and target lib" - @$(RM) $(BUILD_DIR) + $(RM) $(BUILD_DIR) install:
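Review bot: `$(RM) $(BUILD_DIR)` in the first hunk (and the same line in the dshow `clean` hunk at the end of this chunk) can only remove a directory if `$(RM)` has been redefined from GNU make's default `rm -f` to something like `rm -rf`, which happens outside these hunks; with that definition an empty BUILD_DIR is a harmless no-op, but since any Make variable can be overridden on the command line, `make clean BUILD_DIR=.` would delete the source tree. Guard the destructive targets with a first recipe line `$(if $(strip $(BUILD_DIR)),,$(error BUILD_DIR is empty))` or, better, an `ifeq` check at the top of the Makefile that also rejects `.` and absolute paths. The distclean and mrproper hunks remove fixed file names and need no such guard. The final dshow `clean` hunk is cut off at the end of this chunk.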