Package: kwstyle Version: 1.0.0+cvs20120330-1 Severity: important Tags: patch
Dear Maintainer, The CPPFLAGS hardening flags are missing because CMake ignores them by default. The following patch fixes the issue by adding them to CFLAGS/CXXFLAGS. For more hardening information please have a look at [1], [2] and [3]. diff -Nru kwstyle-1.0.0+cvs20120330/debian/rules kwstyle-1.0.0+cvs20120330/debian/rules --- kwstyle-1.0.0+cvs20120330/debian/rules 2012-03-30 15:51:12.000000000 +0200 +++ kwstyle-1.0.0+cvs20120330/debian/rules 2012-03-31 16:09:51.000000000 +0200 @@ -3,6 +3,11 @@ DPKG_EXPORT_BUILDFLAGS = 1 -include /usr/share/dpkg/buildflags.mk +# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the +# missing (hardening) flags. +CFLAGS += $(CPPFLAGS) +CXXFLAGS += $(CPPFLAGS) + %: dh $@ To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything): $ hardening-check /usr/bin/KWStyle /usr/bin/KWStyle: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature