Package: epm
Version: 4.2-3
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because the build system
ignores them.

The attached patch (dpkg-buildflags.patch) fixes the issue by
patching the build system to respect CPPFLAGS (and, in doc/, all
build flags). If possible it should be sent upstream. It applies
cleanly to the original source and should therefore be applied
first in the series; refreshed versions of build-cleanup and
manpage-build-fixes are also attached.

The flags for doc/ are not strictly necessary, but they make
automatic checks for missing hardening flags possible and prevent
potential problems in the future.

The following patch enables all hardening flags for the complete
package. They were already partially in use because fltk sets them:

diff -Nru epm-4.2/debian/rules epm-4.2/debian/rules
--- epm-4.2/debian/rules        2012-04-01 18:54:46.000000000 +0200
+++ epm-4.2/debian/rules        2012-04-07 17:35:34.000000000 +0200
@@ -11,8 +11,8 @@
 
 # The FLTK static libs are built position-independent, so we need
 # to enable the same for our setup tool.  It's easier to just enable
-# it all around.
-DEB_BUILD_MAINT_OPTIONS="hardening=+pie"
+# it all around. +all includes PIE.
+DEB_BUILD_MAINT_OPTIONS="hardening=+all"
 
 # Set build flags.  For wheezy+1, we will switch to using debhelper 9.
 # For now, preserve compatibility with squeeze.
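Review bot: The new value keeps the double quotes of the old line, and debian/rules is a Makefile, so those quotes become part of the variable's value and dpkg-buildflags would see `"hardening=+all"` rather than `hardening=+all`. As far as I recall, dpkg-buildflags splits DEB_BUILD_MAINT_OPTIONS into whitespace-separated `name=value` words, and a word beginning with `"` is unlikely to be recognised as the hardening option; whether the old `+pie` value was ever honoured cannot be told from this hunk, since fltk already contributes PIE and the hardening-check output in the report was presumably taken after the patch. Drop the quotes, `DEB_BUILD_MAINT_OPTIONS = hardening=+all`, and confirm from within the rules context that `dpkg-buildflags --get CFLAGS` reports `-fstack-protector` and `-fPIE`; whether the variable is exported to dpkg-buildflags is decided outside this hunk.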

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/lib/epm/uninst /usr/lib/epm/setup /usr/bin/mkepmlist /usr/bin/epminstall /usr/bin/epm
    /usr/lib/epm/uninst:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/lib/epm/setup:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/mkepmlist:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/epminstall:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/epm:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2012-04-07

Index: epm-4.2/Makefile.in
===================================================================
--- epm-4.2.orig/Makefile.in	2012-04-07 17:50:29.572096713 +0200
+++ epm-4.2/Makefile.in	2012-04-07 17:50:34.248096734 +0200
@@ -43,6 +43,7 @@
 ARCHFLAGS	=	@ARCHFLAGS@
 CFLAGS		=	$(ARCHFLAGS) @CFLAGS@ $(OPTIM)
 CXXFLAGS	=	$(ARCHFLAGS) @CXXFLAGS@ $(OPTIM)
+CPPFLAGS	=	@CPPFLAGS@
 GUILIBS		=	@GUILIBS@
 LDFLAGS		=	$(ARCHFLAGS) @LDFLAGS@ $(OPTIM)
 LIBS		=	@LIBS@
@@ -75,10 +76,10 @@
 .SUFFIXES:	.c .cxx .h .o
 .c.o:
 	echo Compiling $<...
-	$(CC) $(CFLAGS) -I. -I$(srcdir) -c $<
+	$(CC) $(CFLAGS) $(CPPFLAGS) -I. -I$(srcdir) -c $<
 .cxx.o:
 	echo Compiling $<...
-	$(CXX) $(CXXFLAGS) -I. -I$(srcdir) -c $<
+	$(CXX) $(CXXFLAGS) $(CPPFLAGS) -I. -I$(srcdir) -c $<
 
 
 #
Index: epm-4.2/doc/Makefile.in
===================================================================
--- epm-4.2.orig/doc/Makefile.in	2012-04-07 17:50:29.572096713 +0200
+++ epm-4.2/doc/Makefile.in	2012-04-07 17:50:34.248096734 +0200
@@ -25,6 +25,13 @@
 NROFF	=	@NROFF@
 RM	=	@RM@ -f
 
+#
+# Build flags...
+#
+
+CFLAGS		=	@CFLAGS@
+CPPFLAGS	=	@CPPFLAGS@
+LDFLAGS		=	@LDFLAGS@
 
 #
 # Man page generation...
@@ -55,7 +62,7 @@
 	$(HTMLDOC) --batch epm-book.book -f epm-book.html
 
 mantohtml:	mantohtml.o
-	$(CC) -o $@ mantohtml.o
+	$(CC) -o $@ $(CFLAGS) $(LDFLAGS) mantohtml.o
 
 $(MANPAGES):	mantohtml
 
Description: Build clean-ups
 This patch makes build output more useful when things go wrong.
Author: Jeff Licquia <licq...@debian.org>
Forwarded: not-needed
Last-Update: 2011-02-19

Index: epm-4.2/Makefile.in
===================================================================
--- epm-4.2.orig/Makefile.in    2012-04-07 17:50:34.248096734 +0200
+++ epm-4.2/Makefile.in 2012-04-07 17:50:37.468096748 +0200
@@ -71,14 +71,10 @@
 # Rules...
 #
 
-.SILENT:
-
 .SUFFIXES:     .c .cxx .h .o
 .c.o:
-       echo Compiling $<...
        $(CC) $(CFLAGS) $(CPPFLAGS) -I. -I$(srcdir) -c $<
 .cxx.o:
-       echo Compiling $<...
        $(CXX) $(CXXFLAGS) $(CPPFLAGS) -I. -I$(srcdir) -c $<
 
 
@@ -169,7 +165,7 @@
 #
 
 install: all @INSTALL_GUIS@ @INSTALL_OSX@
-       echo Installing EPM programs in $(bindir)
+       @echo Installing EPM programs in $(bindir)
        -$(MKDIR) $(bindir)
        $(RM) $(bindir)/epm
        $(CP) epm $(bindir)
@@ -179,7 +175,7 @@
        $(STRIP) $(bindir)/epminstall
        $(RM) $(bindir)/mkepmlist
        $(CP) mkepmlist $(bindir)
-       echo Installing EPM manpages in $(mandir)/man1
+       @echo Installing EPM manpages in $(mandir)/man1
        -$(MKDIR) $(mandir)/man1
        $(RM) $(mandir)/man1/epm.1
        $(CP) $(srcdir)/doc/epm.man $(mandir)/man1/epm.1
@@ -189,13 +185,13 @@
        $(CP) $(srcdir)/doc/mkepmlist.man $(mandir)/man1/mkepmlist.1
        $(RM) $(mandir)/man1/setup.1
        $(CP) $(srcdir)/doc/setup.man $(mandir)/man1/setup.1
-       echo Installing EPM manpages in $(mandir)/man5
+       @echo Installing EPM manpages in $(mandir)/man5
        -$(MKDIR) $(mandir)/man5
        $(RM) $(mandir)/man5/epm.list.5
        $(CP) $(srcdir)/doc/epm.list.man $(mandir)/man5/epm.list.5
        $(RM) $(mandir)/man5/setup.types.5
        $(CP) $(srcdir)/doc/setup.types.man $(mandir)/man5/setup.types.5
-       echo Installing EPM documentation in $(docdir)
+       @echo Installing EPM documentation in $(docdir)
        -$(MKDIR) $(docdir)
        $(RM) $(docdir)/COPYING
        $(CP) $(srcdir)/COPYING $(docdir)
@@ -205,7 +201,7 @@
        $(CP) $(srcdir)/doc/epm-book.html $(docdir)
 
 install-guis:  setup uninst
-       echo Installing EPM setup/uninst in $(libdir)/epm
+       @echo Installing EPM setup/uninst in $(libdir)/epm
        $(RM) -r $(libdir)/epm
        -$(MKDIR) $(libdir)/epm
        $(CP) setup $(libdir)/epm
@@ -214,7 +210,7 @@
        -$(STRIP) $(libdir)/epm/uninst
 
 install-osx:
-       echo Installing EPM OSX data files in $(datadir)/epm
+       @echo Installing EPM OSX data files in $(datadir)/epm
        $(RM) -r $(datadir)/epm
        -$(MKDIR) $(datadir)/epm
        $(CP) macosx/setup.icns $(datadir)/epm
@@ -228,23 +224,23 @@
 #
 
 uninstall:
-       echo Uninstalling EPM programs from $(bindir)
+       @echo Uninstalling EPM programs from $(bindir)
        $(RM) $(bindir)/epm
        $(RM) $(bindir)/epminstall
        $(RM) $(bindir)/mkepmlist
-       echo Uninstalling EPM manpages from $(mandir)/man1
+       @echo Uninstalling EPM manpages from $(mandir)/man1
        $(RM) $(mandir)/man1/epm.1
        $(RM) $(mandir)/man1/epminstall.1
        $(RM) $(mandir)/man1/mkepmlist.1
        $(RM) $(mandir)/man1/setup.1
-       echo Uninstalling EPM manpages from $(mandir)/man5
+       @echo Uninstalling EPM manpages from $(mandir)/man5
        $(RM) $(mandir)/man5/epm.list.5
        $(RM) $(mandir)/man5/setup.types.5
-       echo Uninstalling EPM documentation from $(docdir)
+       @echo Uninstalling EPM documentation from $(docdir)
        $(RM) -r $(docdir)
-       echo Uninstalling EPM setup/uninstall from $(libdir)/epm
+       @echo Uninstalling EPM setup/uninstall from $(libdir)/epm
        $(RM) -r $(libdir)/epm
-       echo Uninstalling EPM OSX data files from $(datadir)/epm
+       @echo Uninstalling EPM OSX data files from $(datadir)/epm
        $(RM) -r $(datadir)/epm
 
 
@@ -281,15 +277,15 @@
 #
 
 test:  $(TARGETS)
-       echo Starting portable distribution build test...
-       if ./epm -vv epm >test.log; then \
+       @echo Starting portable distribution build test...
+       @if ./epm -vv epm >test.log; then \
                echo Portable distribution build test PASSED.; \
        else \
                echo Portable distribution build test FAILED.; \
                cat test.log; \
        fi
-       echo Starting native distribution build test...
-       if ./epm -vv -s doc/epmlogo.tif -f native epm >test.log; then \
+       @echo Starting native distribution build test...
+       @if ./epm -vv -s doc/epmlogo.tif -f native epm >test.log; then \
                echo Native distribution build test PASSED.; \
        else \
                echo Native distribution build test FAILED.; \
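Review bot: The `test` target still exits 0 when a build test fails: each `if … else` branch ends with `cat test.log`, so the recipe's status is that of `cat`, and the added `@` prefix only silences the command. A failing `./epm` run therefore never fails `make test`, nor any packaging check that runs it. Append a non-zero exit to each else branch, `cat test.log; exit 1; \`, for the portable test here and for the native test, whose else branch continues past the end of this hunk.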
@@ -343,7 +339,6 @@
 #
 
 libepm.a:      $(EPM_OBJS)
-       echo Archiving libepm.a...
        $(RM) libepm.a
        $(AR) $(ARFLAGS) libepm.a $(EPM_OBJS)
        $(RANLIB) libepm.a
@@ -356,7 +351,6 @@
 #
 
 epm:   epm.o $(EPM_OBJS)
-       echo Linking epm...
        $(CC) $(LDFLAGS) -o epm epm.o libepm.a $(LIBS)
 
 epm.o: epm.h epmstring.h
@@ -367,7 +361,6 @@
 #
 
 epminstall:    epminstall.o libepm.a
-       echo Linking epminstall...
        $(CC) $(LDFLAGS) -o epminstall epminstall.o libepm.a $(LIBS)
 
 epminstall.o:  epm.h epmstring.h
@@ -378,7 +371,6 @@
 #
 
 mkepmlist:     mkepmlist.o libepm.a
-       echo Linking mkepmlist...
        $(CC) $(LDFLAGS) -o mkepmlist mkepmlist.o libepm.a $(LIBS)
 
 mkepmlist.o:   epm.h epmstring.h
@@ -389,7 +381,6 @@
 #
 
 setup: $(SETUP_OBJS) libepm.a
-       echo Linking setup...
        $(CXX) $(LDFLAGS) -o setup $(SETUP_OBJS) libepm.a $(GUILIBS) $(LIBS)
 
 setup.o:       setup.h gui-common.h epmstring.h
@@ -402,7 +393,6 @@
 #
 
 uninst:        $(UNINST_OBJS) libepm.a
-       echo Linking uninst...
        $(CXX) $(LDFLAGS) -o uninst $(UNINST_OBJS) libepm.a $(GUILIBS) $(LIBS)
 
 uninst.o:      uninst.h epmstring.h gui-common.h
Description: Build proper set of man pages
 For some reason, upstream does not build all of the available man
 pages.  This patch fixes that.
Author: Jeff Licquia <licq...@debian.org>
Last-Update: 2011-02-19

Index: epm-4.2/doc/Makefile.in
===================================================================
--- epm-4.2.orig/doc/Makefile.in        2012-04-07 17:50:34.248096734 +0200
+++ epm-4.2/doc/Makefile.in     2012-04-07 17:50:39.460096757 +0200
@@ -47,7 +47,8 @@
 # Targets...
 #
 
-MANPAGES       =       epm.html epminstall.html mkepmlist.html setup.html
+MANPAGES       =       epm.html epminstall.html mkepmlist.html setup.html \
+                       epm.list.html setup.types.html
 HTMLFILES      =       preface.html 1-intro.html 2-building.html \
                        3-packaging.html 4-advanced.html 5-examples.html \
                        a-license.html b-manpages.html c-reference.html \
