reopen 654807 thanks Dear Maintainer,
The hardening flags are missing for links2 because the build system doesn't respect them. For more hardening information please have a look at [1], [2] and [3]. The following patch fixes the issue, $(shell ...) is necessary as make doesn't expand `..` which causes a build failure. diff -Nru links2-2.6/debian/rules links2-2.6/debian/rules --- links2-2.6/debian/rules 2012-01-05 22:54:41.000000000 +0100 +++ links2-2.6/debian/rules 2012-04-24 12:14:45.000000000 +0200 @@ -7,15 +7,18 @@ DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) -CFLAGS = `dpkg-buildflags --get CFLAGS` +CFLAGS = $(shell dpkg-buildflags --get CFLAGS) CFLAGS += -Wall -LDFLAGS = `dpkg-buildflags --get LDFLAGS` -CPPFLAGS = `dpkg-buildflags --get CPPFLAGS` +LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS) +CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS) +# The build system reruns ./configure which removes the hardening flags if +# they are only passed to ./configure. +export CFLAGS CPPFLAGS LDFLAGS config.status: configure dh_testdir dh_autotools-dev_updateconfig - CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) \ + ./configure --host=$(DEB_HOST_GNU_TYPE) \ --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr \ --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \ --enable-graphics --with-x --with-fb @@ -57,7 +60,7 @@ cp debian/links2.desktop debian/links2/usr/share/applications/ # build the textmode only version - CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) \ + ./configure --host=$(DEB_HOST_GNU_TYPE) \ --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr \ --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \ --without-svgalib --without-x --without-fb --without-directfb --without-libjpeg --without-libtiff To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything): $ hardening-check /usr/bin/links /usr/bin/links2 /usr/bin/links: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/bin/links2: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening [4]: http://ruderich.org/simon/blhc/ -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature