reopen 654807
thanks

Dear Maintainer,

The hardening flags are missing for links2 because the build
system doesn't respect them when they are only passed on the
./configure command line (it reruns ./configure and drops them).
For more hardening information please have a look at [1], [2]
and [3].

The following patch fixes the issue. $(shell ...) is necessary
because make does not perform backquote command substitution in a
variable assignment: once the variables are exported, the literal
`dpkg-buildflags --get ...` text would be handed to the compiler,
which causes a build failure.

diff -Nru links2-2.6/debian/rules links2-2.6/debian/rules
--- links2-2.6/debian/rules     2012-01-05 22:54:41.000000000 +0100
+++ links2-2.6/debian/rules     2012-04-24 12:14:45.000000000 +0200
@@ -7,15 +7,18 @@
 DEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 
-CFLAGS = `dpkg-buildflags --get CFLAGS`
+CFLAGS = $(shell dpkg-buildflags --get CFLAGS)
 CFLAGS += -Wall
-LDFLAGS = `dpkg-buildflags --get LDFLAGS`
-CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`
+LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
+CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)
+# The build system reruns ./configure which removes the hardening flags if
+# they are only passed to ./configure.
+export CFLAGS CPPFLAGS LDFLAGS
 
 config.status: configure
        dh_testdir
        dh_autotools-dev_updateconfig
-       CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" 
./configure --host=$(DEB_HOST_GNU_TYPE) \
+       ./configure --host=$(DEB_HOST_GNU_TYPE) \
         --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr \
         --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
         --enable-graphics --with-x --with-fb
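Review bot: The three `$(shell dpkg-buildflags ...)` assignments on the added lines use recursive `=`, so every expansion of CFLAGS, CPPFLAGS or LDFLAGS forks dpkg-buildflags again; `CFLAGS := $(shell dpkg-buildflags --get CFLAGS)` (and the same for the other two) evaluates once at parse time and the following `CFLAGS += -Wall` keeps working unchanged. The `export CFLAGS CPPFLAGS LDFLAGS` line is the real fix — with the variables only on the configure command line, the re-run of ./configure that the new comment describes loses them — and the comment is worth keeping next to it so nobody "simplifies" it away later. hardening-check on the linked binaries only proves the final executable carries the markers; confirm with blhc on the build log that -fstack-protector and -D_FORTIFY_SOURCE=2 appear on every compile line of both configure passes, since one object built without them is invisible in the hardening-check output. The missing PIE and BIND_NOW entries in the check output are expected, as dpkg-buildflags does not enable them by default; if the maintainer wants them, the walkthrough in [2] documents how to opt in from debian/rules via DEB_BUILD_MAINT_OPTIONS.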
@@ -57,7 +60,7 @@
        cp debian/links2.desktop debian/links2/usr/share/applications/
 
 #      build the textmode only version
-       CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" 
./configure --host=$(DEB_HOST_GNU_TYPE) \
+       ./configure --host=$(DEB_HOST_GNU_TYPE) \
        --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr \
        --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
        --without-svgalib --without-x --without-fb --without-directfb 
--without-libjpeg --without-libtiff
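Review bot: This second `./configure` for the textmode binary now relies entirely on the file-level `export CFLAGS CPPFLAGS LDFLAGS` reaching both the shell that runs it and the make pass that follows, neither of which is visible in this hunk; the hardening-check output for /usr/bin/links suggests it does, but that tool only inspects the linked binary, so check the blhc output for the textmode compile lines as well. As pasted in the mail, the long recipe lines have been wrapped by the mailer (for example `--without-libjpeg --without-libtiff` sits on a line of its own with no `+`/`-`/space marker), so this should be applied from the attachment or re-joined before `patch` sees it. The rule this recipe belongs to starts before the hunk.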

To check that all flags were actually applied, run `hardening-check`
(from the hardening-includes package) on the installed binaries and
also check the build log, for example with blhc [4]; hardening-check
only inspects the final binary and doesn't catch everything:

    $ hardening-check /usr/bin/links /usr/bin/links2
    /usr/bin/links:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/links2:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default by dpkg-buildflags, so those two "no" lines are
expected.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all installed
executables and shared objects at once.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
