Dear Maintainer,

The attached patch fixes the missing hardening flags. If
possible, it should be sent to upstream.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [1]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/sbin/sniffit
    /usr/sbin/sniffit:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2012-05-04

Index: sniffit-0.3.7.beta/Makefile.in
===================================================================
--- sniffit-0.3.7.beta.orig/Makefile.in	2012-05-04 12:10:08.632049736 +0200
+++ sniffit-0.3.7.beta/Makefile.in	2012-05-04 12:16:27.172051409 +0200
@@ -10,9 +10,9 @@
 LIBS       = @LIBS@
 DEFS	   = @DEFS@
 OS_OPT     = @OS_OPT@
-OBJ_FLAG   = -O2 -c
+OBJ_FLAG   = -O2 -c @CPPFLAGS@ @CFLAGS@
 OBJ_OPT    = -I./libpcap -L./libpcap
-EXE_FLAG   = -O2 -o sniffit
+EXE_FLAG   = -O2 @CFLAGS@ @LDFLAGS@ -o sniffit
 EXE_OPT    = -I./libpcap -L./libpcap -lpcap
 EXE_OBJ    = sn_packets.o sn_generation.o sn_interface.o sn_cfgfile.o \
              sn_logfile.o sn_resolv.o
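Review bot: OBJ_FLAG and EXE_FLAG embed the raw @CPPFLAGS@, @CFLAGS@ and @LDFLAGS@ substitutions, while the neighbouring lines follow the `NAME = @NAME@` pattern (LIBS, DEFS, OS_OPT). Defining `CPPFLAGS = @CPPFLAGS@`, `CFLAGS = @CFLAGS@` and `LDFLAGS = @LDFLAGS@` once and referencing `$(CPPFLAGS)`, `$(CFLAGS)` and `$(LDFLAGS)` here would match the file's convention and let the flags be overridden at make time. The hard-coded -O2 is kept in front of @CFLAGS@ in both variables, so any optimization level in the environment's CFLAGS takes precedence; consider dropping the hard-coded one or noting that this is intended.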
@@ -27,7 +27,7 @@
 
 sniffit: $(SNIFFIT) $(DEP_FILES)
 #	cd libpcap; make; cd ..
-	$(CC) $(EXE_FLAG) $(SNIFFIT) $(EXE_OBJ) $(EXE_OPT) $(LIBS) $(DEFS) $(OS_OPT) 
+	$(CC) @CPPFLAGS@ $(EXE_FLAG) $(SNIFFIT) $(EXE_OBJ) $(EXE_OPT) $(LIBS) $(DEFS) $(OS_OPT) 
 
 sn_cfgfile.o: sn_cfgfile.h sn_cfgfile.c sn_defines.h sn_structs.h sn_config.h
 	$(CC) $(OBJ_FLAG) sn_cfgfile.c $(OBJ_OPT) $(DEFS)
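Review bot: @CPPFLAGS@ is added on the recipe line of the sniffit rule rather than in EXE_FLAG, whereas the first hunk places it inside OBJ_FLAG. Since EXE_FLAG already receives @CFLAGS@ and @LDFLAGS@, adding @CPPFLAGS@ there as well would keep all flags for this step in one variable and leave the recipe line unchanged.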

Attachment: signature.asc
Description: Digital signature
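
A minimal build-log check in the spirit of the blhc step described in the mail, as an added example (not part of the original message and not blhc's own code). The expected flags are assumed to be the dpkg-buildflags defaults of the period, and the log lines, including the `sniffit.c` source name, are constructed from the Makefile.in rules in the patch.

```shell
#!/bin/sh
# Added example: blhc-style check of compiler lines in a build log.
# Assumption: the expected flags are the dpkg-buildflags defaults of the
# period (-fstack-protector, -Werror=format-security, -D_FORTIFY_SOURCE=2,
# -Wl,-z,relro); adjust the patterns for other flag sets.

# Reads a build log on stdin, prints one line per missing flag and
# returns 1 if any compiler invocation lacks a flag, 0 otherwise.
check_build_log() {
    awk '
    function need(re, name) {
        if ($0 !~ re) { printf "line %d: missing %s\n", NR, name; bad++ }
    }
    $1 ~ /^(gcc|cc)$/ {
        compiles = ($0 ~ /[.]c( |$)/)      # a C source file is on the line
        links    = ($0 !~ / -c( |$)/)      # no -c, so the linker runs too
        if (compiles) {
            need("-fstack-protector",       "-fstack-protector (CFLAGS)")
            need("-Werror=format-security", "-Werror=format-security (CFLAGS)")
            need("-D_FORTIFY_SOURCE=[1-9]", "-D_FORTIFY_SOURCE=2 (CPPFLAGS)")
        }
        if (links) need("-Wl,-z,relro", "-Wl,-z,relro (LDFLAGS)")
    }
    END { exit (bad > 0) }'
}

# Constructed log lines modelled on the Makefile.in rules before the patch
# (sniffit.c stands in for $(SNIFFIT), whose value is not shown).
log_before() {
    cat <<'EOF'
gcc -O2 -c sn_cfgfile.c -I./libpcap -L./libpcap
gcc -O2 -o sniffit sniffit.c sn_cfgfile.o -I./libpcap -L./libpcap -lpcap
EOF
}

# The same two rules after the patch, with the assumed flags substituted.
log_after() {
    cat <<'EOF'
gcc -O2 -c -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security sn_cfgfile.c -I./libpcap -L./libpcap
gcc -D_FORTIFY_SOURCE=2 -O2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wl,-z,relro -o sniffit sniffit.c sn_cfgfile.o -I./libpcap -L./libpcap -lpcap
EOF
}

log_before | check_build_log || echo "before: flags missing"
log_after  | check_build_log && echo "after: all checked flags present"
```

Like hardening-check on the binary, this only covers what it is told to look for; PIE and immediate binding are not among the checked flags.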
