reopen 656861 thanks Dear Maintainer,
The hardening flags are missing for the polarssl library. For more hardening information please have a look at [1], [2] and [3]. The attached patches fix the issue (polarssl-use-dpkg-buildflags.patch should be applied first). The second enables a verbose build for polarssl - otherwise missing flags are not detected. To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything): $ hardening-check /usr/bin/pdnssec /usr/bin/zone2sql /usr/bin/pdns_control /usr/sbin/pdns_server ... /usr/bin/pdnssec: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/bin/zone2sql: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/bin/pdns_control: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/sbin/pdns_server: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! ... (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening [4]: http://ruderich.org/simon/blhc/ -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-05-11 Index: pdns-3.0/pdns/ext/polarssl/library/Makefile =================================================================== --- pdns-3.0.orig/pdns/ext/polarssl/library/Makefile 2012-05-11 13:01:01.000000000 +0200 +++ pdns-3.0/pdns/ext/polarssl/library/Makefile 2012-05-11 13:01:03.000000000 +0200 @@ -2,7 +2,10 @@ # Also see "include/polarssl/config.h" CFLAGS = -I../include -D_FILE_OFFSET_BITS=64 -Wall -Wdeclaration-after-statement -OFLAGS = -O +#OFLAGS = -O +CFLAGS += $(shell dpkg-buildflags --get CFLAGS) +CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS) +LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS) # MicroBlaze specific options: # CFLAGS += -mno-xl-soft-mul -mxl-barrel-shift @@ -43,15 +46,15 @@ libpolarssl.so: libpolarssl.a echo " LD $@" - $(CC) -shared -Wl,-soname,$@ -o $@ $(OBJS) + $(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname,$@ -o $@ $(OBJS) libpolarssl.dylib: libpolarssl.a echo " LD $@" - $(CC) -dynamiclib -o $@ $(OBJS) + $(CC) $(CFLAGS) $(LDFLAGS) -dynamiclib -o $@ $(OBJS) .c.o: echo " CC $<" - $(CC) $(CFLAGS) $(OFLAGS) -c $< + $(CC) $(CPPFLAGS) $(CFLAGS) $(OFLAGS) -c $< clean: rm -f *.o libpolarssl.*
Description: Display compiler commands when compiling. Necessary to detect missing (hardening) flags. . The echo lines were removed to prevent false positives when checking the build log. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-05-11 Index: pdns-3.0/pdns/ext/polarssl/library/Makefile =================================================================== --- pdns-3.0.orig/pdns/ext/polarssl/library/Makefile 2012-05-11 13:01:03.000000000 +0200 +++ pdns-3.0/pdns/ext/polarssl/library/Makefile 2012-05-11 13:01:06.000000000 +0200 @@ -30,8 +30,6 @@ timing.o x509parse.o xtea.o \ camellia.o -.SILENT: - all: static static: libpolarssl.a @@ -39,21 +37,16 @@ shared: libpolarssl.$(DLEXT) libpolarssl.a: $(OBJS) - echo " AR $@" ar r $@ $(OBJS) - echo " RL $@" ranlib $@ libpolarssl.so: libpolarssl.a - echo " LD $@" $(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname,$@ -o $@ $(OBJS) libpolarssl.dylib: libpolarssl.a - echo " LD $@" $(CC) $(CFLAGS) $(LDFLAGS) -dynamiclib -o $@ $(OBJS) .c.o: - echo " CC $<" $(CC) $(CPPFLAGS) $(CFLAGS) $(OFLAGS) -c $< clean:
signature.asc
Description: Digital signature