Package: onscripter Version: 20120520-1 Severity: normal Tags: patch Dear Maintainer,
The CPPFLAGS and LDFLAGS hardening flags are missing because they are not set in debian/rules. Setting only CFLAGS is not enough. For more hardening information please have a look at [1], [2] and [3]. The following patch fixes the issue. diff -Nru onscripter-20120520/debian/rules onscripter-20120520/debian/rules --- onscripter-20120520/debian/rules 2012-05-20 18:00:06.000000000 +0200 +++ onscripter-20120520/debian/rules 2012-05-21 04:06:24.000000000 +0200 @@ -9,11 +9,12 @@ DEB_FONTCONFIG_FLAG := $(findstring ok installed,$(shell dpkg-query -W -f='$${Status}' libfontconfig1-dev)) DEB_LUA_FLAG := $(findstring ok installed,$(shell dpkg-query -W -f='$${Status}' liblua5.1-0-dev)) -M_CFLAGS = $(shell dpkg-buildflags --get CFLAGS) -Wall +M_CFLAGS = $(shell dpkg-buildflags --get CFLAGS) $(shell dpkg-buildflags --get CPPFLAGS) -Wall +M_LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS) CONFDEFS := -DLINUX CONFINCS := $(M_CFLAGS) `sdl-config --cflags` -CONFLIBS := $(M_CFLAGS) `sdl-config --libs` -lSDL_ttf -lSDL_image -lSDL_mixer -lbz2 -ljpeg -lm +CONFLIBS := $(M_CFLAGS) $(M_LDFLAGS) `sdl-config --libs` -lSDL_ttf -lSDL_image -lSDL_mixer -lbz2 -ljpeg -lm CONFEXT_OBJS := CONFTARGET := onscripter sardec nsadec sarconv nsaconv To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything): $ hardening-check /usr/games/sardec /usr/games/nsadec /usr/games/nsaconv ... /usr/games/sardec: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/games/nsadec: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/games/nsaconv: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! ... (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening [4]: http://ruderich.org/simon/blhc/ -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature