Package: onscripter
Version: 20120520-1
Severity: normal
Tags: patch

Dear Maintainer,

The CPPFLAGS and LDFLAGS hardening flags are missing because they
are not set in debian/rules. Setting only CFLAGS is not enough.
For more hardening information please have a look at [1], [2] and
[3].

The following patch fixes the issue.

diff -Nru onscripter-20120520/debian/rules onscripter-20120520/debian/rules
--- onscripter-20120520/debian/rules    2012-05-20 18:00:06.000000000 +0200
+++ onscripter-20120520/debian/rules    2012-05-21 04:06:24.000000000 +0200
@@ -9,11 +9,12 @@
 DEB_FONTCONFIG_FLAG := $(findstring ok installed,$(shell dpkg-query -W 
-f='$${Status}' libfontconfig1-dev))
 DEB_LUA_FLAG        := $(findstring ok installed,$(shell dpkg-query -W 
-f='$${Status}' liblua5.1-0-dev))
 
-M_CFLAGS = $(shell dpkg-buildflags --get CFLAGS) -Wall
+M_CFLAGS = $(shell dpkg-buildflags --get CFLAGS) $(shell dpkg-buildflags --get 
CPPFLAGS) -Wall
+M_LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
 
 CONFDEFS := -DLINUX
 CONFINCS := $(M_CFLAGS) `sdl-config --cflags`
-CONFLIBS := $(M_CFLAGS) `sdl-config --libs` -lSDL_ttf -lSDL_image -lSDL_mixer 
-lbz2 -ljpeg -lm
+CONFLIBS := $(M_CFLAGS) $(M_LDFLAGS) `sdl-config --libs` -lSDL_ttf -lSDL_image 
-lSDL_mixer -lbz2 -ljpeg -lm
 CONFEXT_OBJS :=
 CONFTARGET := onscripter sardec nsadec sarconv nsaconv
 
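Review bot: the hunk as pasted has been line-wrapped by the mail client and will not apply: `CPPFLAGS) -Wall`, `-lbz2 -ljpeg -lm` and `-lSDL_mixer -lbz2 -ljpeg -lm` appear as separate lines with no diff prefix (the second even looks like a removal line), so `patch` will reject the hunk; attaching the diff as a file instead of inlining it avoids this. Separately, folding `--get CPPFLAGS` into M_CFLAGS means the preprocessor flags also reach the link line through the pre-existing `$(M_CFLAGS)` in CONFLIBS; harmless, but a separate `M_CPPFLAGS` added only to CONFINCS would keep the three flag variables in their usual roles.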

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/games/sardec /usr/games/nsadec /usr/games/nsaconv ...
    /usr/games/sardec:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/games/nsadec:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/games/nsaconv:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

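Added example, not part of Simon's report or of the onscripter package: a POSIX sh helper that parses hardening-check output (for instance from the `find ... -exec hardening-check {} +` sweep suggested above) and fails only for the checks this patch is meant to enable, skipping PIE and immediate binding, which the report notes are off by default. Both sample outputs below are constructed to mirror the format quoted in the report.

```shell
#!/bin/sh
# Constructed hardening-check output for a patched build (one binary
# still lacks PIE and bindnow, which is expected with default flags).
SAMPLE_OUTPUT='/usr/games/sardec:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/games/onscripter:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes'

# Constructed output for a build where CFLAGS hardening did not reach
# the compiler at all (wording of the "no" answers is an assumption).
UNPATCHED_OUTPUT='/usr/games/sardec:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no not found!'

# missing_checks: reads hardening-check output on stdin and prints one
# "<binary> <check name>" line for every check that did not answer "yes".
# A line that is not indented and ends in ":" names the binary; indented
# lines are "<check>: <answer>" pairs belonging to that binary.
missing_checks() {
    awk '
        /^[^ ].*:$/ { bin = substr($0, 1, length($0) - 1); next }
        /^ / {
            split($0, kv, ": ")
            name = kv[1]; sub(/^ +/, "", name)
            if (kv[2] !~ /^yes/) print bin, name
        }'
}

# hardening_ok: exit 0 if every check the dpkg-buildflags defaults should
# enable passed; PIE and immediate binding are ignored because they are
# not on by default. Any remaining failures are printed before returning 1.
hardening_ok() {
    ! missing_checks | grep -v -e 'Position Independent Executable$' \
                               -e 'Immediate binding$'
}

# Usage on a real build tree (hypothetical invocation, mirrors the report):
#   find . -type f \( -executable -o -name '*.so*' \) -exec hardening-check {} + | hardening_ok
printf '%s\n' "$SAMPLE_OUTPUT" | hardening_ok && echo "required hardening flags present"
```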