-=| Moritz Muehlenhoff, 05.01.2012 21:46:12 +0100 |=-
> I'm currently checking all packages, which had a DSA in the last
> year to enable hardened build flags. firebird2.5 has already been
> updated to use dpkg-buildflags, but I noticed that not all flags
> are fully in effect. You can use the hardening-check scripts from
> the package hardening includes:
>
> Out of the three hardening features from the Wheezy default set
> (protected stack, fortified source and relro) not all are fully
> applied, e.g.
>
> root@pisco:~# hardening-check /usr/sbin/fb_inet_server
> /usr/sbin/fb_inet_server:
> Stack protected: no, not found!
> Fortify Source functions: unknown, no protectable libc functions used
> Read-only relocations: yes

Just to make sure: we are aiming at having "yes" for these three, right?
Does the "no protectable libc functions used" part mean that this item
is OK?

> The reason is likely that some parts of Firebird build system
> hardcode specific flags, which nullify the hardened build flags?

This is quite possible. I try to patch it already so that it accepts
things like optimization flags from the environment, but maybe the
linking rules need more work.
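
The report quoted above gives one of three verdicts per feature (yes, no, unknown). The following is an added example, not part of the original message or of the hardening-check package: it triages such a report so it can be used as a post-build check. The function names, and the policy of reporting "unknown" as inconclusive instead of failing the check, are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage hardening-check output into PASS / FAIL / INCONCLUSIVE.

# Constructed sample input: the report quoted in the message above.
sample_report() {
cat <<'EOF'
/usr/sbin/fb_inet_server:
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
EOF
}

# triage_report: read a report on stdin, print "STATUS<TAB>feature<TAB>detail"
# for every check line. The line naming the binary is skipped.
triage_report() {
    awk '
    /^[^ \t].*:$/ { next }                 # "path:" header, no verdict on it
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        sep = index(line, ": ")
        if (sep == 0) next                 # not a "feature: verdict" line
        feature = substr(line, 1, sep - 1)
        value = substr(line, sep + 2)
        verdict = value
        sub(/[ ,(].*$/, "", verdict)       # first word: yes / no / unknown
        detail = substr(value, length(verdict) + 1)
        sub(/^[ ,]+/, "", detail)          # rest of the line is kept as detail
        if (verdict == "yes") status = "PASS"
        else if (verdict == "no") status = "FAIL"
        else status = "INCONCLUSIVE"       # assumption: report it, do not fail
        printf "%s\t%s\t%s\n", status, feature, detail
    }'
}

# count_status STATUS: number of checks on stdin with that status.
count_status() {
    triage_report | awk -F '\t' -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# hardening_gate: succeed only if no check on stdin has the verdict "no".
hardening_gate() {
    report=$(cat)
    fails=$(printf '%s\n' "$report" | count_status FAIL)
    [ "$fails" -eq 0 ]
}

sample_report | triage_report
```

In a package build, the output of `hardening-check` on each installed binary would be piped into `hardening_gate` in place of `sample_report`.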