Package: cvsd
Severity: important
Tags: patch

Dear Maintainer,

Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].

The following patch bumps debian/compat to 9 to automatically
enable the hardening flags and enables all flags (including PIE
because cvsd is a server); you could also enable them without
changing compat (see [2]), but compat=9 is the preferred and
simplest solution.

    diff -Nru cvsd-1.0.23/debian/compat cvsd-1.0.23.1~hardening1/debian/compat
    --- cvsd-1.0.23/debian/compat       2011-08-07 21:40:23.000000000 +0200
    +++ cvsd-1.0.23.1~hardening1/debian/compat  2012-03-04 20:36:19.000000000 
+0100
    @@ -1 +1 @@
    -8
    +9
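
Review bot: The bump from 8 to 9 in debian/compat needs a matching versioned build dependency, debhelper (>= 9), in debian/control, and the patch as shown touches only debian/compat and debian/rules. Please add that change to the patch. Compat 9 also changes dh defaults other than build flags (for example, multiarch directories are passed to configure), so the rebuilt package contents are worth comparing against the compat 8 build.
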
    diff -Nru cvsd-1.0.23/debian/rules cvsd-1.0.23.1~hardening1/debian/rules
    --- cvsd-1.0.23/debian/rules        2011-08-07 22:05:56.000000000 +0200
    +++ cvsd-1.0.23.1~hardening1/debian/rules   2012-03-04 20:45:44.000000000 
+0100
    @@ -1,5 +1,7 @@
     #!/usr/bin/make -f
     
    +export DEB_BUILD_MAINT_OPTIONS = hardening=+all
    +
     export DH_VERBOSE=1
     
     %:
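
Review bot: The new DEB_BUILD_MAINT_OPTIONS export at the top of debian/rules carries no comment saying why hardening=+all is chosen over the default set. A one-line comment that PIE and bindnow are wanted because cvsd is a server would help later maintainers. Since DH_VERBOSE=1 is exported just below it, the build log can be used to confirm that the upstream build system actually passes the injected flags to every compile and link command.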

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

    $ hardening-check /usr/sbin/cvsd
    /usr/sbin/cvsd:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
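
One way to turn the `hardening-check` output quoted in the report into a pass/fail gate for a package build, as an added example that is not part of the original report or of the hardening-includes package. The function names are hypothetical, and the second binary in the sample, including the wording of its failing lines, is constructed for illustration.

```python
import re

# Constructed sample: the report's output plus a made-up binary that fails checks.
SAMPLE = """\
/usr/sbin/cvsd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/bin/example-tool:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!
"""

_CHECK = re.compile(r"^\s+(?P<name>[^:]+):\s+(?P<verdict>yes|no|unknown)\b(?P<detail>.*)$")


def parse_report(text):
    """Return {binary: {check name: (verdict, detail)}} from hardening-check text."""
    report, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _CHECK.match(line)
        if m and current is not None:
            detail = m.group("detail").strip(" ,()")
            report[current][m.group("name")] = (m.group("verdict"), detail)
        elif not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]  # header line naming the binary
            report[current] = {}
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return report


def failures(report, strict_unknown=False):
    """List (binary, check) pairs whose verdict is 'no' (or 'unknown' if strict)."""
    bad = {"no", "unknown"} if strict_unknown else {"no"}
    return [(b, n) for b, checks in report.items()
            for n, (verdict, _) in checks.items() if verdict in bad]


if __name__ == "__main__":
    for binary, name in failures(parse_report(SAMPLE)):
        print(f"{binary}: {name} is not enabled")
```

An "unknown" Fortify Source verdict is not treated as a failure unless `strict_unknown=True`, since a binary that calls no protectable libc functions cannot show fortified symbols.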
