Package: alsa-plugins
Severity: important
Tags: patch

Dear Maintainer,

The LDFLAGS hardening flags are missing because they are overwritten in debian/rules. DEB_*_MAINT_APPEND is the preferred way to set additional flags (see man dpkg-buildflags for more information).

For more hardening information please have a look at [1], [2] and [3].

The following patch fixes the issue.

diff -Nru alsa-plugins-1.0.25/debian/rules alsa-plugins-1.0.25/debian/rules --- alsa-plugins-1.0.25/debian/rules 2012-02-12 00:22:10.000000000 +0100 +++ alsa-plugins-1.0.25/debian/rules 2012-03-05 02:09:58.000000000 +0100 @@ -1,4 +1,7 @@ #!/usr/bin/make -f + +export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs + %: dh $@ --with autoreconf 
@@ -10,8 +13,7 @@ --with-plugindir=/usr/lib/$(DEB_HOST_MULTIARCH)/alsa-lib \ --with-avcodec-includedir=\$${prefix}/include/libavcodec \ --host=$(DEB_HOST_GNU_TYPE) \ - --build=$(DEB_BUILD_GNU_TYPE) \ - LDFLAGS=-Wl,-z,defs + --build=$(DEB_BUILD_GNU_TYPE) override_dh_auto_install: dh_auto_install --destdir=debian/tmp

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package:

$ hardening-check /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_rate_speexrate.so ...
/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_rate_speexrate.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_rate_samplerate.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no not found!
...

(The stack protected and fortify source warnings are fine in this case, the flags are correctly applied.)

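Review bot: The `export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs` line added at the top of debian/rules in the first hunk has no comment, so a later reader cannot tell that it carries over the flag the old configure argument set rather than adding a new hardening option. Suggest a one-line comment above it saying that -z,defs is the package's own check for unresolved symbols and that it is appended so the dpkg-buildflags default LDFLAGS are kept instead of being overwritten.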
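Review bot: In the second hunk, once `LDFLAGS=-Wl,-z,defs` is dropped from the configure arguments, the flag reaches the linker only if this configure call runs with dpkg-buildflags output exported (dh_auto_configure at debhelper compat level 9, or an explicit dpkg-buildflags call), and the visible lines show neither the caller nor the compat level. Please confirm that in the patch description, otherwise -z,defs is silently lost. hardening-check does not report -z,defs, so the link lines in the build log should be checked for both -Wl,-z,relro and -Wl,-z,defs.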
Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
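The two hardening-check results that depend on LDFLAGS ("Read-only relocations" and "Immediate binding") can be read straight from readelf output. The following is an added example, not part of the original report or of hardening-check itself; the function names and the sample readelf excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the linker-level hardening state of an ELF object
# from readelf text. All sample input below is constructed.

# relro_state PROGRAM_HEADERS_TEXT DYNAMIC_SECTION_TEXT
# Prints one of: none | partial | full
relro_state() {
    phdrs=$1
    dyn=$2
    # -Wl,-z,relro makes the linker emit a GNU_RELRO program header.
    if ! printf '%s\n' "$phdrs" | grep -q 'GNU_RELRO'; then
        echo none
        return
    fi
    # -Wl,-z,now is recorded as a BIND_NOW tag or as a flag in FLAGS / FLAGS_1.
    if printf '%s\n' "$dyn" |
        grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo full
    else
        # Matches "Read-only relocations: yes / Immediate binding: no".
        echo partial
    fi
}

# check_file PATH: same classification for a real object (needs binutils).
check_file() {
    relro_state "$(readelf -lW "$1")" "$(readelf -dW "$1")"
}

# Constructed excerpts shaped like `readelf -lW` and `readelf -dW` output.
SAMPLE_PHDRS_RELRO='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x001a2c 0x001a2c R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x8
  GNU_RELRO      0x001de0 0x0000000000201de0 0x0000000000201de0 0x000220 0x000220 R   0x1'
SAMPLE_PHDRS_PLAIN='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x001a2c 0x001a2c R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x8'
SAMPLE_DYN_LAZY=' 0x0000000000000001 (NEEDED)             Shared library: [libasound.so.2]
 0x000000000000000e (SONAME)             Library soname: [example.so]'
SAMPLE_DYN_NOW=' 0x0000000000000001 (NEEDED)             Shared library: [libasound.so.2]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW'

# Optional: pass a path to classify a real file.
if [ "$#" -gt 0 ]; then
    check_file "$1"
fi
```

A result of `partial` corresponds to the state shown in the report's hardening-check output.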