Package: dash
Version: 0.5.7-3
Severity: important
Tags: patch
Dear Maintainer,

Please consider enabling hardening flags, which are a release goal for wheezy. For more information please have a look at [1], [2] and [3].

The attached patch enables the hardening flags and fixes a format string vulnerability detected by -Wformat-security. -g and -O2 are automatically set by dpkg-buildflags (noopt is respected). I've been using the patched version for some time now and it works fine for me.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package:

  $ hardening-check /bin/dash
  /bin/dash:
   Position Independent Executable: no, normal executable!
   Stack protected: yes
   Fortify Source functions: yes (some protected functions found)
   Read-only relocations: yes
   Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not enabled by default.)

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dash depends on:
ii  debianutils  4.2.1
ii  dpkg         1.16.1.2
ii  libc6        2.13-27

dash recommends no packages.

dash suggests no packages.
-- debconf information excluded
diff -u dash-0.5.7/debian/control dash-0.5.7/debian/control --- dash-0.5.7/debian/control +++ dash-0.5.7/debian/control @@ -2,7 +2,7 @@ Section: shells Priority: optional Maintainer: Gerrit Pape <p...@smarden.org> -Build-Depends: po-debconf +Build-Depends: po-debconf, dpkg-dev (>= 1.16.1) Standards-Version: 3.9.3.0 Homepage: http://gondor.apana.org.au/~herbert/dash/ Vcs-Git: http://smarden.org/git/dash.git/ diff -u dash-0.5.7/debian/rules dash-0.5.7/debian/rules --- dash-0.5.7/debian/rules +++ dash-0.5.7/debian/rules @@ -1,7 +1,10 @@ #!/usr/bin/make -f +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + CC =gcc -CFLAGS =-g -O2 -Wall +CFLAGS +=-Wall STRIP =strip DEB_HOST_GNU_TYPE =$(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) only in patch2: unchanged: --- dash-0.5.7.orig/src/jobs.c +++ dash-0.5.7/src/jobs.c @@ -427,7 +427,7 @@ goto out; #endif } - col = fmtstr(s, 32, strsignal(st)); + col = fmtstr(s, 32, "%s", strsignal(st)); #ifdef WCOREDUMP if (WCOREDUMP(status)) { col += fmtstr(s + col, 16, " (core dumped)");
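Review bot: the debian/control hunk's versioned build-dependency `dpkg-dev (>= 1.16.1)` is the right lower bound, since /usr/share/dpkg/buildflags.mk and DPKG_EXPORT_BUILDFLAGS first shipped in that dpkg-dev release; keep it rather than an unversioned dpkg-dev, otherwise the `include` in debian/rules fails on older build chroots.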
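Review bot: in the debian/rules hunk, the `include /usr/share/dpkg/buildflags.mk` line must stay above `CFLAGS +=-Wall` so the `+=` appends to the dpkg-buildflags value instead of replacing it; the hunk has that order, and the change from `CFLAGS =-g -O2 -Wall` to `CFLAGS +=-Wall` is what hands -g/-O2 and the noopt handling over to dpkg-buildflags, as the report says. Fortify and relro come from CPPFLAGS and LDFLAGS rather than CFLAGS, and the hunk only exports them into the environment (DPKG_EXPORT_BUILDFLAGS = 1) without passing them to the upstream build explicitly; the `hardening-check` output quoted in the report ("Fortify Source functions: yes", "Read-only relocations: yes") shows the upstream configure picks them up from the environment, but that is worth a sentence in the changelog so a later build-system change does not silently drop them.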
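Review bot: the src/jobs.c hunk is the real security fix and is correct: `fmtstr(s, 32, strsignal(st))` uses text supplied by libc (and by the active locale) as the format string, so any '%' sequence in that text is parsed as a conversion, whereas `fmtstr(s, 32, "%s", strsignal(st))` treats it as data; the neighbouring `fmtstr(s + col, 16, " (core dumped)")` has a literal format and needs no change. Since -Wformat-security flagged this call, the same warning should be checked across the rest of src/ for other fmtstr/out* calls with non-literal formats before the flags are turned on, and the fix deserves its own changelog entry separate from the build-flag change.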
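The format-string defect the report describes and the src/jobs.c hunk fixes, as an added example that is not dash's code and not part of the patch: a stand-in `fmtstr()` built on vsnprintf(), and a constructed description string in place of strsignal() output, so the before and after shapes can be run side by side.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for dash's fmtstr(): formats into outbuf via vsnprintf().
 * Assumption: dash declares its own wrapper with a printf format
 * attribute, which is what lets -Wformat-security see the defect below;
 * it is left off here so the pre-patch call still compiles where that
 * warning is promoted to an error. */
static int fmtstr(char *outbuf, size_t length, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(outbuf, length, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed stand-in for strsignal(st): text the program does not
 * control. "%%" is the one '%' sequence with defined behaviour when it
 * reaches a format parser, so it is used to make the difference visible
 * without invoking undefined behaviour. */
static const char CONSTRUCTED_DESC[] = "Interrupt 100%% real";

/* Pre-patch shape: the description itself is the format string. Every
 * '%' in it is parsed as a conversion; a "%s" or "%n" in such text would
 * read or write through arguments that were never passed. */
static int describe_before(char *s, size_t n, const char *desc)
{
    return fmtstr(s, n, desc);
}

/* Post-patch shape: a literal format, the description is plain data. */
static int describe_after(char *s, size_t n, const char *desc)
{
    return fmtstr(s, n, "%s", desc);
}

int main(void)
{
    char s[32];   /* same buffer size as the jobs.c call */

    describe_before(s, sizeof s, CONSTRUCTED_DESC);
    printf("before: %s\n", s);   /* before: Interrupt 100% real  */
    describe_after(s, sizeof s, CONSTRUCTED_DESC);
    printf("after:  %s\n", s);   /* after:  Interrupt 100%% real */
    return 0;
}
```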