Package: pngcheck
Severity: important
Tags: patch
Hello,
The CPPFLAGS hardening flags are missing because they are not
enabled in debian/rules.
DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].
The attached patch fixes the issue; debian/debian-compile.mk was
updated to prevent CFLAGS from overwriting the hardening flags.
dpkg-buildflags automatically handles noopt, so setting it manually
is no longer necessary.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
$ hardening-check /usr/bin/pngcheck
/usr/bin/pngcheck:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding are not
enabled by default.)
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
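Added example, not part of this bug report or of the hardening-includes package: a stdlib-only Python check that derives the same five answers hardening-check prints above directly from the ELF headers, so the result can be reproduced on a build host that does not have hardening-includes installed. It assumes an ELF64 little-endian binary and reads .dynamic and .dynsym through the section table, which strip leaves in place.

```python
import struct

PT_GNU_RELRO, SHT_DYNAMIC, SHT_DYNSYM, ET_DYN = 0x6474e552, 6, 11, 3
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 24, 30, 0x6ffffffb, 0x8, 0x1

def is_fortified_name(name):
    # _FORTIFY_SOURCE turns calls into __<func>_chk; __stack_chk_* belongs to the stack protector
    return name.startswith('__') and name.endswith('_chk') and not name.startswith('__stack_chk')

def immediate_binding(dyn_entries):
    # BIND_NOW can be recorded as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1
    return any(tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
               or (tag == DT_FLAGS_1 and val & DF_1_NOW) for tag, val in dyn_entries)

def check_hardening(path):
    """Return the five hardening-check properties for an ELF64 little-endian file."""
    with open(path, 'rb') as f:
        data = f.read()
    if data[:5] != b'\x7fELF\x02' or data[5] != 1:
        raise ValueError('only ELF64 little-endian files are handled here')
    e_type, = struct.unpack_from('<H', data, 16)
    e_phoff, e_shoff = struct.unpack_from('<QQ', data, 32)
    e_phentsize, e_phnum, e_shentsize, e_shnum = struct.unpack_from('<HHHH', data, 54)
    # PT_GNU_RELRO marks the segment the loader remaps read-only after relocation
    relro = any(struct.unpack_from('<I', data, e_phoff + i * e_phentsize)[0] == PT_GNU_RELRO
                for i in range(e_phnum))
    # .dynamic, .dynsym and .dynstr survive `strip`, so read them via the section table
    shdrs = [struct.unpack_from('<IIQQQQIIQQ', data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    dyn, names = [], set()
    for sh in shdrs:
        sh_type, sh_off, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type == SHT_DYNAMIC:
            dyn += [struct.unpack_from('<qQ', data, off) for off in range(sh_off, sh_off + sh_size, 16)]
        elif sh_type == SHT_DYNSYM:
            strtab_off = shdrs[sh_link][4]                # sh_link points at .dynstr
            for off in range(sh_off, sh_off + sh_size, sh_entsize or 24):
                start = strtab_off + struct.unpack_from('<I', data, off)[0]
                names.add(data[start:data.index(b'\0', start)].decode('ascii', 'replace'))
    return {
        'Position Independent Executable': e_type == ET_DYN,   # hardening-check also keys on ET_DYN
        'Stack protected': '__stack_chk_fail' in names,
        'Fortify Source functions': any(is_fortified_name(n) for n in names),
        'Read-only relocations': relro,
        'Immediate binding': immediate_binding(dyn),
    }
```

Call check_hardening('/usr/bin/pngcheck') after the build to compare against the hardening-check output above; a shared library also reports ET_DYN, so the PIE line is only meaningful for executables.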
diff -Nru pngcheck-2.3.0/debian/debian-compile.mk pngcheck-2.3.0/debian/debian-compile.mk
--- pngcheck-2.3.0/debian/debian-compile.mk 2012-02-14 21:10:37.000000000 +0100
+++ pngcheck-2.3.0/debian/debian-compile.mk 2012-03-06 15:02:08.000000000 +0100
@@ -45,16 +45,6 @@
export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
#######################################################################
-
-CFLAGS = -Wall -g
-
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
- CFLAGS += -O0
-else
- CFLAGS += -O2
-endif
-
-#######################################################################
# [Add this to use multiple CPU cores]
# build-stamp:
# $(MAKE) $(MAKE_FLAGS)
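Review bot: with the CFLAGS block removed, debian-compile.mk no longer defines CFLAGS at all, so the -g/-O2 defaults and the noopt handling now come entirely from /usr/share/dpkg/buildflags.mk included by debian/rules; a one-line comment in the separator block saying so would stop a future maintainer from re-adding a plain `CFLAGS = ...` assignment here, which would again clobber the dpkg-buildflags values.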
diff -Nru pngcheck-2.3.0/debian/rules pngcheck-2.3.0/debian/rules
--- pngcheck-2.3.0/debian/rules 2012-03-05 10:01:09.000000000 +0100
+++ pngcheck-2.3.0/debian/rules 2012-03-06 14:59:50.000000000 +0100
@@ -4,17 +4,15 @@
include debian/debian-compile.mk
-include /usr/share/dpkg/buildflags.mk
-CFLAGS += -Wall -pedantic
-CFLAGS += -DUSE_ZLIB
-LDFLAGS += -Wl,--as-needed
+export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -DUSE_ZLIB
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
LIBS = -lz
man:
$(MAKE) -C debian -f pod2man.mk PACKAGE=$(PACKAGE) makeman
override_dh_auto_build: man
- gcc $(CFLAGS) $(LDFLAGS) -o $(PACKAGE) $(PACKAGE).c $(LIBS)
+ gcc $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $(PACKAGE) $(PACKAGE).c $(LIBS)
%:
dh $@
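Review bot: -DUSE_ZLIB is a preprocessor define and belongs in DEB_CPPFLAGS_MAINT_APPEND rather than in DEB_CFLAGS_MAINT_APPEND; it still works because the gcc line now passes both $(CFLAGS) and $(CPPFLAGS), but keeping defines in CPPFLAGS matches the split dpkg-buildflags uses. The added $(CPPFLAGS) on the gcc line is the part that actually puts the CPPFLAGS hardening flags onto the compile command, so that change is the real fix for the reported symptom and is worth calling out in the changelog entry.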