Package: picolisp Version: 3.0.9.4-1 Severity: important Tags: patch -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Dear Maintainer,

Please consider enabling the hardening build flags, which are a release goal for wheezy. For more information please have a look at [1], [2] and [3].

The attached patch updates the build system to respect the CFLAGS and LDFLAGS passed in by the packaging, which is necessary for the hardening flags to take effect. If possible this patch should be sent to upstream.

To check whether all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and also check the build log (hardening-check doesn't catch everything):

$ hardening-check /usr/bin/picolisp /usr/lib/picolisp/lib/ht /usr/lib/picolisp/lib/ext
/usr/bin/picolisp:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes
/usr/lib/picolisp/lib/ht:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
/usr/lib/picolisp/lib/ext:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes

(Position Independent Executable is not enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files.

picolisp, ht and ext are linked with an executable stack, which weakens the protection against stack-based exploits. This is usually caused by an assembled object that lacks a .note.GNU-stack section, which makes the linker mark the whole program's stack executable. I'm not sure whether the program actually requires an executable stack; if it doesn't, adding -Wl,-z,noexecstack to LDFLAGS fixes that (note that the flag only changes the stack marking, so code that really does need an executable stack would crash at run time — this needs a test run).

I haven't tested picolisp with these new flags; please test it before uploading a new package with these changes. Normally everything works fine, but picolisp uses assembly, which might cause problems with the new link flags (and compiler-level hardening such as -fstack-protector does not apply to assembled code anyway, so hardening-check will keep reporting "Stack protected: no" for those objects).
Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening - -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJPW31LAAoJEJL+/bfkTDL5TXwQAIV8ZWFAQ+zgjJDpH//Nr41X 1gM/VB4zxC6V8aDVdshNLQhtkZZOCH4cd3+Cx2bUNSzBofRXgQu6LENgR8r9M1gT uYMCxozCN5TJmCl1k+TSHYYUSwLvFVpWF+IWiQH5LmGD+ZS4WspXAApDsKY+FeFB FgS7nmA1w+LcM/jrsyLCJOw44dWyHRmUeV9lJRquc16vWkjqwzEkNw+Nlu86Fagq RabIpKenLFcMFp2M4rt/BMYppjAR5JSM0KnEGtjGqzTYqMD9QuaRaOKAAxfG2C1Z ZwNBx9mv6ojKPqmAyp4GbdUlX2isZtLq74shVCEfZBN+wYRGnSR9qHW/s2xl7elQ 66hNtSoiXotU4PY8viUmXQhbIz7FvnzwSe2yRdMNmi4XrL2xnrrv/w9ntlzRywUH yKRy6evT66hD+B66hOpufQ/tDoucIB/zWVDAqP+hYbVsmZW2Qnzlaex3dEPNJ+fq ejVP7MwAM3rntwyyS+O2jiN2HVscKy8yLm3kbN69Qru7OPMmjkCx4il1CYjGzOYm HXLrd/erUKrK3G4Hy3eE7ZjQUaZvNvG1SLLcPvldUTiKh8K8YViGLmOr7aD5JKoH ssn/MuGs/FwSkpXKDN9WAZ/04/ACPtHPAIw9yZQz/uq43vF0a2VF14bq+KhWkcXU QadvlQsQqDN1JouGwYVD =Xe0P -----END PGP SIGNATURE-----
Description: Always use $CFLAGS and $LDFLAGS. Necessary for hardening flags and noopt support.
Author: Simon Ruderich <si...@ruderich.org.
Last-Update: 2012-03-06
Index: picolisp-3.0.9.4/src64/Makefile
===================================================================
--- picolisp-3.0.9.4.orig/src64/Makefile 2012-03-06 16:47:29.000000000 +0100
+++ picolisp-3.0.9.4/src64/Makefile 2012-03-06 16:47:29.000000000 +0100
@@ -34,7 +34,7 @@
 MKASM-LIB = -fpic
 AS = as
 LD-MAIN = -m64 -rdynamic -lc -lm -ldl $(LDFLAGS)
- LD-SHARED = -m64 -shared -export-dynamic
+ LD-SHARED = -m64 -shared -export-dynamic $(LDFLAGS)
 STRIP = :
 else
 ifeq (solaris,$(OS))
@@ -44,7 +44,7 @@
 MKASM-LIB = -fpic
 AS = as
 LD-MAIN = -m64 -lc -lm -ldl -lsocket -lnsl $(LDFLAGS)
- LD-SHARED = -m64 -shared
+ LD-SHARED = -m64 -shared $(LDFLAGS)
 STRIP = strip
 else
 ifeq (kopensolaris,$(OS))
@@ -54,7 +54,7 @@
 MKASM-LIB = -fpic
 AS = as
 LD-MAIN = -m64 -rdynamic -lc -lm $(LDFLAGS)
- LD-SHARED = -m64 -shared
+ LD-SHARED = -m64 -shared $(LDFLAGS)
 STRIP = strip
 endif
 endif
@@ -78,8 +78,8 @@
 AS = as -mppc64 -a64
 endif
 endif
- LD-MAIN = -m64 -rdynamic -lc -lm -ldl
- LD-SHARED = -m64 -shared -export-dynamic
+ LD-MAIN = -m64 -rdynamic -lc -lm -ldl $(LDFLAGS)
+ LD-SHARED = -m64 -shared -export-dynamic $(LDFLAGS)
 STRIP = strip
 else
 ifeq ($(UNAME), SunOS)
@@ -89,8 +89,8 @@
 MKASM-BASE =
 MKASM-LIB = -fpic
 AS = gas --64
- LD-MAIN = -m64 -lc -lm -ldl -lsocket -lnsl
- LD-SHARED = -m64 -shared
+ LD-MAIN = -m64 -lc -lm -ldl -lsocket -lnsl $(LDFLAGS)
+ LD-SHARED = -m64 -shared $(LDFLAGS)
 STRIP = strip
 endif
 endif
Index: picolisp-3.0.9.4/src/Makefile
===================================================================
--- picolisp-3.0.9.4.orig/src/Makefile 2012-03-06 16:47:29.000000000 +0100
+++ picolisp-3.0.9.4/src/Makefile 2012-03-10 16:45:23.228809000 +0100
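Review bot: Forwarding `$(LDFLAGS)` into LD-SHARED only passes on whatever the packager sets; nothing in this hunk addresses the executable stack that the report above observes on picolisp, ht and ext, and since this build hands its sources to `AS = as` with no C compiler visible here, the compiler-level hardening in CFLAGS (-fstack-protector, -D_FORTIFY_SOURCE) cannot reach these objects either, so hardening-check will keep reporting "Stack protected: no" for them. An executable stack on an assembled object is normally the result of a missing `.note.GNU-stack` section; if the runtime does not rely on an executable stack, forcing it off on this branch is a two-line change, `LD-MAIN = -m64 -rdynamic -lc -lm -ldl -Wl,-z,noexecstack $(LDFLAGS)` and `LD-SHARED = -m64 -shared -export-dynamic -Wl,-z,noexecstack $(LDFLAGS)`, but it needs a test run because the option only changes the PT_GNU_STACK marking and code that really executes on the stack would then fault. Either way a comment on LD-MAIN/LD-SHARED recording which hardening flags can and cannot take effect for assembled code would save the next packager a round of hardening-check. The branch these assignments belong to begins before the hunk.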
@@ -19,7 +19,7 @@
 LDFLAGS ?=
 PICOLISP-FLAGS = -rdynamic
 LIB-FLAGS = -lc -lm -ldl $(LDFLAGS)
-DYNAMIC-LIB-FLAGS = -shared -export-dynamic
+DYNAMIC-LIB-FLAGS = -shared -export-dynamic $(LDFLAGS)
 STRIP = :
 
 ifeq (amd64,$(CPU))
@@ -33,36 +33,36 @@
 ifeq ($(shell uname), Linux)
 OS = Linux
 PICOLISP-FLAGS = -m32 -rdynamic
- LIB-FLAGS = -lc -lm -ldl
- DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic
+ LIB-FLAGS = -lc -lm -ldl $(LDFLAGS)
+ DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic $(LDFLAGS)
 STRIP = strip
 else
 ifeq ($(shell uname), OpenBSD)
 OS = OpenBSD
 PICOLISP-FLAGS = -m32 -rdynamic -Wl,-E
- LIB-FLAGS = -lc -lm
- DYNAMIC-LIB-FLAGS = -Wl,-E -Wl,-shared
+ LIB-FLAGS = -lc -lm $(LDFLAGS)
+ DYNAMIC-LIB-FLAGS = -Wl,-E -Wl,-shared $(LDFLAGS)
 STRIP = strip
 else
 ifeq ($(shell uname), FreeBSD)
 OS = FreeBSD
 PICOLISP-FLAGS = -m32 -rdynamic
- LIB-FLAGS = -lc -lm
- DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic
+ LIB-FLAGS = -lc -lm $(LDFLAGS)
+ DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic $(LDFLAGS)
 STRIP = strip
 else
 ifeq ($(shell uname), NetBSD)
 OS = NetBSD
 PICOLISP-FLAGS = -m32 -rdynamic
- LIB-FLAGS = -lc -lm
- DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic
+ LIB-FLAGS = -lc -lm $(LDFLAGS)
+ DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic $(LDFLAGS)
 STRIP = strip
 else
 ifeq ($(shell uname), Darwin)
 OS = Darwin
 PICOLISP-FLAGS = -m32
- LIB-FLAGS = -lc -lm -ldl
- DYNAMIC-LIB-FLAGS = -m32 -dynamiclib -undefined dynamic_lookup
+ LIB-FLAGS = -lc -lm -ldl $(LDFLAGS)
+ DYNAMIC-LIB-FLAGS = -m32 -dynamiclib -undefined dynamic_lookup $(LDFLAGS)
 STRIP = :
 else
 ifeq ($(shell uname -o), Cygwin)
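Review bot: The Cygwin branch that opens on the hunk's last context line, `ifeq ($(shell uname -o), Cygwin)`, lies outside the hunk; if it assigns LIB-FLAGS and DYNAMIC-LIB-FLAGS the same way the five branches above do, it is the one branch left without `$(LDFLAGS)` and the hardening link flags would silently drop out of that build, so it is worth checking. Repeating `$(LDFLAGS)` in ten per-OS assignments is fragile for the same reason — every future branch has to remember it — and appending it once at the point where LIB-FLAGS and DYNAMIC-LIB-FLAGS are consumed by the link recipes (not visible here) would cover all branches at once. On the Darwin branch `$(LDFLAGS)` now follows `-undefined dynamic_lookup`, and GNU-ld-only options such as `-Wl,-z,relro` placed in LDFLAGS may not be accepted by Apple's linker; with the visible default `LDFLAGS ?=` that is the caller's responsibility, but a one-line comment on that assignment saying so would be useful. The if/else chain these assignments belong to continues past the end of the hunk.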
@@ -134,27 +134,27 @@
 $(bin)/lat1: lat1.c
- gcc -o $(bin)/lat1$(exe) lat1.c
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/lat1$(exe) lat1.c
 $(STRIP) $(bin)/lat1$(exe)
 
 $(bin)/utf2: utf2.c
- gcc -o $(bin)/utf2$(exe) utf2.c
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/utf2$(exe) utf2.c
 $(STRIP) $(bin)/utf2$(exe)
 
 $(bin)/balance: balance.c
- gcc -o $(bin)/balance$(exe) balance.c
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/balance$(exe) balance.c
 $(STRIP) $(bin)/balance$(exe)
 
 $(bin)/ssl: ssl.c
- gcc -o $(bin)/ssl$(exe) ssl.c -lssl -lcrypto
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/ssl$(exe) ssl.c -lssl -lcrypto
 $(STRIP) $(bin)/ssl$(exe)
 
 $(bin)/httpGate: httpGate.c
- gcc -o $(bin)/httpGate$(exe) httpGate.c -lssl -lcrypto
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/httpGate$(exe) httpGate.c -lssl -lcrypto
 $(STRIP) $(bin)/httpGate$(exe)
 
 $(bin)/z3dClient: z3dClient.c
- gcc -o $(bin)/z3dClient$(exe) z3dClient.c -L/usr/X11R6/lib -lXext -lX11
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/z3dClient$(exe) z3dClient.c -L/usr/X11R6/lib -lXext -lX11
 $(STRIP) $(bin)/z3dClient$(exe)