Your message dated Sat, 19 May 2012 15:27:55 +0200 with message-id <201205191528.31688.panfa...@gmail.com> and subject line Closing some hardening flags bugs has caused the Debian Bug report #667925, regarding bluedevil: CPPFLAGS hardening flags missing to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 667925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667925 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: bluedevil Version: 1.2.2-1 Severity: important Tags: patch Dear Maintainer, The CPPFLAGS hardening flags are missing because CMake ignores them by default. The following patch fixes the issue by adding them to CFLAGS/CXXFLAGS. For more hardening information please have a look at [1], [2] and [3]. diff -Nru bluedevil-1.2.2/debian/rules bluedevil-1.2.2/debian/rules --- bluedevil-1.2.2/debian/rules 2012-03-30 20:36:51.000000000 +0200 +++ bluedevil-1.2.2/debian/rules 2012-04-07 16:49:43.000000000 +0200 @@ -2,5 +2,10 @@ export DEB_LDFLAGS_MAINT_APPEND := -Wl,--as-needed +# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the +# missing (hardening) flags. +export DEB_CFLAGS_MAINT_APPEND := $(shell dpkg-buildflags --get CPPFLAGS) +export DEB_CXXFLAGS_MAINT_APPEND := $(shell dpkg-buildflags --get CPPFLAGS) + %: dh $@ --parallel --with kde To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything): $ hardening-check /usr/lib/kde4/bluetoothfiletiemaction.so /usr/lib/kde4/kio_obexftp.so /usr/lib/kde4/kio_bluetooth.so ... /usr/lib/kde4/bluetoothfiletiemaction.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: no, not found! Fortify Source functions: no, only unprotected functions found! Read-only relocations: yes Immediate binding: no not found! /usr/lib/kde4/kio_obexftp.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: no, not found! Fortify Source functions: yes Read-only relocations: yes Immediate binding: no not found! /usr/lib/kde4/kio_bluetooth.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: no, not found! Fortify Source functions: yes Read-only relocations: yes Immediate binding: no not found! ... (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---I'm closing these bugs because the involved packages are using the dh sequencer addon for kde. While cmake still doesn't respect CPPFLAGS, a workaround was added to the mentioned addon, so if you build any of the packages involved it will include the hardening flags. At least one of the involved packages (amarok) was built before the workaround mentioned above was done. Therefore if you think it's really important to get any of them built with the hardening flags feel free to request a binNMU.signature.asc
Description: This is a digitally signed message part.
--- End Message ---
_______________________________________________ pkg-kde-extras mailing list pkg-kde-extras@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras