Your message dated Wed, 12 Sep 2012 23:18:02 +0000 with message-id <e1tbwc2-00044w...@franck.debian.org> and subject line Bug#669189: fixed in kvirc 4:4.1.3+20111124.svn5988-2 has caused the Debian Bug report #669189, regarding kvirc: Hardening flags missing to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
669189: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669189
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: kvirc Version: 4:4.1.3+20111124.svn5988-1 Severity: normal Tags: patch Dear Maintainer, The LDFLAGS hardening flags are missing because they are overwritten in debian/rules. The other hardening flags are missing because they are overwritten by the build system. DEB_*_MAINT_APPEND is the preferred way to set additional flags (see man dpkg-buildflags for more information). For more hardening information please have a look at [1], [2] and [3]. The attached patch fixes the overwrite by the build system. The following patch fixes the LDFLAGS issue: diff -Nru kvirc-4.1.3+20111124.svn5988/debian/rules kvirc-4.1.3+20111124.svn5988/debian/rules --- kvirc-4.1.3+20111124.svn5988/debian/rules 2011-09-29 16:26:40.000000000 +0200 +++ kvirc-4.1.3+20111124.svn5988/debian/rules 2012-04-18 02:28:16.000000000 +0200 @@ -2,6 +2,8 @@ # DH_ALWAYS_EXCLUDE:=CVS:.svn:.svnignore:.hg:.hgignore +export DEB_LDFLAGS_MAINT_APPEND = -Wl,--no-undefined -Wl,--as-needed + DEBVERSION = $(shell head -n 1 debian/changelog | sed -e 's/^[^(]*(\([^)]*\)).*/\1/') UPVERSION = $(shell echo $(DEBVERSION) | sed -r -e 's/^.*://' -e 's/-[0-9.]*(\+b[0-9])?$$//' -e 's/.dfsg[0-9]*$$//') REV = $(shell echo $(UPVERSION) | sed -e 's/^.*svn//' -e 's/\+rc[0-9]$$//') 
@@ -21,9 +23,6 @@ dh_auto_configure --parallel -Skde -- -DWANT_COEXISTENCE=OFF \ -DWANT_ESD=OFF -DWANT_OSS=OFF \ -DWANT_STRIP=OFF \ - -DCMAKE_SHARED_LINKER_FLAGS="-Wl,--no-undefined -Wl,--as-needed" \ - -DCMAKE_MODULE_LINKER_FLAGS="-Wl,--no-undefined -Wl,--as-needed" \ - -DCMAKE_EXE_LINKER_FLAGS="-Wl,--no-undefined -Wl,--as-needed" \ -DMANUAL_REVISION=$(REV) \ -DLIB_SUFFIX="/$(DEB_HOST_MULTIARCH)" To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything): $ hardening-check /usr/bin/kvirc /usr/lib/x86_64-linux-gnu/kvirc/4.1/modules/libkviwindow.so /usr/lib/x86_64-linux-gnu/kvirc/4.1/modules/libkviuserlist.so ... /usr/bin/kvirc: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: no, only unprotected functions found! Read-only relocations: yes Immediate binding: no not found! /usr/lib/x86_64-linux-gnu/kvirc/4.1/modules/libkviwindow.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: no, not found! Fortify Source functions: no, only unprotected functions found! Read-only relocations: yes Immediate binding: no not found! /usr/lib/x86_64-linux-gnu/kvirc/4.1/modules/libkviuserlist.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: no, not found! Fortify Source functions: unknown, no protectable libc functions used Read-only relocations: yes Immediate binding: no not found! ... (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. 
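Review bot: the export line added in the first debian/rules hunk (@@ -2,6 +2,8 @@) carries no comment saying why the linker options now live in DEB_LDFLAGS_MAINT_APPEND. A one-line comment above it, noting that setting the CMAKE_*_LINKER_FLAGS variables on the cmake command line replaces the LDFLAGS supplied by dpkg-buildflags, would keep a later change from reintroducing the overrides. The visible context also does not show how the dpkg-buildflags output reaches dh_auto_configure, so confirm that the debhelper compat level or an include of buildflags.mk provides it.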
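Review bot: in the second debian/rules hunk (@@ -21,9 +23,6 @@), once the three -DCMAKE_*_LINKER_FLAGS settings are gone, --no-undefined and --as-needed reach the shared, module and executable links only through LDFLAGS in the environment, and nothing in the hunk verifies that. Check the build log of the patched package for both options, together with the hardening linker flags, on one link line of each of the three kinds before dropping the explicit settings.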
Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening [4]: http://ruderich.org/simon/blhc/ -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-04-17 --- kvirc-4.1.3+20111124.svn5988.orig/CMakeLists.txt +++ kvirc-4.1.3+20111124.svn5988/CMakeLists.txt @@ -220,8 +220,8 @@ ELSE() ENDIF() IF(CMAKE_COMPILER_IS_GNUCXX) #force gdb options - SET(CMAKE_CXX_FLAGS "-O3 -fomit-frame-pointer -DNDEBUG --no-enforce-eh-specs -pipe --exec-charset=UTF-8 --input-charset=UTF-8 --no-implement-inlines --unit-at-a-time --fast-math") - SET(CMAKE_C_FLAGS "-O3 -fomit-frame-pointer -DNDEBUG --no-enforce-eh-specs -pipe --exec-charset=UTF-8 --input-charset=UTF-8 --no-implement-inlines --unit-at-a-time --fast-math") + SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -O3 -fomit-frame-pointer -DNDEBUG --no-enforce-eh-specs -pipe --exec-charset=UTF-8 --input-charset=UTF-8 --no-implement-inlines --unit-at-a-time --fast-math") + SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O3 -fomit-frame-pointer -DNDEBUG --no-enforce-eh-specs -pipe --exec-charset=UTF-8 --input-charset=UTF-8 --no-implement-inlines --unit-at-a-time --fast-math") INCLUDE(CheckCXXCompilerFlag) CHECK_CXX_COMPILER_FLAG("-fvisibility-inlines-hidden" CXX_HAS_VIH_FLAG) #gcc doesn't support visibility on PE/win32signature.asc
Description: Digital signature
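Review bot: in the CMakeLists.txt hunk (@@ -220,8 +220,8 @@), the hard-coded options still come after ${CMAKE_CXX_FLAGS} and ${CMAKE_C_FLAGS} on both SET lines, so -O3, -fomit-frame-pointer and --fast-math take precedence over any optimisation level passed in from the environment. The comment "#force gdb options" above them also no longer matches flags that are appended rather than forced. Update the comment, and state in the patch description that the project's optimisation settings intentionally win over the environment's.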
--- End Message ---
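The build-log side of the check recommended in the report above (the job blhc automates), as an added example that is not part of the original message and is not blhc's code: it scans compiler command lines for hardening flags that a build system has overwritten. The flag list assumes the dpkg-buildflags defaults of that period, the function names are hypothetical, and the log lines are constructed.

```python
import shlex

# Assumption: the default flag set dpkg-buildflags emitted around 2012.
WANT_COMPILE = ["-fstack-protector", "-Wformat", "-Werror=format-security",
                "-D_FORTIFY_SOURCE=2"]
COMPILERS = {"cc", "c++", "gcc", "g++"}
SOURCES = (".c", ".cc", ".cpp", ".cxx")

def has_relro(argv):
    """True if the linker is asked for -z relro, in any -Wl spelling."""
    opts = [o for a in argv if a.startswith("-Wl,") for o in a[4:].split(",")]
    return "-zrelro" in opts or any(
        x == "-z" and y == "relro" for x, y in zip(opts, opts[1:]))

def missing_flags(line):
    """Hardening flags absent from one command; None if not a compiler call."""
    try:
        argv = shlex.split(line)
    except ValueError:          # unbalanced quotes: not a command we can judge
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in COMPILERS:
        return None
    missing = []
    if any(a.endswith(SOURCES) for a in argv):        # compiles a source file
        missing += [f for f in WANT_COMPILE if f not in argv]
    if not {"-c", "-E", "-S"} & set(argv) and not has_relro(argv):  # links
        missing.append("-Wl,-z,relro")
    return missing

def scan(log):
    """Map line number -> missing flags for every deficient compiler line."""
    found = ((n, missing_flags(l)) for n, l in enumerate(log.splitlines(), 1))
    return {n: miss for n, miss in found if miss}

# Constructed sample log: flags overwritten by the build system (lines 1, 3),
# flags inherited from the environment (2, 4), and a non-compiler line (5).
SAMPLE_LOG = """\
/usr/bin/c++ -O3 -fomit-frame-pointer -DNDEBUG -pipe -fPIC -o a.o -c src/a.cpp
/usr/bin/c++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -O3 -fPIC -o b.o -c src/b.cpp
/usr/bin/c++ -fPIC -Wl,--no-undefined -Wl,--as-needed -shared -o liba.so a.o
/usr/bin/c++ -fPIC -Wl,-z,relro -Wl,--no-undefined -Wl,--as-needed -shared -o libb.so b.o
cd /build/obj && /usr/bin/cmake -E cmake_progress_report /build/obj 12
"""

if __name__ == "__main__":
    for n, miss in scan(SAMPLE_LOG).items():
        print(f"line {n}: missing {' '.join(miss)}")
```

Commands wrapped in `cd ... &&` or a compiler cache prefix are skipped by this sketch, so a clean result here does not replace running blhc and hardening-check on the real build.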
--- Begin Message ---
Source: kvirc
Source-Version: 4:4.1.3+20111124.svn5988-2

We believe that the bug you reported is fixed in the latest version of kvirc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 669...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raúl Sánchez Siles <rasas...@gmail.com> (supplier of updated kvirc package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 19 Jul 2012 21:56:08 +0200
Source: kvirc
Binary: kvirc libkvilib4 kvirc-modules kvirc-data kvirc-dbg
Architecture: source amd64 all
Version: 4:4.1.3+20111124.svn5988-2
Distribution: unstable
Urgency: low
Maintainer: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Changed-By: Raúl Sánchez Siles <rasas...@gmail.com>
Description:
 kvirc - KDE-based next generation IRC client with module support
 kvirc-data - Data files for KVIrc
 kvirc-dbg - KVIrc (IRC client) debugging symbols
 kvirc-modules - KVIrc (IRC client) modules
 libkvilib4 - KVIrc (IRC client) base library
Closes: 658058 669189
Changes:
 kvirc (4:4.1.3+20111124.svn5988-2) unstable; urgency=low
 .
   * Updated debhelper build-depends to better cope with multiarch.
   * Fix "must not be "Multi-Arch: same"" kvirc is Multi-Arch: foreign
     (Closes: #658058)
   * Actually provide valid -dbg package. Added 30_upstream_build-g
   * Fix "Hardening flags missing". Applying suggested changes.
     (Closes: #669189) Thanks to Simon Ruderich.
--- End Message ---
_______________________________________________ pkg-kde-extras mailing list pkg-kde-extras@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras