Package: crtmpserver Version: 1.0~dfsg-1 Severity: important Tags: patch Dear Maintainer,
The CPPFLAGS hardening flags are missing because CMake ignores them by default. The following patch fixes the issue by adding them to CFLAGS/CXXFLAGS. For more hardening information please have a look at [1], [2] and [3]. The -O2 removal is not necessary as gcc uses the last flag, which is -O3 as set by CMake. compat=9 automatically exports the flags so it's not necessary to pass them configure manually.
diff -Nru crtmpserver-1.0~dfsg/debian/rules crtmpserver-1.0~dfsg/debian/rules
--- crtmpserver-1.0~dfsg/debian/rules 2012-03-22 01:52:51.000000000 +0100
+++ crtmpserver-1.0~dfsg/debian/rules 2012-03-23 02:53:16.000000000 +0100
@@ -2,16 +2,17 @@
 #export DH_VERBOSE=1
-CFLAGS = $(shell dpkg-buildflags --get CFLAGS 2>/dev/null | sed -e 's/-O2//g')
-CXXFLAGS = $(shell dpkg-buildflags --get CXXFLAGS 2>/dev/null | sed -e 's/-O2//g')
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
 DEB_BUILDDIR = obj-$(DEB_BUILD_GNU_TYPE)
 DEB_PACKAGE_VERSION := $(shell dpkg-parsechangelog | awk '/^Version/ {print $$2}')
 DEB_UPSTREAM_VERSION := $(shell echo $(DEB_PACKAGE_VERSION) | cut -d '-' -f 1 | sed s,~,_, )
 DEB_CONFIGURE_FLAGS = \
 -DCMAKE_BUILD_TYPE=Release \
 -DCMAKE_VERBOSE_MAKEFILE=ON \
- -DCMAKE_C_FLAGS="$(CFLAGS)" \
- -DCMAKE_CXX_FLAGS="$(CXXFLAGS)" \
 -DCRTMPSERVER_INSTALL_PREFIX=/usr \
 -DTEMP_FRAMEWORK_VER="$(DEB_UPSTREAM_VERSION)" \
 -DCRTMPSERVER_SOURCES_ROOT=$(CURDIR) \
To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything): $ hardening-check /usr/sbin/crtmpserver /usr/lib/crtmpserver/libthelib.so /usr/lib/crtmpserver/libcommon.so ... /usr/sbin/crtmpserver: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: unknown, no protectable libc functions used Read-only relocations: yes Immediate binding: no not found! /usr/lib/crtmpserver/libthelib.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: no, only unprotected functions found! Read-only relocations: yes Immediate binding: no not found! /usr/lib/crtmpserver/libcommon.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! ...
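Review bot: The two new `export DEB_CFLAGS_MAINT_APPEND` / `DEB_CXXFLAGS_MAINT_APPEND` lines use recursive `=`, so `dpkg-buildflags --get CPPFLAGS` is re-run every time make expands them, whereas the hunk's own `DEB_PACKAGE_VERSION :=` line already shows the evaluate-once form; `export DEB_CFLAGS_MAINT_APPEND := $(shell dpkg-buildflags --get CPPFLAGS)` (and the CXXFLAGS twin) fixes the value for the whole build. With the explicit `-DCMAKE_C_FLAGS`/`-DCMAKE_CXX_FLAGS` arguments removed, the hardening flags presumably reach CMake only through the CFLAGS/CXXFLAGS environment that the build helper exports, which CMake consults only when its cache is first created, so the new comment should say so, e.g. `# Picked up from the environment at first configure; remove $(DEB_BUILDDIR) to re-apply.` The quoted hardening-check output confirms that PIE and immediate binding stay off; if the maintainer wants them for this network-facing daemon, `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` beside the new exports is the dpkg-buildflags mechanism for that, though PIE would need checking against how the project's CMake files handle -fPIC for the shared libraries. The `DEB_CONFIGURE_FLAGS` definition continues past the end of the hunk.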
(Position Independent Executable and Immediate binding are not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9