Bug#653853: Please enable hardened build flags
On Fri, 2 Mar 2012, Moritz Muehlenhoff wrote:

> The output of hardening-check is correct for the default flags for
> Wheezy. Please see the section "Testing your packages after conversion"
> on the Hardening walkthrough page:
> http://wiki.debian.org/HardeningWalkthrough
>
> You can add PIE and bind by selecting all hardening flags as outlined
> in the walkthrough. For diffutils the performance should be identical.

Ok, I'm going to use hardening=+all then. Thanks a lot.

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#653853: Please enable hardened build flags
On Fri, Mar 02, 2012 at 11:50:35AM +0100, Santiago Vila wrote:
> On Sat, 31 Dec 2011, Moritz Muehlenhoff wrote:
>
> > Package: diffutils
> > Version: 1:3.2-1
> > Severity: important
> > Tags: patch
> >
> > Please enable hardened build flags through dpkg-buildflags.
> >
> > Patch attached. (dpkg-buildflags abides "noopt" from DEB_BUILD_OPTIONS)
>
> Applied the patch and this is what hardening-check now tells me:
>
> /usr/bin/diff:
>  Position Independent Executable: no, normal executable!
>  Stack protected: yes
>  Fortify Source functions: yes (some protected functions found)
>  Read-only relocations: yes
>  Immediate binding: no not found!
>
> The wiki page, namely:
>
> http://wiki.debian.org/Hardening#Validation
>
> has a paragraph explaining "Stack protected" and another one explaining
> "Fortify Source functions", but does not say anything about "Position
> Independent Executable" or "Immediate binding".
>
> So: Am I doing anything wrong, or maybe the web page should also tell
> something about cases where Position Independent Executable is "no"
> but it's also ok? (resp. Immediate binding).

The output of hardening-check is correct for the default flags for
Wheezy. Please see the section "Testing your packages after conversion"
on the Hardening walkthrough page:
http://wiki.debian.org/HardeningWalkthrough

You can add PIE and bind by selecting all hardening flags as outlined
in the walkthrough. For diffutils the performance should be identical.

Cheers,
Moritz
Bug#653853: Please enable hardened build flags
On Sat, 31 Dec 2011, Moritz Muehlenhoff wrote:

> Package: diffutils
> Version: 1:3.2-1
> Severity: important
> Tags: patch
>
> Please enable hardened build flags through dpkg-buildflags.
>
> Patch attached. (dpkg-buildflags abides "noopt" from DEB_BUILD_OPTIONS)

Applied the patch and this is what hardening-check now tells me:

/usr/bin/diff:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!

The wiki page, namely:

http://wiki.debian.org/Hardening#Validation

has a paragraph explaining "Stack protected" and another one explaining
"Fortify Source functions", but does not say anything about "Position
Independent Executable" or "Immediate binding".

So: Am I doing anything wrong, or maybe the web page should also tell
something about cases where Position Independent Executable is "no"
but it's also ok? (resp. Immediate binding).

Thanks.
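The two hardening-check lines Santiago asks about, "Position Independent Executable" and "Immediate binding" (together with "Read-only relocations"), are decided entirely by ELF headers: the file type (ET_DYN versus ET_EXEC), the presence of a PT_GNU_RELRO segment, and DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW in the dynamic section. The following is an added example, not code from this thread, from diffutils or from the hardening-check tool, that reads those three properties straight out of a little-endian ELF64 image. `build_elf` is a hypothetical helper that fabricates a minimal, header-only image (constructed test data, not a loadable binary) so the checker can be exercised offline; the "Stack protected" and "Fortify Source" checks need the symbol table and are deliberately left out.

```python
import struct
import sys

# ELF constants, as in <elf.h>
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR_FMT = "<HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # ELF64 program header (56 bytes)
DYN_FMT = "<QQ"               # ELF64 dynamic entry: d_tag, d_val


def check_hardening(elf: bytes) -> dict:
    """Return the header-derived hardening properties of an ELF64 LE image.

    pie:      e_type is ET_DYN and a dynamic segment exists, i.e. the code is
              position independent (a shared library is ET_DYN too; a real
              tool also looks for PT_INTERP to tell an executable apart).
    relro:    a PT_GNU_RELRO segment is present (hardening-check's
              "Read-only relocations").
    bind_now: the dynamic section asks the loader to resolve every symbol at
              startup (hardening-check's "Immediate binding"); together with
              relro this is full RELRO, so the GOT can be made read-only.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR_FMT, elf, 16)

    relro = False
    dynamic = None
    for i in range(e_phnum):
        p_type, _pflags, p_offset, _va, _pa, p_filesz, *_ = struct.unpack_from(
            PHDR_FMT, elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    bind_now = False
    if dynamic is not None:
        off, size = dynamic
        for pos in range(off, off + size, struct.calcsize(DYN_FMT)):
            tag, val = struct.unpack_from(DYN_FMT, elf, pos)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True

    return {
        "pie": e_type == ET_DYN and dynamic is not None,
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,
    }


def build_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Fabricate a header-only ELF64 image with the requested properties.

    Hypothetical helper for exercising check_hardening offline: the result is
    constructed test data containing no code and cannot be executed.
    """
    dyn = [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if bind_now else []
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(DYN_FMT, tag, val) for tag, val in dyn)

    n_ph = 2 if relro else 1
    dyn_off = 64 + 56 * n_ph                      # dynamic data follows the phdrs
    phdrs = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                        len(dyn_bytes), len(dyn_bytes), 8)
    if relro:
        phdrs += struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off,
                             len(dyn_bytes), len(dyn_bytes), 1)

    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = e_ident + struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1, 0,
                                 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return ehdr + phdrs + dyn_bytes


def report(path: str) -> dict:
    """Run the check on a real file, e.g. report('/usr/bin/diff')."""
    with open(path, "rb") as fh:
        return check_hardening(fh.read())


if __name__ == "__main__":
    for name in sys.argv[1:]:
        for key, ok in report(name).items():
            print(f"{name}: {key}: {'yes' if ok else 'no'}")
```

`build_elf(False, True, False)` reproduces the combination in Santiago's output: RELRO present but neither PIE nor immediate binding, which is exactly what the default Wheezy flag set gives, while `hardening=+all` adds `-fPIE -pie` and `-Wl,-z,now` and flips the first and third result to yes.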
Bug#653853: Please enable hardened build flags
Package: diffutils Version: 1:3.2-1 Severity: important Tags: patch Please enabled hardened build flags through dpkg-buildflags. Patch attached. (dpkg-buildflags abides "noopt" from DEB_BUILD_OPTIONS) Cheers, Moritz diff -aur diffutils-3.2.orig/debian/rules diffutils-3.2/debian/rules --- diffutils-3.2.orig/debian/rules 2011-08-04 20:27:24.0 +0200 +++ diffutils-3.2/debian/rules 2011-12-31 15:46:20.0 +0100 @@ -3,12 +3,13 @@ package = diffutils docdir = debian/tmp/usr/share/doc/$(package) -CFLAGS = -g -Wall +CFLAGS = `dpkg-buildflags --get CFLAGS` +CFLAGS += -Wall +LDFLAGS = `dpkg-buildflags --get LDFLAGS` +CPPFLAGS = `dpkg-buildflags --get CPPFLAGS` + STRIP = true -ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O2 -endif ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) STRIP = strip --remove-section=.comment --remove-section=.note endif @@ -23,7 +24,7 @@ endif build: - ./configure $(confflags) --prefix=/usr + ./configure CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" $(confflags) --prefix=/usr $(MAKE) CFLAGS="$(CFLAGS)" touch build Nur in diffutils-3.2/debian: rules~.
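Review bot: in the first hunk (@@ -3,12 +3,13 @@) the new `CFLAGS = `dpkg-buildflags --get CFLAGS`` style assignments are recursively expanded make variables that contain shell backticks, so dpkg-buildflags is re-run by the shell every time a recipe line expands $(CFLAGS), $(CPPFLAGS) or $(LDFLAGS), and the values are unusable in make-level contexts such as ifeq. Prefer `CFLAGS := $(shell dpkg-buildflags --get CFLAGS) -Wall` (and likewise for CPPFLAGS and LDFLAGS), or include dpkg-dev's buildflags.mk where the dpkg-dev in the target release provides it. As the rest of the thread shows, this hunk only yields the default hardening set (no PIE, no immediate binding); to get the PIE and bindnow flags the report is after, add `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` above these assignments. Dropping the explicit `-g` and the noopt block is fine, since dpkg-buildflags' default CFLAGS is `-g -O2` and, as the report notes, it honours noopt itself.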
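Review bot: in the second hunk (@@ -23,7 +24,7 @@) `$(MAKE) CFLAGS="$(CFLAGS)"` still passes CFLAGS on the make command line, which is now redundant (configure records CFLAGS, CPPFLAGS and LDFLAGS in the generated Makefiles) and, as a command-line override, silently discards any CFLAGS additions made by upstream's Makefiles; drop the override, or pass all three variables the same way so the compile and link steps cannot diverge from what configure tested. Also confirm in the build log that -D_FORTIFY_SOURCE=2 and -fstack-protector appear on the compile lines and -Wl,-z,relro on the link line, since CPPFLAGS and LDFLAGS now reach the build only through configure.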