Bug#654807: Please enabled hardened build flags

2012-04-24 Thread Axel Beckert
Hi Simon,

Simon Ruderich wrote:
> Dear Maintainer,
> 
> The hardening flags are missing for links2 because the build
> system doesn't respect them.

Thanks for checking. IIRC I applied just Moritz' suggested patch.

> The following patch fixes the issue; $(shell ...) is necessary as
> make doesn't expand `..`, which causes a build failure.

Now that you mention it...

> (Position Independent Executable and Immediate binding are not
> enabled by default.)
> 
> Use find -type f \( -executable -o -name \*.so\* \) -exec
> hardening-check {} + on the build result to check all files.

Thanks for these two tips!

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#654807: Please enabled hardened build flags

2012-04-24 Thread Simon Ruderich
reopen 654807
thanks

Dear Maintainer,

The hardening flags are missing for links2 because the build
system doesn't respect them. For more hardening information
please have a look at [1], [2] and [3].

The following patch fixes the issue; $(shell ...) is necessary as
make doesn't expand `..`, which causes a build failure.

diff -Nru links2-2.6/debian/rules links2-2.6/debian/rules
--- links2-2.6/debian/rules 2012-01-05 22:54:41.0 +0100
+++ links2-2.6/debian/rules 2012-04-24 12:14:45.0 +0200
@@ -7,15 +7,18 @@
 DEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 
-CFLAGS = `dpkg-buildflags --get CFLAGS`
+CFLAGS = $(shell dpkg-buildflags --get CFLAGS)
 CFLAGS += -Wall
-LDFLAGS = `dpkg-buildflags --get LDFLAGS`
-CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`
+LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
+CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)
+# The build system reruns ./configure which removes the hardening flags if
+# they are only passed to ./configure.
+export CFLAGS CPPFLAGS LDFLAGS
 
 config.status: configure
dh_testdir
dh_autotools-dev_updateconfig
-   CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" 
./configure --host=$(DEB_HOST_GNU_TYPE) \
+   ./configure --host=$(DEB_HOST_GNU_TYPE) \
 --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr \
 --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
 --enable-graphics --with-x --with-fb
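Review bot: the new comment above `export CFLAGS CPPFLAGS LDFLAGS` should also say why the assignment form had to change, because the two edits only work together: once the variables are exported, a value of `` `dpkg-buildflags --get CFLAGS` `` is handed to child processes as literal text (make never runs backticks), which is the build failure the report mentions, whereas `$(shell dpkg-buildflags --get CFLAGS)` is resolved by make at parse time. Suggest extending the comment to something like `# Exported so the configure rerun sees them; $(shell ...) rather than backticks because exported values are not shell-evaluated.` Note also that `$(shell ...)` now runs on every invocation of debian/rules, including clean, which is harmless but means DEB_BUILD_OPTIONS must already be in the environment when make starts.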
@@ -57,7 +60,7 @@
cp debian/links2.desktop debian/links2/usr/share/applications/
 
 #  build the textmode only version
-   CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" 
./configure --host=$(DEB_HOST_GNU_TYPE) \
+   ./configure --host=$(DEB_HOST_GNU_TYPE) \
--build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr \
--mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
--without-svgalib --without-x --without-fb --without-directfb 
--without-libjpeg --without-libtiff
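Review bot: with the `CFLAGS=... CPPFLAGS=... LDFLAGS=...` prefix gone from this second `./configure`, the textmode build depends entirely on the `export` added in the first hunk; that is the right fix, but it means both binaries have to be verified, not only the graphics one, which the `hardening-check /usr/bin/links /usr/bin/links2` output below does. Since the report itself notes that hardening-check does not catch everything, the build log should be checked with blhc as well so that a flag dropped only on this configure rerun is visible.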

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

$ hardening-check /usr/bin/links /usr/bin/links2
/usr/bin/links:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/links2:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
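
As an added example that is not part of the bug report or of the links2 packaging: a small POSIX sh build-log check in the spirit of the blhc tool mentioned above, which reports the compiler lines that were built without the hardening flags. It assumes the flags dpkg-buildflags emitted by default on Debian at the time (-fstack-protector, -D_FORTIFY_SOURCE=2 with an -O level, -Wl,-z,relro), and the sample log is constructed, not taken from a real links2 build.

```shell
#!/bin/sh
# Added example, not code from the bug report: a minimal build-log checker in
# the spirit of blhc. It flags compiler lines lacking the flags dpkg-buildflags
# enabled by default on Debian at the time: -fstack-protector and
# -D_FORTIFY_SOURCE=2 (plus an -O level, which FORTIFY needs) on compile lines,
# -Wl,-z,relro on link lines. PIE and bindnow are not default, so not checked.

# check_line LINE: print the flags missing from one compiler line; return 1 if any.
check_line() {
    l="$1"
    missing=""
    case "$l" in
        *" -c "*)   # compile step
            case "$l" in *-fstack-protector*) ;; *) missing="$missing -fstack-protector" ;; esac
            case "$l" in *-D_FORTIFY_SOURCE=2*) ;; *) missing="$missing -D_FORTIFY_SOURCE=2" ;; esac
            case "$l" in *" -O"[1-9s]*) ;; *) missing="$missing -O<level>" ;; esac
            ;;
        *)          # link step
            case "$l" in *-Wl,-z,relro*) ;; *) missing="$missing -Wl,-z,relro" ;; esac
            ;;
    esac
    [ -z "$missing" ] && return 0
    printf 'MISSING%s: %s\n' "$missing" "$l"
    return 1
}

# check_log LOGFILE: exit status is the number of offending lines (0 = clean).
check_log() {
    bad=0
    while IFS= read -r entry; do
        case "$entry" in
            "gcc "*|"cc "*|*"-gcc "*) check_line "$entry" || bad=$((bad + 1)) ;;
        esac
    done < "$1"
    return "$bad"
}

# Constructed sample log: a compile and a link line without the exported
# flags, then one of each with them (configure output is skipped as noise).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
./configure --host=x86_64-linux-gnu --prefix=/usr
gcc -DHAVE_CONFIG_H -I. -g -O2 -Wall -c links.c -o links.o
gcc -DHAVE_CONFIG_H -I. -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector -Wformat -Werror=format-security -Wall -c html.c -o html.o
gcc -g -O2 -Wall -o links links.o html.o -lz
gcc -g -O2 -Wall -Wl,-z,relro -o links2 links.o html.o -lz -lX11
EOF
check_log "$SAMPLE_LOG" && status=0 || status=$?
echo "$status compiler line(s) lack a default hardening flag"
```

On a real build log the only change needed is to replace the constructed SAMPLE_LOG with the path to the log.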




Bug#654807: Please enabled hardened build flags

2012-01-05 Thread Axel Beckert
tag 654807 + pending
kthxbye

Hi Moritz,

Moritz Muehlenhoff wrote:
> Package: links2
> Version: 2.5-1
> Severity: important
> Tags: patch
> 
> Please enable hardened build flags through dpkg-buildflags.

Committed and pushed. Will be part of the next upload.

> Patch attached. (dpkg-buildflags abides "noopt" from DEB_BUILD_OPTIONS)

Thanks for the ready-to-use patch!

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5






Bug#654807: Please enabled hardened build flags

2012-01-05 Thread Moritz Muehlenhoff
Package: links2
Version: 2.5-1
Severity: important
Tags: patch

Please enable hardened build flags through dpkg-buildflags.

Patch attached. (dpkg-buildflags abides "noopt" from DEB_BUILD_OPTIONS)

Cheers,
Moritz
--- links2-2.5.orig/debian/rules	2011-12-06 22:05:21.0 +0100
+++ links2-2.5/debian/rules	2012-01-05 22:35:21.0 +0100
@@ -7,18 +7,15 @@
 DEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 
-CFLAGS = -Wall -g
-
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
+CFLAGS = `dpkg-buildflags --get CFLAGS`
+CFLAGS += -Wall
+LDFLAGS = `dpkg-buildflags --get LDFLAGS`
+CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`
 
 config.status: configure
 	dh_testdir
 	dh_autotools-dev_updateconfig
-	CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) \
+	CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) \
 --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr \
 --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
 --enable-graphics --with-x --with-fb
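Review bot: `CFLAGS = `dpkg-buildflags --get CFLAGS`` only works here because `$(CFLAGS)` is expanded inside a double-quoted shell string in the recipe, where the shell evaluates the backticks; make itself never does, so the variable cannot be exported or used outside a recipe without passing the literal command text on. Suggest `CFLAGS = $(shell dpkg-buildflags --get CFLAGS)` (and likewise for LDFLAGS and CPPFLAGS) so that make resolves the value once at parse time. Dropping the hand-rolled `noopt` block is fine given that dpkg-buildflags honours DEB_BUILD_OPTIONS, as the report says, and the removed `-g` comes back through dpkg-buildflags' default CFLAGS.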
@@ -60,7 +57,7 @@
 	cp debian/links2.desktop debian/links2/usr/share/applications/
 
 #	build the textmode only version
-	CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) \
+	CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) \
 	--build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr \
 	--mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
 	--without-svgalib --without-x --without-fb --without-directfb --without-libjpeg --without-libtiff
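Review bot: passing the flags only as a prefix on the `./configure` command line means they are lost if anything reruns configure without that prefix, and the prefix is now duplicated between this textmode configure and the graphics one above; exporting CFLAGS CPPFLAGS LDFLAGS once at the top of debian/rules would cover both invocations and any rerun. After the build, confirm the link step actually received LDFLAGS by running hardening-check on both resulting binaries (Read-only relocations should report yes), as the later output in this thread shows.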