Bug#667939: last-align: Hardening flags missing
Hi Charles and all,

thanks again: Debian is teaching me how to do these things better. I used part of your patch in LASTv199. (I didn't include the += changes, because I think the purpose of those flag variables is to let you override them if you want to. You might consider including -O3 in your override.)

By the way, in your rules file, I think clean is no longer needed (now in the upstream makefile), nor is --directory src (there is now a top-level makefile). Please let me know if I misunderstood something.

Have a nice day,
Martin
http://www.cbrc.jp/~martin/

On Mon, Apr 30, 2012 at 11:16 AM, Charles Plessy ple...@debian.org wrote:

Hi Martin,

please consider the patch below for the makefile of LAST. It allows setting the compiler, preprocessor and linker separately, which is the way Debian follows when passing 'hardening' flags (see below).

Cheers,
-- Charles

On Sat, Apr 07, 2012 at 06:47:11PM +0200, Simon Ruderich wrote:

Package: last-align
Version: 198-1
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing because the build system ignores them. The attached patch fixes the issue; if possible it should be sent to upstream.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/lastdb /usr/bin/lastal
    /usr/bin/lastdb:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/lastal:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not enabled by default.)
Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags. Author: Simon Ruderich si...@ruderich.org Last-Update: 2012-04-07 --- last-align-198.orig/makefile +++ last-align-198/makefile @@ -1,4 +1,4 @@ -CXXFLAGS = -O3 +CXXFLAGS += -O3 all: @cd src $(MAKE) CXXFLAGS=$(CXXFLAGS) --- last-align-198.orig/src/makefile +++ last-align-198/src/makefile @@ -1,12 +1,12 @@ CXX = g++ CC = gcc -CXXFLAGS = -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef \ +CXXFLAGS += -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef\ -Wcast-align -Wno-long-long -ansi -pedantic # -Wconversion # -fomit-frame-pointer ? -CFLAGS = -Wall +CFLAGS += -Wall DBSRC = Alphabet.cc MultiSequence.cc CyclicSubsetSeed.cc \ SubsetSuffixArray.cc LastdbArguments.cc io.cc fileMap.cc \ @@ -50,16 +50,16 @@ OBJ = lambda_calculator.o all: lastdb lastal lastex lastdb: $(DBSRC) $(DBINC) makefile - $(CXX) $(CXXFLAGS) -o $@ $(DBSRC) + $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(DBSRC) lastal: $(ALSRC) $(ALINC) makefile $(OBJ) - $(CXX) $(CXXFLAGS) -o $@ $(ALSRC) $(OBJ) + $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(ALSRC) $(OBJ) lastex: $(EXSRC) $(EXINC) makefile - $(CXX) -Igumbel_params $(CXXFLAGS) -o $@ $(EXSRC) + $(CXX) -Igumbel_params $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(EXSRC) $(OBJ): CA_code/*.c CA_code/*.h makefile - $(CC) $(CFLAGS) -c CA_code/lambda_calculator.c + $(CC) $(CPPFLAGS) $(CFLAGS) -c CA_code/lambda_calculator.c clean: rm -f lastdb lastal lastex $(OBJ)
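Review bot: In the top-level makefile hunk, `CXXFLAGS += -O3` puts -O3 after whatever CXXFLAGS arrives from the environment, and GCC honours the last -O option it sees, so an optimisation level chosen by the packager through dpkg-buildflags is replaced by -O3. If -O3 is meant as a default that the caller can override, place it before the inherited value rather than after it, or say in the patch description that -O3 is intentionally forced.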
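Review bot: The `CXXFLAGS +=` line in the first src/makefile hunk has no effect when the build starts from the top-level makefile, because that recipe runs `$(MAKE) CXXFLAGS=$(CXXFLAGS)` and a variable given on the make command line overrides both `=` and `+=` assignments in the sub-makefile. The warning flags listed here (-Wall -Wextra and the rest) therefore apply only when make is run directly inside src; either document that, or use `override CXXFLAGS +=` if they should always be present.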
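Review bot: In the `$(OBJ)` rule of the last hunk, `$(CPPFLAGS)` can now carry -D_FORTIFY_SOURCE, but `CFLAGS += -Wall` sets no optimisation level of its own, and glibc's fortified wrappers are only active when optimisation is enabled. lambda_calculator.c is then fortified only if the environment's CFLAGS happens to include an -O flag; consider giving CFLAGS a default -O level as CXXFLAGS has, so the C object behaves the same as the C++ ones.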
Bug#667939: last-align: Hardening flags missing
reopen 667939
thanks

Hello Charles,

The hardening flags are not working because the build system ignores them - which is why I opened this bug report for 198-1. Please apply the patch - and if possible send it to upstream to fix their build system.

Regards,
Simon

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Bug#667939: last-align: Hardening flags missing
Hi Martin,

please consider the patch below for the makefile of LAST. It allows setting the compiler, preprocessor and linker separately, which is the way Debian follows when passing 'hardening' flags (see below).

Cheers,
-- Charles

On Sat, Apr 07, 2012 at 06:47:11PM +0200, Simon Ruderich wrote:

Package: last-align
Version: 198-1
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing because the build system ignores them. The attached patch fixes the issue; if possible it should be sent to upstream.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/lastdb /usr/bin/lastal
    /usr/bin/lastdb:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/lastal:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags. Author: Simon Ruderich si...@ruderich.org Last-Update: 2012-04-07 --- last-align-198.orig/makefile +++ last-align-198/makefile
@@ -1,4 +1,4 @@ -CXXFLAGS = -O3 +CXXFLAGS += -O3 all: @cd src $(MAKE) CXXFLAGS=$(CXXFLAGS) --- last-align-198.orig/src/makefile +++ last-align-198/src/makefile @@ -1,12 +1,12 @@ CXX = g++ CC = gcc -CXXFLAGS = -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef \ +CXXFLAGS += -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef\ -Wcast-align -Wno-long-long -ansi -pedantic # -Wconversion # -fomit-frame-pointer ? -CFLAGS = -Wall +CFLAGS += -Wall DBSRC = Alphabet.cc MultiSequence.cc CyclicSubsetSeed.cc \ SubsetSuffixArray.cc LastdbArguments.cc io.cc fileMap.cc \ @@ -50,16 +50,16 @@ OBJ = lambda_calculator.o all: lastdb lastal lastex lastdb: $(DBSRC) $(DBINC) makefile - $(CXX) $(CXXFLAGS) -o $@ $(DBSRC) + $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(DBSRC) lastal: $(ALSRC) $(ALINC) makefile $(OBJ) - $(CXX) $(CXXFLAGS) -o $@ $(ALSRC) $(OBJ) + $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(ALSRC) $(OBJ) lastex: $(EXSRC) $(EXINC) makefile - $(CXX) -Igumbel_params $(CXXFLAGS) -o $@ $(EXSRC) + $(CXX) -Igumbel_params $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(EXSRC) $(OBJ): CA_code/*.c CA_code/*.h makefile - $(CC) $(CFLAGS) -c CA_code/lambda_calculator.c + $(CC) $(CPPFLAGS) $(CFLAGS) -c CA_code/lambda_calculator.c clean: rm -f lastdb lastal lastex $(OBJ)
Bug#667939: last-align: Hardening flags missing
Package: last-align
Version: 198-1
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing because the build system ignores them. The attached patch fixes the issue; if possible it should be sent to upstream.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/lastdb /usr/bin/lastal
    /usr/bin/lastdb:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/lastal:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags. Author: Simon Ruderich si...@ruderich.org Last-Update: 2012-04-07 --- last-align-198.orig/makefile +++ last-align-198/makefile @@ -1,4 +1,4 @@ -CXXFLAGS = -O3 +CXXFLAGS += -O3 all: @cd src $(MAKE) CXXFLAGS=$(CXXFLAGS) --- last-align-198.orig/src/makefile +++ last-align-198/src/makefile
@@ -1,12 +1,12 @@ CXX = g++ CC = gcc -CXXFLAGS = -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef \ +CXXFLAGS += -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef \ -Wcast-align -Wno-long-long -ansi -pedantic # -Wconversion # -fomit-frame-pointer ? -CFLAGS = -Wall +CFLAGS += -Wall DBSRC = Alphabet.cc MultiSequence.cc CyclicSubsetSeed.cc \ SubsetSuffixArray.cc LastdbArguments.cc io.cc fileMap.cc \ @@ -50,16 +50,16 @@ OBJ = lambda_calculator.o all: lastdb lastal lastex lastdb: $(DBSRC) $(DBINC) makefile - $(CXX) $(CXXFLAGS) -o $@ $(DBSRC) + $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(DBSRC) lastal: $(ALSRC) $(ALINC) makefile $(OBJ) - $(CXX) $(CXXFLAGS) -o $@ $(ALSRC) $(OBJ) + $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(ALSRC) $(OBJ) lastex: $(EXSRC) $(EXINC) makefile - $(CXX) -Igumbel_params $(CPPFLAGS) $(CXXFLAGS) -o $@ $(EXSRC) + $(CXX) -Igumbel_params $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(EXSRC) $(OBJ): CA_code/*.c CA_code/*.h makefile - $(CC) $(CFLAGS) -c CA_code/lambda_calculator.c + $(CC) $(CPPFLAGS) $(CFLAGS) -c CA_code/lambda_calculator.c clean: rm -f lastdb lastal lastex $(OBJ)
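The hardening-check report quoted in this bug can be turned into a pass/fail gate for a package build. The following is an added example, not part of the original report or of the hardening-includes package; the policy in REQUIRED and the one-field-per-line layout of the sample are assumptions.

```python
import re

# Constructed sample: the report quoted in the bug, one field per line.
SAMPLE = """\
$ hardening-check /usr/bin/lastdb /usr/bin/lastal
/usr/bin/lastdb:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/lastal:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
"""
CHECKS = {"Position Independent Executable": "pie", "Stack protected": "stack",
          "Fortify Source functions": "fortify", "Read-only relocations": "relro",
          "Immediate binding": "bindnow"}
# Assumed policy: the report says PIE and immediate binding are not enabled
# by default, so only the other three checks are required here.
REQUIRED = ("stack", "fortify", "relro")
FIELD = re.compile(r"(.+?):\s+(yes|no)\b[ ,]*(.*)")

def parse_report(text):
    """Return {binary: {check: (ok, detail)}} from hardening-check output."""
    results, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith(":"):                  # "/path/to/binary:" header
            current = results.setdefault(line[:-1], {})
            continue
        m = FIELD.match(line)
        if m and current is not None and m.group(1) in CHECKS:
            current[CHECKS[m.group(1)]] = (m.group(2) == "yes", m.group(3))
    return results

def failures(results, required=REQUIRED):
    """List (binary, check, detail) for each required check that is not 'yes'."""
    out = []
    for path, checks in sorted(results.items()):
        for key in required:
            ok, detail = checks.get(key, (False, "check missing from report"))
            if not ok:
                out.append((path, key, detail))
    return out

if __name__ == "__main__":
    for path, key, detail in failures(parse_report(SAMPLE)):
        print(f"{path}: {key} not enabled ({detail})")
```

A "yes (some protected functions found)" result is counted as a pass, which matches the report's own caveat that hardening-check doesn't catch everything; the build log remains the second source to check.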