Bug#674967: letterize: CPPFLAGS hardening flags missing

2012-05-29 Thread Francois Marier
On 2012-05-29 at 03:50:23, Simon Ruderich wrote:
 The CPPFLAGS hardening flags are missing due to a typo in
 makefile_add_flags.patch. For more hardening information please
 have a look at [1], [2] and [3].

Thanks for catching that. I've fixed it in git:

  http://anonscm.debian.org/gitweb/?p=collab-maint/letterize.git

and now it includes the right options on the build line:

  gcc -o letterize -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro letterize.c

However, the check tool is still reporting a problem:

  /usr/bin/letterize:
   Position Independent Executable: no, normal executable!
   Stack protected: no, not found!
   Fortify Source functions: unknown, no protectable libc functions used
   Read-only relocations: yes
   Immediate binding: no, not found!

This is a one-file program, so I'm not quite sure what else I can tweak...

Cheers,
Francois






Bug#674967: letterize: CPPFLAGS hardening flags missing

2012-05-29 Thread Simon Ruderich
On Tue, May 29, 2012 at 07:24:46PM +1200, Francois Marier wrote:
 Thanks for catching that. I've fixed it in git:

   http://anonscm.debian.org/gitweb/?p=collab-maint/letterize.git

 and now it includes the right options on the build line:

   gcc -o letterize -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro letterize.c

Thank you for fixing it so quickly.

 However, the check tool is still reporting a problem:

   /usr/bin/letterize:
    Position Independent Executable: no, normal executable!
    Stack protected: no, not found!
    Fortify Source functions: unknown, no protectable libc functions used
    Read-only relocations: yes
    Immediate binding: no, not found!

 This is a one-file program, so I'm not quite sure what else I can tweak...

That's fine, hardening-check has a few false positives. Check [1]
for details.

Regards,
Simon

[1]: https://wiki.debian.org/HardeningWalkthrough#Testing_your_packages_after_conversion
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9




Bug#674967: letterize: CPPFLAGS hardening flags missing

2012-05-28 Thread Simon Ruderich
Package: letterize
Version: 1.3-2
Severity: normal
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing due to a typo in
makefile_add_flags.patch. For more hardening information please
have a look at [1], [2] and [3].

The following patch fixes the issue. Btw. CXXFLAGS are not
necessary in this case because no C++ files are built.

diff -Nru letterize-1.3/debian/patches/makefile_add_flags.patch 
letterize-1.3/debian/patches/makefile_add_flags.patch
--- letterize-1.3/debian/patches/makefile_add_flags.patch   2012-05-28 
05:48:49.0 +0200
+++ letterize-1.3/debian/patches/makefile_add_flags.patch   2012-05-29 
03:45:52.0 +0200
@@ -3,13 +3,15 @@
 Author: Francois Marier franc...@debian.org
 Last-Update: 2012-05-28
 
 a/Makefile
-+++ b/Makefile
-@@ -6,6 +6,7 @@ VERS=$(shell sed letterize.spec -n -e '/Version: 
\(.*\)/s//\1/p')
+Index: letterize-1.3/Makefile
+===
+--- letterize-1.3.orig/Makefile2012-05-29 03:43:16.0 +0200
 letterize-1.3/Makefile 2012-05-29 03:45:44.324712366 +0200
+@@ -6,6 +6,7 @@
  all: letterize
  
  letterize: letterize.c
-+  gcc -o letterize $(CFLAGS) $(CPPFLAGES) $(CXXFLAGS) $(LDFLAGS) 
letterize.c
++  gcc -o letterize $(CFLAGS) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) 
letterize.c
  
  SOURCES = README COPYING letterize.xml Makefile letterize.c letterize.spec
  
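Review bot: the one-character fix in the `letterize:` rule (`$(CPPFLAGES)` to `$(CPPFLAGS)`) is correct and is what lets the CPPFLAGS hardening flag `-D_FORTIFY_SOURCE=2` reach gcc; two smaller points on the same hunk. The rule still passes `$(CXXFLAGS)` although only `letterize.c` is compiled, which the report itself says is unnecessary, so dropping it would avoid suggesting C++ flags matter here; and a hard-coded `gcc` rather than `$(CC)` ignores the compiler set in the build environment. Also, the `Last-Update: 2012-05-28` header at the top of the hunk was not bumped even though the `Index:` and timestamp lines show the patch being refreshed on 2012-05-29; updating it keeps the patch header consistent with its content.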

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

$ hardening-check /usr/bin/letterize
/usr/bin/letterize:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9


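An added example, not part of the bug report or of the letterize package: a small shell gate that reads hardening-check output the way the report above explains it, failing only on a protection that is plainly absent, treating "unknown, no protectable libc functions used" as a warning rather than a failure, and treating PIE and immediate binding as optional because they are not enabled by default. The function names and the sample output are constructed for this example (the sample mirrors the output quoted in the report).

```shell
#!/bin/sh
# Constructed sample, mirroring the hardening-check output quoted in the report.
SAMPLE_OUTPUT='/usr/bin/letterize:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no not found!'

# classify NAME STATUS: prints ok, warn or fail for one check line.
# "unknown" is the tool's known false positive (no protectable libc call in
# the binary), and PIE / immediate binding are optional, so both are warnings.
classify() {
    case "$2" in
        yes*)     echo ok ;;
        unknown*) echo warn ;;
        no*)
            case "$1" in
                "Position Independent Executable"|"Immediate binding") echo warn ;;
                *) echo fail ;;
            esac ;;
        *)        echo fail ;;
    esac
}

# gate OUTPUT: prints "<verdict><TAB><check name>" for every check line.
# The path line ("/usr/bin/letterize:") has no ": " and is skipped.
gate() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *": "*) ;;
            *) continue ;;
        esac
        name=${line%%:*}
        name=${name#"${name%%[! ]*}"}     # strip leading blanks
        status=${line#*: }
        printf '%s\t%s\n' "$(classify "$name" "$status")" "$name"
    done
}

# gate_rc OUTPUT: returns 0 when no mandatory protection is missing, else 1.
gate_rc() {
    if gate "$1" | grep -q '^fail'; then return 1; fi
    return 0
}

# Typical use on a build result (not executed here):
#   for f in $(find . -type f -executable); do
#       gate_rc "$(hardening-check "$f")" || echo "$f: hardening flags missing"
#   done
```

Running `gate_rc` on the sample returns 1 because "Stack protected: no" is a hard failure, while the PIE, immediate-binding and fortify lines only produce warnings.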