Bug#674967: letterize: CPPFLAGS hardening flags missing
On 2012-05-29 at 03:50:23, Simon Ruderich wrote:
> The CPPFLAGS hardening flags are missing due to a typo in
> makefile_add_flags.patch. For more hardening information please have a
> look at [1], [2] and [3].

Thanks for catching that. I've fixed it in git:

  http://anonscm.debian.org/gitweb/?p=collab-maint/letterize.git

and now it includes the right options on the build line:

  gcc -o letterize -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro letterize.c

However, the check tool is still reporting a problem:

  /usr/bin/letterize:
   Position Independent Executable: no, normal executable!
   Stack protected: no, not found!
   Fortify Source functions: unknown, no protectable libc functions used
   Read-only relocations: yes
   Immediate binding: no, not found!

This is a one-file program, so I'm not quite sure what else I can tweak...

Cheers,
Francois
Bug#674967: letterize: CPPFLAGS hardening flags missing
On Tue, May 29, 2012 at 07:24:46PM +1200, Francois Marier wrote:
> Thanks for catching that. I've fixed it in git:
>
>   http://anonscm.debian.org/gitweb/?p=collab-maint/letterize.git
>
> and now it includes the right options on the build line:
>
>   gcc -o letterize -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro letterize.c

Thank you for fixing it so quickly.

> However, the check tool is still reporting a problem:
>
>   /usr/bin/letterize:
>    Position Independent Executable: no, normal executable!
>    Stack protected: no, not found!
>    Fortify Source functions: unknown, no protectable libc functions used
>    Read-only relocations: yes
>    Immediate binding: no, not found!
>
> This is a one-file program, so I'm not quite sure what else I can tweak...

That's fine, hardening-check has a few false positives. Check [1] for
details.

Regards,
Simon

[1]: https://wiki.debian.org/HardeningWalkthrough#Testing_your_packages_after_conversion

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Bug#674967: letterize: CPPFLAGS hardening flags missing
Package: letterize
Version: 1.3-2
Severity: normal
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing due to a typo in
makefile_add_flags.patch. For more hardening information please have a
look at [1], [2] and [3].

The following patch fixes the issue. Btw. CXXFLAGS are not necessary in
this case because no C++ files are built.

diff -Nru letterize-1.3/debian/patches/makefile_add_flags.patch letterize-1.3/debian/patches/makefile_add_flags.patch
--- letterize-1.3/debian/patches/makefile_add_flags.patch 2012-05-28 05:48:49.0 +0200
+++ letterize-1.3/debian/patches/makefile_add_flags.patch 2012-05-29 03:45:52.0 +0200
@@ -3,13 +3,15 @@ Author: Francois Marier franc...@debian.org Last-Update: 2012-05-28 a/Makefile -+++ b/Makefile -@@ -6,6 +6,7 @@ VERS=$(shell sed letterize.spec -n -e '/Version: \(.*\)/s//\1/p') +Index: letterize-1.3/Makefile +=== +--- letterize-1.3.orig/Makefile2012-05-29 03:43:16.0 +0200 letterize-1.3/Makefile 2012-05-29 03:45:44.324712366 +0200 +@@ -6,6 +6,7 @@ all: letterize letterize: letterize.c -+ gcc -o letterize $(CFLAGS) $(CPPFLAGES) $(CXXFLAGS) $(LDFLAGS) letterize.c ++ gcc -o letterize $(CFLAGS) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) letterize.c SOURCES = README COPYING letterize.xml Makefile letterize.c letterize.spec

To check if all flags were correctly enabled you can use `hardening-check`
from the hardening-includes package and check the build log (for example
with blhc [4]) (hardening-check doesn't catch everything):

  $ hardening-check /usr/bin/letterize
  /usr/bin/letterize:
   Position Independent Executable: no, normal executable!
   Stack protected: no, not found!
   Fortify Source functions: unknown, no protectable libc functions used
   Read-only relocations: yes
   Immediate binding: no, not found!

(Position Independent Executable and Immediate binding are not enabled by
default.)

Use

  find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
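Review bot: the one-character fix on the gcc line ($(CPPFLAGES) to $(CPPFLAGS)) is correct, but the rewritten line still passes $(CXXFLAGS) to gcc even though the report itself says no C++ is built; since the patch already touches that line, drop the variable so the build line only carries what applies: `gcc -o letterize $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) letterize.c`. Two smaller points on the same hunk: the a/Makefile, b/Makefile header is swapped for an Index:/timestamped one (that is where the +2 lines in `@@ -3,13 +3,15 @@` come from), which is churn unrelated to the typo and makes the real change harder to spot; and $(LDFLAGS) sits before letterize.c, which is harmless for -Wl,-z,relro but any -l<lib> added through LDFLAGS later would be resolved in command-line order, so the conventional place for $(LDFLAGS) is after the sources.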
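Added example, not code from the bug report, the letterize package, blhc or hardening-includes: a small Python build-log checker that does for a log what the report recommends blhc for, scanning each compiler invocation for the hardening options that dpkg-buildflags enabled by default at the time (the set visible in the fixed build line quoted in this thread) and noting the opt-in ones (PIE, bindnow) separately. The sample log is constructed for the example: its second line reproduces what the $(CPPFLAGES) typo produced (an empty CPPFLAGS, so no -D_FORTIFY_SOURCE=2), the third is the fixed build line from the thread, and the fourth is a made-up compile-only step at -O0 to show a case hardening-check cannot see but a log check can.

```python
import os
import re
import shlex

# Hardening options dpkg-buildflags enabled by default on Debian when this
# report was filed, keyed by the variable they come from (assumption taken
# from the build line in the thread). PIE and bindnow were opt-in, so they
# are only noted, never counted as missing.
REQUIRED = {
    "CFLAGS": ("-fstack-protector", "--param=ssp-buffer-size=4",
               "-Wformat", "-Werror=format-security"),
    "CPPFLAGS": ("-D_FORTIFY_SOURCE=2",),
}
COMPILER = re.compile(r"^(?:[\w.]+-)*(?:gcc|cc|g\+\+|c\+\+|clang|clang\+\+)(?:-[\d.]+)?$")
SOURCE = re.compile(r"\.(?:c|cc|cpp|cxx)$")


def linker_opts(tokens):
    """Flatten every -Wl,a,b,... token into the option list that ld receives."""
    opts = []
    for tok in tokens:
        if tok.startswith("-Wl,"):
            opts.extend(tok[4:].split(","))
    return opts


def has_z(ld_opts, keyword):
    """True if '-z <keyword>' (e.g. -z relro, -z now) is among the linker options."""
    return any(a == "-z" and b == keyword for a, b in zip(ld_opts, ld_opts[1:]))


def check_line(line):
    """Check one build-log line. Returns None if it is not a compiler call,
    otherwise a dict with the step type, missing required flags and notes."""
    try:
        tokens = shlex.split(line)
    except ValueError:        # unbalanced quote: make/shell chatter, not a command
        return None
    if not tokens or not COMPILER.match(os.path.basename(tokens[0])):
        return None
    compiles = any(SOURCE.search(t) for t in tokens)
    links = (compiles or any(t.endswith(".o") for t in tokens)) \
        and not any(t in ("-c", "-S", "-E") for t in tokens)
    missing, notes = [], []
    if compiles:
        for var, flags in REQUIRED.items():
            missing += [f"{var}: {f}" for f in flags if f not in tokens]
        # _FORTIFY_SOURCE lives in glibc's headers and only takes effect when
        # the optimiser runs, so -O0 (or no -O at all) silently disables it.
        levels = [t for t in tokens if re.fullmatch(r"-O(?:\d|s|g|fast)?", t)]
        if "-D_FORTIFY_SOURCE=2" in tokens and (not levels or levels[-1] == "-O0"):
            notes.append("-D_FORTIFY_SOURCE=2 has no effect without -O1 or higher")
    if links:
        ld = linker_opts(tokens)
        if not has_z(ld, "relro"):
            missing.append("LDFLAGS: -Wl,-z,relro")
        if not has_z(ld, "now"):
            notes.append("bindnow (-Wl,-z,now) not enabled; optional")
        if "-pie" not in tokens:
            notes.append("PIE (-fPIE/-pie) not enabled; optional")
    return {"compiles": compiles, "links": links, "missing": missing, "notes": notes}


def check_log(text):
    """Return (line_number, line, result) for every compiler invocation in a log."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        result = check_line(line)
        if result is not None:
            out.append((n, line, result))
    return out


# Constructed sample log (not a real build log): line 2 is what the
# $(CPPFLAGES) typo produced, line 3 the fixed build line from the thread,
# line 4 a made-up compile-only step at -O0.
SAMPLE_LOG = """\
make[1]: Entering directory `/build/letterize-1.3'
gcc -o letterize -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wl,-z,relro letterize.c
gcc -o letterize -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro letterize.c
gcc -c -O0 -D_FORTIFY_SOURCE=2 helper.c
make[1]: Leaving directory `/build/letterize-1.3'
"""

if __name__ == "__main__":
    for n, line, res in check_log(SAMPLE_LOG):
        status = "OK" if not res["missing"] else "MISSING " + ", ".join(res["missing"])
        print(f"line {n}: {status}")
        for note in res["notes"]:
            print(f"  note: {note}")
```

To run it over a real log, pass the file's contents to check_log(). The log check and hardening-check are complementary: the log proves the flags were on the command line, hardening-check inspects what came out. The two can legitimately disagree, which is the false positive mentioned in this thread: with --param=ssp-buffer-size=4 only functions that hold a char array of at least 4 bytes get a canary, so a tiny program with no such buffer never references __stack_chk_fail and hardening-check reports "Stack protected: no" even though -fstack-protector was in effect, and "Fortify Source functions: unknown" just means no fortifiable libc call was made.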