Package: readline6 Version: 6.2-8 Severity: normal Tags: patch Dear Maintainer,
The CPPFLAGS hardening flags are missing because they are not set in debian/rules; the format string hardening flags are missing because they are disabled in debian/rules. For more hardening information please have a look at [1], [2] and [3]. The attached patches fix the issues. To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log with `blhc` (hardening-check doesn't catch everything): $ hardening-check /usr/bin/rlfe /lib/x86_64-linux-gnu/libreadline.so.6.2 /lib/x86_64-linux-gnu/libhistory.so.6.2 /usr/lib/debug/libhistory.so.6.2 ... /usr/bin/rlfe: Position Independent Executable: no, normal executable! Stack protected: no, not found! Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /lib/x86_64-linux-gnu/libreadline.so.6.2: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /lib/x86_64-linux-gnu/libhistory.so.6.2: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/lib/debug/libhistory.so.6.2: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! ... (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
diff -Nru readline6-6.2/debian/rules readline6-6.2/debian/rules --- readline6-6.2/debian/rules 2011-10-09 11:30:10.000000000 +0200 +++ readline6-6.2/debian/rules 2012-09-15 13:47:15.000000000 +0200 @@ -58,6 +58,7 @@ endif CFLAGS := $(shell dpkg-buildflags --get CFLAGS) +CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS) LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS) CFLAGS := $(CFLAGS) -I/usr/include/ncursesw @@ -107,7 +108,7 @@ mkdir $(builddir) find . -type d | xargs chmod g-s cd $(builddir) && \ - CC=$(CC) CFLAGS="$(CFLAGS)" $(srcdir)/configure \ + CC=$(CC) CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" $(srcdir)/configure \ --prefix=/usr\ --host=$(DEB_HOST_GNU_TYPE) \ --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) @@ -116,7 +117,7 @@ rm -rf $(builddir32) mkdir $(builddir32) cd $(builddir32) && \ - CC="$(CC32)" CFLAGS="$(CFLAGS)" $(srcdir)/configure \ + CC="$(CC32)" CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" $(srcdir)/configure \ --host=$(HOST32) --prefix=/usr endif @@ -124,7 +125,7 @@ rm -rf $(builddir64) mkdir $(builddir64) cd $(builddir64) && \ - CC="$(CC64)" CFLAGS="$(CFLAGS)" $(srcdir)/configure \ + CC="$(CC64)" CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" $(srcdir)/configure \ --host=$(HOST64) --prefix=/usr endif @@ -141,7 +142,7 @@ build-stamp: configure-stamp dh_testdir $(MAKE) -C $(builddir) \ - CFLAGS="$(CFLAGS)" \ + CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" \ SHOBJ_CFLAGS="-fPIC -D_REENTRANT" \ SHOBJ_LDFLAGS='$(LDFLAGS) -shared' \ SHLIB_LIBS="-ltinfo" @@ -149,7 +150,7 @@ ifneq ($(build32),) $(MAKE) -C $(builddir32) \ CC="$(CC32)" \ - CFLAGS="$(CFLAGS)" \ + CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" \ SHOBJ_CFLAGS="-fPIC -D_REENTRANT" \ SHOBJ_LDFLAGS='$(LDFLAGS) -shared' \ SHLIB_LIBS="-ltinfo" @@ -159,7 +160,7 @@ ifneq ($(build64),) $(MAKE) -C $(builddir64) \ CC="$(CC64)" \ - CFLAGS="$(CFLAGS)" \ + CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" \ SHOBJ_CFLAGS="-fPIC -D_REENTRANT" \ SHOBJ_LDFLAGS='$(LDFLAGS) -shared' \ SHLIB_LIBS="-ltinfo" @@ -183,7 +184,7 @@ cd $(builddir)/examples/rlfe \ && ./configure --prefix=/usr --host=$(DEB_HOST_GNU_TYPE) $(MAKE) -C $(builddir)/examples/rlfe \ - CFLAGS="$(filter-out -Werror=%,$(CFLAGS))" \ + CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" \ LDFLAGS="$(LDFLAGS) -g -L$(builddir)/shlib" \ LIBS="-lreadline -ltinfo -lutil" rlfe touch build-rlfe-stamp @@ -209,7 +210,7 @@ rm -rf $(d) mkdir -p $(d)/usr/bin $(MAKE) -C $(builddir) install \ - CFLAGS="$(CFLAGS) -D_REENTRANT" \ + CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS) -D_REENTRANT" \ SHOBJ_LDFLAGS='-shared $(LDFLAGS)' \ DESTDIR=$(CURDIR)/$(d) \ mandir=/usr/share/man \ @@ -295,7 +296,7 @@ mkdir -p $(d32)/usr/bin $(MAKE) -C $(builddir32) install \ CC="$(CC32)" \ - CFLAGS="$(CFLAGS) -D_REENTRANT" \ + CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS) -D_REENTRANT" \ SHOBJ_LDFLAGS='-shared $(LDFLAGS)' \ SHLIB_XLDFLAGS='-soname,`echo $$@ | sed s/\\..$$$$//`' \ SHLIB_LIBS=-lncurses \ @@ -328,7 +329,7 @@ mkdir -p $(d64)/usr/bin $(MAKE) -C $(builddir64) install \ CC="$(CC64)" \ - CFLAGS="$(CFLAGS) -D_REENTRANT" \ + CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS) -D_REENTRANT" \ SHOBJ_LDFLAGS='-shared $(LDFLAGS)' \ SHLIB_XLDFLAGS='-soname,`echo $$@ | sed s/\\..$$$$//`' \ SHLIB_LIBS=-lncurses \
Description: Fix compiling with -Werror=format-security. Prevents format string attacks. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-09-15 --- readline6-6.2.orig/examples/rlfe/rlfe.c +++ readline6-6.2/examples/rlfe/rlfe.c @@ -273,7 +273,7 @@ static void maybe_emphasize_input (int o if (on == current_emphasize_input || (on && ! do_emphasize_input)) return; - fprintf (rl_outstream, on ? start_input_mode : end_input_mode); + fprintf (rl_outstream, "%s", on ? start_input_mode : end_input_mode); fflush (rl_outstream); current_emphasize_input = on; }
signature.asc
Description: Digital signature