Bug#879669: agetty: use full hardening flags
It seems that even though only `export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow` is used in d/rules, the build runs with all hardening flags [1].
Also can not spot any missing parts via checksec on the binary/process.

$ checksec --file=/sbin/agetty
RELRO       STACK CANARY  NX          PIE          RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  FILE
Full RELRO  Canary found  NX enabled  PIE enabled  No RPATH  No RUNPATH  No Symbols  Yes      7          14           /sbin/agetty

[1]: see for example https://buildd.debian.org/status/fetch.php?pkg=util-linux&arch=amd64&ver=2.34-0.1&stamp=1564330426&raw=0
the configure script reports using

cflags: -g -O2 -fdebug-prefix-map=/<>=. -fstack-protector-strong -Wformat -Werror=format-security
suid cflags:
ldflags: -Wl,-z,relro -Wl,-z,now
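The build-log check described in the first message, as an added example that is not part of the thread: it reads the flag lines of a configure summary and reports which dpkg hardening features those lines show. The sample summary is constructed from the values quoted above; the function names and the feature-to-flag table are this example's own.

```python
# Added example: feature names follow dpkg-buildflags' hardening options;
# the flag table and helper names below are this example's own.
EVIDENCE = {
    "format": [{"-Wformat", "-Werror=format-security"}],
    "stackprotector": [{"-fstack-protector-strong"}, {"-fstack-protector"}],
    "fortify": [{"-D_FORTIFY_SOURCE=2"}],
    "relro": [{"-z relro"}],
    "bindnow": [{"-z now"}],
    "pie": [{"-fPIE"}, {"-pie"}],
}

# Constructed sample: the three flag lines quoted in the message above.
SAMPLE_SUMMARY = """\
cflags: -g -O2 -fdebug-prefix-map=/<>=. -fstack-protector-strong -Wformat -Werror=format-security
suid cflags:
ldflags: -Wl,-z,relro -Wl,-z,now
"""

def linker_opts(token):
    """Expand '-Wl,-z,relro,-z,now' into ['-z relro', '-z now']."""
    parts = token[len("-Wl,"):].split(",")
    out, i = [], 0
    while i < len(parts):
        if parts[i] == "-z" and i + 1 < len(parts):
            out.append("-z " + parts[i + 1])
            i += 2
        else:
            out.append(parts[i])
            i += 1
    return out

def flags_in_summary(text):
    """Collect every flag from lines whose label ends in 'flags'."""
    seen = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not key.strip().endswith("flags"):
            continue
        for tok in value.split():
            seen.update(linker_opts(tok) if tok.startswith("-Wl,") else [tok])
    return seen

def audit(text):
    """Map each hardening feature to True if the summary lines show it."""
    seen = flags_in_summary(text)
    return {f: any(alt <= seen for alt in alts) for f, alts in EVIDENCE.items()}

if __name__ == "__main__":
    for feature, shown in audit(SAMPLE_SUMMARY).items():
        print(f"{feature:15} {'shown' if shown else 'not shown in these lines'}")
```

A feature reported as not shown is not necessarily missing from the binary: dpkg-buildflags passes `-D_FORTIFY_SOURCE=2` in CPPFLAGS, which this summary does not print, and a compiler that builds PIE by default needs no explicit flag. The checksec run on the installed binary therefore remains the authoritative check.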
Bug#879669: agetty: use full hardening flags
Control: tags -1 + moreinfo

Hello,

On Tue, Oct 24, 2017 at 10:13:27AM +0200, Christian Göttsche wrote:
> Package: util-linux
> Version: 2.30.2-0.1
> Tags: patch security
>
> Please activate full hardening flags for the agetty binary, e.g. use
> `export DEB_BUILD_MAINT_OPTIONS = hardening=+all`.

Have you done any testing on how much breakage this causes?
What was your testing strategy and how does it make us sure that it's safe to enable these build options?

Regards,
Andreas Henriksson
Bug#879669: agetty: use full hardening flags
Package: util-linux
Version: 2.30.2-0.1
Tags: patch security

Please activate full hardening flags for the agetty binary, e.g. use `export DEB_BUILD_MAINT_OPTIONS = hardening=+all`.