Package: pdfcube
Severity: important
Tags: patch

Dear Maintainer,

The LDFLAGS hardening flags are missing because export LDFLAGS += in debian/rules overwrites the default hardening flags. DEB_*_MAINT_APPEND is the preferred way to set additional flags (see man dpkg-buildflags for more information).

For more hardening information please have a look at [1], [2] and [3].

The following patch fixes the issue.

diff -u pdfcube-0.0.4/debian/rules pdfcube-0.0.4/debian/rules --- pdfcube-0.0.4/debian/rules +++ pdfcube-0.0.4/debian/rules 
@@ -1,7 +1,7 @@ #!/usr/bin/make -f #export DH_VERBOSE=1 -export LDFLAGS += -Wl,--as-needed +export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed %: dh $@ --parallel

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package:

$ hardening-check /usr/bin/pdfcube
/usr/bin/pdfcube:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no not found!

(The stack protected and fortify source warnings are fine in this case, the flags are correctly applied.)

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
 APT prefers unstable
 APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
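
Review bot: the added line `export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed` only changes the link flags if something in the build asks dpkg-buildflags for them, and nothing in the visible context (`dh $@ --parallel`, no include of buildflags.mk) shows that it does. Please confirm that the package builds at debhelper compat level 9, where dh passes the dpkg-buildflags values to the build system, or include /usr/share/dpkg/buildflags.mk in debian/rules, and state which one applies in the changelog entry. The hardening-check output quoted in the report still lists position independent executable and immediate binding as off; if those are wanted too, `export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow` next to this line would enable them, otherwise a one-line comment in debian/rules saying they are left out on purpose would help the next reader.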