Package: pdfcube
Severity: important
Tags: patch

Dear Maintainer,

The LDFLAGS hardening flags are missing because `export LDFLAGS +=`
in debian/rules overwrites the default hardening flags.

DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].

The following patch fixes the issue.

    diff -u pdfcube-0.0.4/debian/rules pdfcube-0.0.4/debian/rules
    --- pdfcube-0.0.4/debian/rules
    +++ pdfcube-0.0.4/debian/rules
    @@ -1,7 +1,7 @@
     #!/usr/bin/make -f
     #export DH_VERBOSE=1
     
    -export LDFLAGS += -Wl,--as-needed
    +export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
     
     %:
            dh $@ --parallel
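
Review bot: the added `export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed` line only takes effect when the build obtains its flags from dpkg-buildflags, and in this rules file the only thing that can do that is `dh $@ --parallel`, which exports those flags at debhelper compat level 9 and above. debian/compat is not part of this patch, so please confirm the compat level (and bump it in the same upload if it is lower); otherwise `-Wl,--as-needed` is silently dropped and the hardening flags are still not applied.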

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

    $ hardening-check /usr/bin/pdfcube
    /usr/bin/pdfcube:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!

(The stack protected and fortify source warnings are fine in this
case; the flags are correctly applied.)

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
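
The check below is an added example, not part of the original report or of any Debian tool: it scans a debian/rules file for the pattern the report describes (an exported assignment to a flag variable managed by dpkg-buildflags) and rewrites it to the `DEB_*_MAINT_APPEND` form used in the patch. The function names and the embedded sample are assumptions made for illustration, and rewriting plain `=` assignments to `_MAINT_APPEND` assumes the maintainer meant to add flags rather than replace them.

```python
import re

# Flag variables managed by dpkg-buildflags (see man dpkg-buildflags).
MANAGED = ("CFLAGS", "CPPFLAGS", "CXXFLAGS", "FFLAGS", "LDFLAGS")

# One-line exported assignment, e.g. "export LDFLAGS += -Wl,--as-needed".
# Comment lines (#...) and recipe lines (leading tab) cannot match.
ASSIGN = re.compile(
    r"^ *export\s+(?P<var>" + "|".join(MANAGED) + r")"
    r"\s*(?P<op>\+=|:=|\?=|=)\s*(?P<value>.*)$"
)

# Constructed sample: the pre-patch debian/rules shown in the report.
SAMPLE = (
    "#!/usr/bin/make -f\n"
    "#export DH_VERBOSE=1\n"
    "\n"
    "export LDFLAGS += -Wl,--as-needed\n"
    "\n"
    "%:\n"
    "\tdh $@ --parallel\n"
)


def find_overrides(rules_text):
    """Return (line_number, variable, operator, value) per exported assignment."""
    findings = []
    for number, line in enumerate(rules_text.splitlines(), start=1):
        match = ASSIGN.match(line)
        if match:
            findings.append(
                (number, match["var"], match["op"], match["value"].strip())
            )
    return findings


def rewrite(rules_text):
    """Replace each finding with the DEB_<flag>_MAINT_APPEND form."""
    out = []
    for line in rules_text.splitlines():
        match = ASSIGN.match(line)
        if match:
            line = "export DEB_%s_MAINT_APPEND = %s" % (
                match["var"], match["value"].strip())
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for number, var, op, value in find_overrides(SAMPLE):
        print("debian/rules:%d: export %s %s %s" % (number, var, op, value))
    print(rewrite(SAMPLE), end="")
```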
