[Pkg-alsa-devel] Bug#662685: alsa-lib: Please enable hardening flags

Simon Ruderich simon at ruderich.org
Mon Mar 5 18:07:50 UTC 2012


Package: alsa-lib
Severity: important
Tags: patch

Dear Maintainer,

Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].

The attached patch uses dpkg-buildflags to automatically enable
the hardening flags. It also enables a verbose build so missing
flags are easily detected. DEB_*_MAINT_APPEND is the preferred
way to set additional flags (see man dpkg-buildflags for more
information). -g and noopt are automatically handled by
dpkg-buildflags.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

    $ hardening-check /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0 /usr/lib32/libasound.so.2.0.0
    /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib32/libasound.so.2.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-------------- next part --------------
A non-text attachment was scrubbed...
Name: alsa-lib-hardening.patch
Type: text/x-diff
Size: 835 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-alsa-devel/attachments/20120305/c5c88872/attachment-0001.patch>
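
Added example (not part of the original message or the attached patch): a small parser that turns the `hardening-check` report quoted above into per-file results and applies a required-checks policy, so a build script can gate on specific protections. The `REQUIRED` policy and the function names are assumptions made for illustration.

```python
import re

# Report text copied from the hardening-check run quoted in the message above.
REPORT = """\
/usr/lib/x86_64-linux-gnu/libasound.so.2.0.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib32/libasound.so.2.0.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
"""

# Assumed policy (not from the message): checks every binary must pass.
REQUIRED = ("Stack protected", "Fortify Source functions", "Read-only relocations")
LINE = re.compile(r"^\s+(?P<check>[^:]+):\s+(?P<verdict>yes|no|unknown)\b(?P<detail>.*)$")

def parse_report(text):
    """Return {path: {check: (verdict, detail)}} from hardening-check output."""
    results, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Unindented lines ending in ':' start a new file section.
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = results.setdefault(line.rstrip()[:-1], {})
            continue
        m = LINE.match(line)
        if m and current is not None:
            current[m["check"].strip()] = (m["verdict"], m["detail"].strip(" ,"))
    return results

def failures(results, required=REQUIRED):
    """List (path, check, verdict) for required checks that are absent or not 'yes'."""
    bad = []
    for path, checks in results.items():
        for name in required:
            verdict, detail = checks.get(name, ("missing", ""))
            # Results the tool itself marks "(ignored)" are not counted as failures.
            if verdict != "yes" and "(ignored)" not in detail:
                bad.append((path, name, verdict))
    return bad

if __name__ == "__main__":
    for path, name, verdict in failures(parse_report(REPORT)):
        print(f"{path}: {name}: {verdict}")
```

With the assumed policy the quoted report passes for both libraries; adding "Immediate binding" to the required tuple reports both files.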
