[Debian-med-packaging] Bug#667939: last-align: Hardening flags missing

Charles Plessy plessy at debian.org
Mon Apr 30 02:16:12 UTC 2012


Hi Martin,

Please consider the patch below for the makefile of LAST.  It
allows setting the compiler, preprocessor and linker separately,
which is the way Debian follows when passing 'hardening' flags
(see below).

Cheers,

-- Charles

On Sat, Apr 07, 2012 at 06:47:11PM +0200, Simon Ruderich wrote:
> Package: last-align
> Version: 198-1
> Severity: important
> Tags: patch
> 
> Dear Maintainer,
> 
> The hardening flags are missing because the build system ignores
> them.
> 
> The attached patch fixes the issue; if possible, it should be sent
> upstream.
> 
> To check if all flags were correctly enabled you can use
> `hardening-check` from the hardening-includes package and check
> the build log (hardening-check doesn't catch everything):
> 
>     $ hardening-check /usr/bin/lastdb /usr/bin/lastal
>     /usr/bin/lastdb:
>      Position Independent Executable: no, normal executable!
>      Stack protected: yes
>      Fortify Source functions: no, only unprotected functions found!
>      Read-only relocations: yes
>      Immediate binding: no not found!
>     /usr/bin/lastal:
>      Position Independent Executable: no, normal executable!
>      Stack protected: yes
>      Fortify Source functions: yes (some protected functions found)
>      Read-only relocations: yes
>      Immediate binding: no not found!
> 
> (Position Independent Executable and Immediate binding are not
> enabled by default.)
> 
> Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
> on the build result to check all files.
> 
> Regards,
> Simon
> 
> [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
> [2]: https://wiki.debian.org/HardeningWalkthrough
> [3]: https://wiki.debian.org/Hardening
> -- 
> + privacy is necessary
> + using gnupg http://gnupg.org
> + public key id: 0x92FEFDB7E44C32F9

Description: Use build flags from environment (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich <simon at ruderich.org>
Last-Update: 2012-04-07

--- last-align-198.orig/makefile
+++ last-align-198/makefile
@@ -1,4 +1,4 @@
-CXXFLAGS = -O3
+CXXFLAGS += -O3
 all:
 	@cd src && $(MAKE) CXXFLAGS="$(CXXFLAGS)"
 
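Review bot: `CXXFLAGS += -O3` in the top-level makefile appends -O3 after whatever the environment supplies, and with GCC the last -O option on the command line wins, so an optimisation level chosen by the builder (for example -O0 from a noopt build) is silently replaced by -O3. If -O3 is meant as a default rather than a requirement, `CXXFLAGS ?= -O3` keeps it only when nothing was passed in.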
--- last-align-198.orig/src/makefile
+++ last-align-198/src/makefile
@@ -1,12 +1,12 @@
 CXX = g++
 CC  = gcc
 
-CXXFLAGS = -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef	\
+CXXFLAGS += -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef	\
 -Wcast-align -Wno-long-long -ansi -pedantic
 # -Wconversion
 # -fomit-frame-pointer ?
 
-CFLAGS = -Wall
+CFLAGS += -Wall
 
 DBSRC = Alphabet.cc MultiSequence.cc CyclicSubsetSeed.cc	\
 SubsetSuffixArray.cc LastdbArguments.cc io.cc fileMap.cc	\
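Review bot: the `CXXFLAGS +=` line in src/makefile has no effect when the build is started from the top-level makefile, because that rule runs `$(MAKE) CXXFLAGS="$(CXXFLAGS)"` and a variable given on the make command line overrides ordinary assignments, `+=` included, in the sub-makefile. The warning options and -ansi -pedantic therefore apply only when make is run directly in src/; either drop the command-line assignment from the top-level rule, or write `override CXXFLAGS +=` here if these options must always be present.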
@@ -50,16 +50,16 @@ OBJ = lambda_calculator.o
 all: lastdb lastal lastex
 
 lastdb: $(DBSRC) $(DBINC) makefile
-	$(CXX) $(CXXFLAGS) -o $@ $(DBSRC)
+	$(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(DBSRC)
 
 lastal: $(ALSRC) $(ALINC) makefile $(OBJ)
-	$(CXX) $(CXXFLAGS) -o $@ $(ALSRC) $(OBJ)
+	$(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(ALSRC) $(OBJ)
 
 lastex: $(EXSRC) $(EXINC) makefile
-	$(CXX) -Igumbel_params $(CXXFLAGS) -o $@ $(EXSRC)
+	$(CXX) -Igumbel_params $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(EXSRC)
 
 $(OBJ): CA_code/*.c CA_code/*.h makefile
-	$(CC) $(CFLAGS) -c CA_code/lambda_calculator.c
+	$(CC) $(CPPFLAGS) $(CFLAGS) -c CA_code/lambda_calculator.c
 
 clean:
 	rm -f lastdb lastal lastex $(OBJ)
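Review bot: in the lastdb, lastal and lastex rules `$(LDFLAGS)` sits before the source files, which is fine for pure linker options but means any library passed through LDFLAGS would precede the objects that need it and could fail to resolve. The visible rules link no libraries, so this is a style point: keep LDFLAGS for options only and add a separate `$(LDLIBS)` after the sources if libraries are ever needed.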

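The check described in the quoted report (run `hardening-check`, then read the output per binary) can be turned into a pass/fail gate. The following is an added example, not part of the original message or patch; the function names are hypothetical, and treating PIE and immediate binding as optional is an assumption taken from the report's remark that they are not enabled by default.

```python
import re

# Constructed sample: the hardening-check output quoted in the bug report.
SAMPLE_REPORT = """\
/usr/bin/lastdb:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/lastal:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
"""

# Assumption of this example: checks the report says are off by default
# are not counted as failures.
OPTIONAL = {"Position Independent Executable", "Immediate binding"}


def parse_report(text):
    """Return {binary: {check: (status, detail)}} from hardening-check output."""
    results, current = {}, None
    for line in text.splitlines():
        # An unindented line ending in ':' starts the section for one binary.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = results.setdefault(line.rstrip()[:-1], {})
            continue
        m = re.match(r"\s+([^:]+):\s*(\w+)\b[ ,]*(.*)", line)
        if m and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3).strip())
    return results


def missing_hardening(text, optional=OPTIONAL):
    """Map each binary to the non-optional checks reported as 'no'.
    Any status word other than 'no' is recorded but not counted as a failure."""
    return {
        binary: sorted(check for check, (status, _) in checks.items()
                       if status == "no" and check not in optional)
        for binary, checks in parse_report(text).items()
    }


if __name__ == "__main__":
    for binary, failed in missing_hardening(SAMPLE_REPORT).items():
        print(binary, "FAIL: " + ", ".join(failed) if failed else "ok")
```

Passing `optional=set()` makes the gate strict, so the PIE and immediate-binding lines are reported as well.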



