[Debian-med-packaging] Bug#662252: aeskulap: Please enable hardening flags
Simon Ruderich
simon at ruderich.org
Mon Mar 5 00:36:28 UTC 2012
Package: aeskulap
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].
The following "patch" bumps debian/compat to 9 to automatically
enable the hardening flags; you could also enable them without
changing compat (see [2]), but compat=9 is the preferred and
simplest solution.
- --- aeskulap-0.2.2b1/debian/compat 2011-12-15 20:12:21.000000000 +0100
+++ aeskulap-0.2.2b1/debian/compat 2012-03-05 01:22:36.000000000 +0100
@@ -1 +1 @@
- -8
+9
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
$ hardening-check /usr/lib/x86_64-linux-gnu/aeskulap/libimagepool.so /usr/lib/x86_64-linux-gnu/aeskulap/libconfiguration.so /usr/bin/aeskulap
/usr/lib/x86_64-linux-gnu/aeskulap/libimagepool.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/aeskulap/libconfiguration.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/bin/aeskulap:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
(The Fortify source warning is fine in this case, the flags are
correctly applied.)
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPVAqFAAoJEJL+/bfkTDL5PuEP/j76DTTqIxbFV5U4AluLjrWz
zaGqP6cAC5dEMiDtSm5V/mj8rOF2KZPlkEFuRirc7ihGG8xAqvMdZBu+MaPxcuTp
byjudcN43CoPKMM1lMUgcR+qtXRE9c4LzMKUF+hWhbpI9kIeivwuL6qojXR6V/uO
TUP/CH8a1fyptxlvyaK/fq4Tyft7D4v4hGlX/ljLEpjDK/0DiOu3vXIhrARDNydH
mBkUpZj1ppNQS2MNZrJe58BqgMSjX8gY3R5HWwf1oJ8yUhS6xNj6mJf0xhEsqfG0
xF3wlEDSVysf9Kw9U5mS9g2R5dcQ15A1OvdvmTXMzvUYzMJVj1DBzwWFB/F0Fwv3
/etcxc8FKeBpNG5mDNBE9XlcC3PaiMaFRji7k+yCrGo9soyRPvXuonL4zsoqNS+T
82KzjxArOgdTxzL0fD4t8qP+URL5z6ZrMVCMticQXbpkJJuZ/lSA6f98n1zwoe18
rUu7bE9Hgofh3Ys/N2laJTh/L1i2wWKqdOXakjdJadZ6ZJflUloZnO1ihRM8HotF
/vdA6awaBTurwIdaDIey4Rfb1cL3a22g6QLSqQOVr9RyeO0AAfKji+xrhw0OorF8
qzPSfyiW2OjI/9gSAkNggHZBouFZCESpdM4aQQuWwrjPIA2OySAL0ji1hOAhswpQ
QFi9cbIfMOhfJwXa1w5h
=U+Yd
-----END PGP SIGNATURE-----
More information about the Debian-med-packaging
mailing list