[Debian-med-packaging] Bug#662818: seaview: Hardening flags missing

Simon Ruderich simon at ruderich.org
Tue Mar 6 16:01:00 UTC 2012


Package: seaview
Version: 1:4.3.3-2
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing because the build system ignores
compiler flags from the environment and doesn't use them during
the build.

The attached patch fixes the issue by patching the Makefile to
use the appropriate flags. If possible it should be sent
upstream.

The following patch updates debian/rules to correctly use LDFLAGS
to add linker flags; with the patch they work fine now.

    diff -Nru seaview-4.3.3/debian/rules seaview-4.3.3/debian/rules
    --- seaview-4.3.3/debian/rules  2012-01-08 12:42:01.000000000 +0100
    +++ seaview-4.3.3/debian/rules  2012-03-06 16:52:20.000000000 +0100
    @@ -7,7 +7,7 @@
     CFLAGS  += -DUSE_XFT -I/usr/include/freetype2 -DFLTK1 -Dunix -Icsrc -I. -DNO_PDF
    
     # Link as needed
    -CFLAGS  += -Wl,--as-needed
    +LDFLAGS += -Wl,--as-needed
    
     # Debian-specific names and paths
     CFLAGS  += -DDEFAULT_HELPFILE=\\\"/usr/share/seaview/seaview.html\\\" -DPHYMLNAME=\\\"phyml\\\"
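
Review bot: the new `LDFLAGS += -Wl,--as-needed` line only takes effect if the link command in the upstream Makefile expands LDFLAGS, and the message states that the build system currently ignores flags from the environment. This hunk therefore depends on the attached use-dpkg-buildflags.patch being applied with it; a comment above the line, or a changelog entry, should record that dependency so the two changes are not separated. As a smaller style point, the `-D` and `-I` options kept in `CFLAGS` in the context lines are preprocessor options and would sit more naturally in `CPPFLAGS` once the Makefile honours it.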

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

    $ hardening-check /usr/bin/seaview
    /usr/bin/seaview:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!

Due to a bug in CDBS (#651964) Fortify Source functions is not
enabled yet, but this will be automatically fixed by a package
rebuild once the bug is fixed.

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-------------- next part --------------
A non-text attachment was scrubbed...
Name: use-dpkg-buildflags.patch
Type: text/x-diff
Size: 2806 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debian-med-packaging/attachments/20120306/017a1767/attachment.patch>
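
An added example, not part of the original message or of the hardening-includes package: a POSIX shell filter that reads `hardening-check` output in the format quoted in the message and lists every check that did not pass. It marks Position Independent Executable and Immediate binding as optional because the message says they are not enabled by default; the function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise hardening-check output for a build log or CI step.

# Constructed sample: the hardening-check output quoted in the message.
sample_output() {
cat <<'EOF'
/usr/bin/seaview:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no not found!
EOF
}

# Reads hardening-check output on stdin and prints one line per check whose
# result does not start with "yes", as "<file><TAB><check><TAB><kind>".
# kind is "optional" for the two features the message says are not enabled
# by default, and "default" for everything else (an assumption taken from
# the message, not from the tool).
failing_checks() {
    awk '
        /^[^ ].*:$/ { file = substr($0, 1, length($0) - 1); next }
        /^ / {
            line = substr($0, 2)
            sep = index(line, ": ")
            if (sep == 0) next
            name = substr(line, 1, sep - 1)
            result = substr(line, sep + 2)
            if (result ~ /^yes/) next
            kind = "default"
            if (name == "Position Independent Executable" ||
                name == "Immediate binding") kind = "optional"
            printf "%s\t%s\t%s\n", file, name, kind
        }'
}

# Succeeds only when no default-enabled hardening feature is missing.
default_hardening_ok() {
    ! failing_checks | grep -q "$(printf '\tdefault$')"
}

# Stand-alone demonstration on the constructed sample.
sample_output | failing_checks
```

On a real build tree, pipe the output of the `find ... -exec hardening-check {} +` command from the message into `failing_checks` instead of the sample.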