[Debian-med-packaging] Bug#662818: Enhancement for seaview Makefile [Was: Bug#662818: seaview: Hardening flags missing]

Andreas Tille andreas at an3as.eu
Tue Mar 6 22:01:22 UTC 2012


Hi Manolo,

there is a bug report which includes a fix regarding your Makefile.
Please have a look at

    http://bugs.debian.org/662818

or

    http://anonscm.debian.org/viewvc/debian-med/trunk/packages/seaview/trunk/debian/patches/

to inspect the patch which enables simple propagation of flags from
the environment into the seaview Makefile.

Kind regards

        Andreas.

----- Forwarded message from Simon Ruderich <simon at ruderich.org> -----

Date: Tue, 06 Mar 2012 17:01:00 +0100
From: Simon Ruderich <simon at ruderich.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: Bug#662818: seaview: Hardening flags missing

Package: seaview
Version: 1:4.3.3-2
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing because the build system ignores
compiler flags from the environment and doesn't use them during
the build.

The attached patch fixes the issue by patching the Makefile to
use the appropriate flags. If possible it should be sent to
upstream.

The following patch updates debian/rules to correctly use LDFLAGS
to add linker flags; with the patch they work fine now.

    diff -Nru seaview-4.3.3/debian/rules seaview-4.3.3/debian/rules
    --- seaview-4.3.3/debian/rules  2012-01-08 12:42:01.000000000 +0100
    +++ seaview-4.3.3/debian/rules  2012-03-06 16:52:20.000000000 +0100
    @@ -7,7 +7,7 @@
     CFLAGS  += -DUSE_XFT -I/usr/include/freetype2 -DFLTK1 -Dunix -Icsrc -I. -DNO_PDF
    
     # Link as needed
    -CFLAGS  += -Wl,--as-needed
    +LDFLAGS += -Wl,--as-needed
    
     # Debian-specific names and paths
     CFLAGS  += -DDEFAULT_HELPFILE=\\\"/usr/share/seaview/seaview.html\\\" -DPHYMLNAME=\\\"phyml\\\"
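
Review bot: `LDFLAGS += -Wl,--as-needed` only has an effect if the upstream Makefile puts $(LDFLAGS) on the link line, and the unpatched `seaview` rule passes only $(CFLAGS), so this change silently drops --as-needed unless the Makefile patch is applied together with it; a comment next to the line should say so. Separately, the neighbouring `CFLAGS += -DUSE_XFT -I/usr/include/freetype2 ...` and `CFLAGS += -DDEFAULT_HELPFILE=...` lines carry preprocessor options (-D, -I) that would sit more naturally in CPPFLAGS once the Makefile honours that variable.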

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

    $ hardening-check /usr/bin/seaview
    /usr/bin/seaview:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!

Due to a bug in CDBS (#651964) Fortify Source functions is not
enabled yet, but this will be automatically fixed by a package
rebuild once the bug is fixed.

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


Description: Use build flags from environment (dpkg-buildflags).
 Add $CPPFLAGS and $LDFLAGS for (hardening) flags.
 .
 Normally $CXXFLAGS is used to compile .cxx/.cpp files, but this wasn't
 changed.
Author: Simon Ruderich <simon at ruderich.org>
Last-Update: 2012-03-06

Index: seaview-4.3.3/Makefile
===================================================================
--- seaview-4.3.3.orig/Makefile	2012-03-06 16:28:13.870242829 +0100
+++ seaview-4.3.3/Makefile	2012-03-06 16:31:48.502240913 +0100
@@ -36,7 +36,7 @@
 #DEBUG = -g
 OPT = $(shell if [ '$(DEBUG)' = '' ]; then echo '-O3'; else echo '-O0'; fi)
 
-CFLAGS  = $(USE_XFT) -DFLTK1 -Dunix $(OPT) $(IFLTK) -I$(CSRC) -I. $(DEBUG) $(HELPFILE) $(PHYMLNAME) $(PDF_PS_FLAGS)
+CFLAGS  += $(USE_XFT) -DFLTK1 -Dunix $(OPT) $(IFLTK) -I$(CSRC) -I. $(DEBUG) $(HELPFILE) $(PHYMLNAME) $(PDF_PS_FLAGS)
 
 
 OBJECTS = custom.o use_mase_files.o regions.o load_seq.o align.o xfmatpt.o comlines.o resource.o nexus.o viewasprots.o racnuc_fetch.o concatenate.o \
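
Review bot: with `CFLAGS +=` the upstream options are appended after whatever CFLAGS the environment supplies, and $(OPT) expands to -O3 (or -O0 when DEBUG is set), so the Makefile's optimisation level comes last on the command line and overrides the one chosen by the packaging, since GCC honours the last -O option. If the environment's level should win, take $(OPT) out of this line or place the environment flags after it. Note also that `+=` is ignored without `override` when CFLAGS is given as a make command-line argument, in which case the -D and -I options on this line would be lost.
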
@@ -47,37 +47,37 @@
 
 
 seaview : seaview.cxx $(OBJECTS)
-	$(CXX) -o $@ $(DEBUG)  $(CFLAGS) seaview.cxx $(OBJECTS)  \
+	$(CXX) -o $@ $(DEBUG)  $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) seaview.cxx $(OBJECTS)  \
 	      $(LFLTK) -lfltk_images -lfltk  \
 	     $(EXTRALIBS) \
          -lX11 -lm -lz    
 
 raa_acnuc.o : $(CSRC)/raa_acnuc.c
-	$(CC) -c $(CFLAGS) $(CSRC)/raa_acnuc.c
+	$(CC) -c $(CFLAGS) $(CPPFLAGS) $(CSRC)/raa_acnuc.c
 parser.o : $(CSRC)/parser.c
-	$(CC) -c $(CFLAGS) $(CSRC)/parser.c
+	$(CC) -c $(CFLAGS) $(CPPFLAGS) $(CSRC)/parser.c
 misc_acnuc.o : $(CSRC)/misc_acnuc.c
-	$(CC) -c $(CFLAGS) $(CSRC)/misc_acnuc.c
+	$(CC) -c $(CFLAGS) $(CPPFLAGS) $(CSRC)/misc_acnuc.c
 md5.o : $(CSRC)/md5.c
-	$(CC) -c $(CFLAGS) $(CSRC)/md5.c
+	$(CC) -c $(CFLAGS) $(CPPFLAGS) $(CSRC)/md5.c
 zsockr.o : $(CSRC)/zsockr.c
-	$(CC) -c $(CFLAGS) $(CSRC)/zsockr.c
+	$(CC) -c $(CFLAGS) $(CPPFLAGS) $(CSRC)/zsockr.c
 dnapars.o : csrc/dnapars.c
-	$(CC) -c $(CFLAGS)  csrc/dnapars.c
+	$(CC) -c $(CFLAGS) $(CPPFLAGS)  csrc/dnapars.c
 protpars.o : csrc/protpars.c
-	$(CC) -c $(CFLAGS)  csrc/protpars.c
+	$(CC) -c $(CFLAGS) $(CPPFLAGS)  csrc/protpars.c
 lwl.o : csrc/lwl.c
-	$(CC) -c $(CFLAGS)  csrc/lwl.c
+	$(CC) -c $(CFLAGS) $(CPPFLAGS)  csrc/lwl.c
 bionj.o : csrc/bionj.c
-	$(CC) -c $(CFLAGS) csrc/bionj.c
+	$(CC) -c $(CFLAGS) $(CPPFLAGS) csrc/bionj.c
 phyml_util.o : csrc/phyml_util.c
-	$(CC) -c $(CFLAGS) csrc/phyml_util.c
+	$(CC) -c $(CFLAGS) $(CPPFLAGS) csrc/phyml_util.c
 Fl_Native_File_Chooser_FLTK.o : FL/Fl_Native_File_Chooser_FLTK.cxx
-	$(CC) -c $(CFLAGS) FL/Fl_Native_File_Chooser_FLTK.cxx
+	$(CC) -c $(CFLAGS) $(CPPFLAGS) FL/Fl_Native_File_Chooser_FLTK.cxx
 
 .SUFFIXES:	.c .cxx .h .o
 
 .cxx.o :
-	$(CXX) -c $(CFLAGS) $<
+	$(CXX) -c $(CFLAGS) $(CPPFLAGS) $<
 .c.o :
-	$(CC) -c $<
+	$(CC) -c $(CFLAGS) $(CPPFLAGS) $<
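
Review bot: the `.cxx.o` rule, the `Fl_Native_File_Chooser_FLTK.o` rule and the `seaview` link rule still build C++ sources with $(CFLAGS) only, so CXXFLAGS from the environment never reaches the compiler and anything set only there is dropped; adding $(CXXFLAGS) to those three rules would close the gap that the patch description acknowledges. `Fl_Native_File_Chooser_FLTK.o` also invokes $(CC) on a .cxx file, where $(CXX) would match the `.cxx.o` rule. The `.c.o` change from `$(CC) -c $<` to `$(CC) -c $(CFLAGS) $(CPPFLAGS) $<` goes beyond flag propagation, because files built by that rule now also receive $(OPT) and the upstream defines; that is worth a line in the description.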

_______________________________________________
Debian-med-packaging mailing list
Debian-med-packaging at lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/debian-med-packaging


----- End forwarded message -----

-- 
http://fam-tille.de
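
An added example, not part of the original mails or of the hardening-includes package: a small filter that reads `hardening-check` output in the format quoted in the bug report and lists every check reported as "no". The function names `hardening_failures` and `sample_report` are made up for this illustration, and the sample input is the report from the mail.

```shell
#!/bin/sh
# Added example: summarise hardening-check output read from stdin.
# Prints "<file>: <check>" for every check whose result starts with "no".
# With the argument "defaults", Position Independent Executable and
# Immediate binding are skipped, because the bug report states they are
# not enabled by default.
hardening_failures() {
    awk -v mode="${1:-all}" '
        # A line such as "/usr/bin/seaview:" starts the report for one file.
        /^[^ ].*:$/ { file = substr($0, 1, length($0) - 1); next }
        # Indented result lines look like " Stack protected: yes".
        /^ +[^:]+: / {
            line = $0
            sub(/^ +/, "", line)
            split_at = index(line, ": ")
            check = substr(line, 1, split_at - 1)
            result = substr(line, split_at + 2)
            if (result !~ /^no([ ,]|$)/) next
            if (mode == "defaults" &&
                (check == "Position Independent Executable" ||
                 check == "Immediate binding")) next
            print file ": " check
        }'
}

# Constructed sample: the hardening-check output quoted in the bug report.
sample_report() {
    cat <<'EOF'
/usr/bin/seaview:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no not found!
EOF
}

# Only the check that the default flags should have enabled is listed.
sample_report | hardening_failures defaults
```

To cover a whole build tree, pipe the output of the `find ... -exec hardening-check {} +` command from the report into `hardening_failures defaults` and treat any printed line as a failure.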




