Bug#688697: texmaker: CPPFLAGS hardening flags missing

Simon Ruderich simon at ruderich.org
Mon Sep 24 21:07:44 UTC 2012


Package: texmaker
Version: 3.4-1
Severity: normal
Tags: patch

Dear Maintainer,

The following CPPFLAGS hardening flags are missing because they
are not correctly set in debian/rules:

    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -w -D_REENTRANT -DQT_WEBKIT -DTEXMAKERVERSION=\"3.4\" -DHAVE_SPLASH -DPREFIX=\"/usr\" -DDEBIAN_SPELLDIR -DQT_NO_DEBUG -DQT_WEBKIT_LIB -DQT_XML_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtXml -I/usr/include/qt4/QtWebKit -I/usr/include/qt4 -I/usr/include/poppler/qt4 -I.moc -I.ui -o .obj/main.o main.cpp
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -w -D_REENTRANT -DQT_WEBKIT -DTEXMAKERVERSION=\"3.4\" -DHAVE_SPLASH -DPREFIX=\"/usr\" -DDEBIAN_SPELLDIR -DQT_NO_DEBUG -DQT_WEBKIT_LIB -DQT_XML_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtXml -I/usr/include/qt4/QtWebKit -I/usr/include/qt4 -I/usr/include/poppler/qt4 -I.moc -I.ui -o .obj/texmakerapp.o texmakerapp.cpp
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -w -D_REENTRANT -DQT_WEBKIT -DTEXMAKERVERSION=\"3.4\" -DHAVE_SPLASH -DPREFIX=\"/usr\" -DDEBIAN_SPELLDIR -DQT_NO_DEBUG -DQT_WEBKIT_LIB -DQT_XML_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtXml -I/usr/include/qt4/QtWebKit -I/usr/include/qt4 -I/usr/include/poppler/qt4 -I.moc -I.ui -o .obj/texmaker.o texmaker.cpp
    [...]

For more hardening information please have a look at [1], [2] and
[3].

The problem is that Qt doesn't respect CPPFLAGS by default.
However dh_auto_build automatically handles that for you. I
haven't tested the resulting binary, but it should work fine.

The following patch fixes the issue by using the default
dh_auto_build. If that doesn't work you have to pass the flags
manually (the best way is to look at what dh_auto_build uses by setting
`export DH_VERBOSE=1` in the rules file), or call dh_auto_build
with the necessary flags.

diff -Nru texmaker-3.4/debian/rules texmaker-3.4/debian/rules
--- texmaker-3.4/debian/rules	2012-07-19 12:13:26.000000000 +0200
+++ texmaker-3.4/debian/rules	2012-09-24 23:05:44.000000000 +0200
@@ -11,9 +11,6 @@
 	$(RM) .obj/* .moc/* .ui/* 
 	dh_auto_clean
 
-override_dh_auto_build:
-	qmake-qt4 -unix PREFIX=/usr QMAKE_CFLAGS="$(CPPFLAGS)" QMAKE_CXXFLAGS="$(CXXFLAGS)" QMAKE_LFLAGS="$(LDFLAGS)" texmaker.pro
-
 override_dh_auto_test:
 	# do not try testing
 
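Review bot: removing the override also drops the explicit `PREFIX=/usr` that the old `qmake-qt4 -unix PREFIX=/usr ...` line passed to qmake, so please confirm that the default dh qmake invocation still yields the `-DPREFIX=\"/usr\"` visible in the build log above (or pass it through to the qmake step, e.g. `dh_auto_configure -- PREFIX=/usr`). It is also worth stating in the changelog why the old line lost the flag: it handed `$(CPPFLAGS)` to `QMAKE_CFLAGS` only, so the C++ compile lines never received `-D_FORTIFY_SOURCE=2`.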

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):

    $ hardening-check --verbose /usr/bin/texmaker
    /usr/bin/texmaker:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
            unprotected: strncpy
            unprotected: memset
            unprotected: strcat
            unprotected: fgets
            unprotected: memmove
            unprotected: strcpy
            unprotected: memcpy
            unprotected: fprintf
            unprotected: fread
            protected: strncpy
            protected: vfprintf
            protected: stpcpy
            protected: strcpy
            protected: memcpy
            protected: printf
            protected: sprintf
            protected: fprintf
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
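As an added illustration (not part of the bug report or of the texmaker or blhc
projects) of the build-log check the report recommends, the script below does
in a few lines what `blhc` does more thoroughly: it picks the compiler
invocations out of a build log and reports the compile lines that lack
`-D_FORTIFY_SOURCE=2` or `-fstack-protector`, and the link lines that lack
`-Wl,-z,relro` or `-Wl,-z,now`. The function names and the sample log lines
are constructed for this example; the second sample compile line carries the
fortify flag, the first one does not, which mirrors the missing-CPPFLAGS
symptom described above.

```shell
#!/bin/sh
# Added example, not from the bug report: a minimal build-log hardening check
# in the spirit of blhc. All function names and sample data are constructed.

# Flags a compile line (an invocation containing " -c ") should carry.
CPPFLAG='-D_FORTIFY_SOURCE=2'
CFLAG='-fstack-protector'
# Flags a link line should carry.
RELRO='-Wl,-z,relro'
NOW='-Wl,-z,now'

# compiler_lines LOGFILE: every gcc/g++ invocation in the log.
compiler_lines() {
    grep -E '^(g[+][+]|gcc|cc|c[+][+]) ' "$1"
}

# missing_flag LOGFILE FLAG: compile lines (with " -c ") that lack FLAG.
missing_flag() {
    compiler_lines "$1" | grep -E ' -c( |$)' | grep -v -F -- "$2"
}

# link_missing LOGFILE FLAG: link lines (no " -c ") that lack FLAG.
link_missing() {
    compiler_lines "$1" | grep -v -E ' -c( |$)' | grep -v -F -- "$2"
}

# count_missing / count_link_missing: number of offending lines (0 if none).
count_missing() {
    missing_flag "$1" "$2" | grep -c . || true
}
count_link_missing() {
    link_missing "$1" "$2" | grep -c . || true
}

# Constructed sample build log: one compile line without the fortify
# define, one with it, and a link line with relro but without bindnow.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
qmake-qt4 -unix PREFIX=/usr texmaker.pro
g++ -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_REENTRANT -o .obj/main.o main.cpp
g++ -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -D_REENTRANT -o .obj/texmakerapp.o texmakerapp.cpp
g++ -Wl,-z,relro -o texmaker .obj/main.o .obj/texmakerapp.o
EOF

# Report: list the offending lines so the reader sees which objects to fix.
for flag in "$CPPFLAG" "$CFLAG"; do
    echo "compile lines missing $flag:"
    missing_flag "$SAMPLE_LOG" "$flag" || echo "  (none)"
done
for flag in "$RELRO" "$NOW"; do
    echo "link lines missing $flag:"
    link_missing "$SAMPLE_LOG" "$flag" || echo "  (none)"
done
```

Run it against a real `dpkg-buildpackage` log instead of the embedded sample to
get the same per-object view the `blhc` output in the report gives; a non-zero
count from `count_missing` is the signal that the flag is not reaching the
compiler, whatever `debian/rules` appears to pass.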