Bug#711243: freecad: Hardening CPPFLAGS and LDFLAGS missing

Simon Ruderich simon at ruderich.org
Wed Jun 5 20:42:19 UTC 2013


Package: freecad
Severity: normal
Tags: patch

Dear Maintainer,

The following CPPFLAGS and LDFLAGS hardening flags are missing
because they are not set in debian/rules:

    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cd /«PKGBUILDDIR»/obj-arm-linux-gnueabi/src/3rdParty/salomesmesh && /usr/bin/c++   -DCSFDB -DDriver_EXPORTS -DHAVE_CONFIG_H -DHAVE_LIMITS_H -DLIN -DOCC_CONVERT_SIGNALS -DQT_CORE_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_OPENGL_LIB -DQT_SVG_LIB -DQT_UITOOLS_LIB -DQT_WEBKIT_LIB -DQT_XML_LIB -Wall -DHAVE_SWIG=1 -fpermissive -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O3 -DNDEBUG -fPIC -I/«PKGBUILDDIR»/obj-arm-linux-gnueabi -isystem /usr/include/qt4 -isystem /usr/include/qt4/QtOpenGL -isystem /usr/include/qt4/QtSvg -isystem /usr/include/qt4/QtUiTools -isystem /usr/include/qt4/QtWebKit -isystem /usr/include/qt4/QtGui -isystem /usr/include/qt4/QtXml -isystem /usr/include/qt4/QtNetwork -isystem /usr/include/qt4/QtCore -I/«PKGBUILDDIR»/obj-arm-linux-gnueabi/src -I/«PKGBUILDDIR»/src -I/«PKGBUILDDIR»/src/3rdParty/salomesmesh -I/«PKGBUILDDIR»/src/3rdParty/salomesmesh/inc -I/usr/lib/oce-0.9.1/../../include/oce -I/«PKGBUILDDIR»/src/3rdParty/salomesmesh/src/SMDS -I/«PKGBUILDDIR»/src/3rdParty/salomesmesh/src/Driver -I/«PKGBUILDDIR»/src/3rdParty/salomesmesh/src/DriverSTL -I/«PKGBUILDDIR»/src/3rdParty/salomesmesh/src/DriverDAT -I/«PKGBUILDDIR»/src/3rdParty/salomesmesh/src/DriverUNV -I/«PKGBUILDDIR»/src/3rdParty/salomesmesh/src/SMESHDS -I/«PKGBUILDDIR»/src/3rdParty/salomesmesh/src/SMESH -I/«PKGBUILDDIR»/src/3rdParty/salomesmesh/src/StdMeshers    -Wno-write-strings -Wno-deprecated -o CMakeFiles/Driver.dir/src/Driver/Driver_Mesh.cpp.o -c /«PKGBUILDDIR»/src/3rdParty/salomesmesh/src/Driver/Driver_Mesh.cpp
    [...]
    LDFLAGS missing (-Wl,-z,relro): /usr/bin/c++   -Wall -DHAVE_SWIG=1 -fpermissive -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -g -DNDEBUG    CMakeFiles/FreeCADMain.dir/MainGui.cpp.o  -o ../../bin/FreeCAD -rdynamic ../../lib/libFreeCADGui.so ../../lib/libFreeCADApp.so ../../lib/libFreeCADBase.so -lpython2.7 -lxerces-c -lz -lutil -ldl -lzipios -lCoin -lSoQt -lQtOpenGL -lQtSvg -Wl,-Bstatic -lQtUiTools -Wl,-Bdynamic -lQtWebKit -lQtXmlPatterns -lQtGui -lQtXml -lQtNetwork -lQtCore -lboost_filesystem-mt -lboost_program_options-mt -lboost_regex-mt -lboost_signals-mt -lboost_system-mt -lboost_thread-mt -lpthread -lGL -lspnav -Wl,-rpath,/«PKGBUILDDIR»/obj-arm-linux-gnueabi/lib:
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cd /«PKGBUILDDIR»/obj-arm-linux-gnueabi/src/Main && /usr/bin/c++   -DHAVE_CONFIG_H -DQT_CORE_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_NO_DEBUG -DQT_OPENGL_LIB -DQT_SVG_LIB -DQT_UITOOLS_LIB -DQT_WEBKIT_LIB -DQT_XML_LIB -Wall -DHAVE_SWIG=1 -fpermissive -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -g -DNDEBUG -I/«PKGBUILDDIR»/obj-arm-linux-gnueabi -isystem /usr/include/qt4 -isystem /usr/include/qt4/QtOpenGL -isystem /usr/include/qt4/QtSvg -isystem /usr/include/qt4/QtUiTools -isystem /usr/include/qt4/QtWebKit -isystem /usr/include/qt4/QtGui -isystem /usr/include/qt4/QtXml -isystem /usr/include/qt4/QtNetwork -isystem /usr/include/qt4/QtCore -I/«PKGBUILDDIR»/obj-arm-linux-gnueabi/src -I/«PKGBUILDDIR»/src -I/usr/include/python2.7    -Wno-write-strings -Wno-deprecated -o CMakeFiles/FreeCADMainCmd.dir/MainCmd.cpp.o -c /«PKGBUILDDIR»/src/Main/MainCmd.cpp
    LDFLAGS missing (-Wl,-z,relro): /usr/bin/c++   -Wall -DHAVE_SWIG=1 -fpermissive -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -g -DNDEBUG    CMakeFiles/FreeCADMainCmd.dir/MainCmd.cpp.o  -o ../../bin/FreeCADCmd -rdynamic ../../lib/libFreeCADApp.so -lQtOpenGL -lQtSvg -Wl,-Bstatic -lQtUiTools -Wl,-Bdynamic -lQtWebKit -lQtXmlPatterns -lQtGui -lQtXml -lQtNetwork -lQtCore ../../lib/libFreeCADBase.so -lpython2.7 -lxerces-c -lz -lutil -ldl -lzipios -lboost_filesystem-mt -lboost_program_options-mt -lboost_regex-mt -lboost_signals-mt -lboost_system-mt -lboost_thread-mt -lpthread -lQtCore -Wl,-rpath,/«PKGBUILDDIR»/obj-arm-linux-gnueabi/lib:
    [...]

For more hardening information please have a look at [1], [2] and
[3].

The following patch fixes the issue by setting the necessary
compiler flags.

diff -Nru freecad-0.13.1830-dfsg/debian/rules freecad-0.13.1830-dfsg/debian/rules
--- freecad-0.13.1830-dfsg/debian/rules	2013-05-02 23:07:15.000000000 +0200
+++ freecad-0.13.1830-dfsg/debian/rules	2013-06-05 22:21:51.000000000 +0200
@@ -9,9 +9,10 @@
 
 extra_flags += \
 -DFREECAD_BUILD_DEBIAN=ON \
--DCMAKE_CXX_FLAGS="-Wall -DHAVE_SWIG=1 -fpermissive $(shell dpkg-buildflags --get CXXFLAGS)" \
--DCMAKE_C_FLAGS="-Wall -fpermissive $(shell dpkg-buildflags --get CFLAGS)" \
+-DCMAKE_CXX_FLAGS="-Wall -DHAVE_SWIG=1 -fpermissive $(shell dpkg-buildflags --get CXXFLAGS) $(shell dpkg-buildflags --get CPPFLAGS)" \
+-DCMAKE_C_FLAGS="-Wall -fpermissive $(shell dpkg-buildflags --get CFLAGS) $(shell dpkg-buildflags --get CPPFLAGS)" \
 -DCMAKE_SHARED_LINKER_FLAGS="-lrt $(shell dpkg-buildflags --get LDFLAGS)" \
+-DCMAKE_EXE_LINKER_FLAGS="$(shell dpkg-buildflags --get LDFLAGS)" \
 -DINSTALL_RPATH="/usr/lib/freecad/lib" \
 -DCMAKE_INSTALL_PREFIX="/usr" \
 -DCMAKE_INSTALL_DATADIR="share/freecad" \
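Review bot: The LDFLAGS from dpkg-buildflags now reach CMAKE_SHARED_LINKER_FLAGS and the new CMAKE_EXE_LINKER_FLAGS, but targets declared with add_library(... MODULE ...) link with CMAKE_MODULE_LINKER_FLAGS, which this hunk leaves unset, so any such target (a plugin or Python extension built as a MODULE; whether freecad has one cannot be confirmed from the hunk) would still be linked without -Wl,-z,relro. Adding `-DCMAKE_MODULE_LINKER_FLAGS="$(shell dpkg-buildflags --get LDFLAGS)" \` next to the new EXE line closes that gap, and a `blhc` run on the next build log would confirm whether it was needed. The extra_flags assignment continues past the end of the hunk, since its last visible line still ends in a backslash.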

CMake doesn't respect CPPFLAGS by default, therefore they are
passed via CFLAGS and CXXFLAGS.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package (Position
Independent Executable and Immediate binding are not enabled by
default) and check the build log with `blhc` (hardening-check
doesn't catch everything).

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

