[xml/sgml-pkgs] Bug#681163: libxslt: LDFLAGS hardening flags missing for dbg package

Simon Ruderich simon at ruderich.org
Wed Jul 11 01:04:48 UTC 2012


Package: libxslt
Version: 1.1.26-13
Severity: normal
Tags: patch

Dear Maintainer,

The LDFLAGS hardening flags are missing for the dbg package
because they are not set in debian/rules. For more hardening
information please have a look at [1], [2] and [3].

The following patch fixes the issue.

diff -Nru libxslt-1.1.26/debian/rules libxslt-1.1.26/debian/rules
--- libxslt-1.1.26/debian/rules	2012-07-05 05:05:21.000000000 +0200
+++ libxslt-1.1.26/debian/rules	2012-07-11 02:50:09.000000000 +0200
@@ -37,7 +37,7 @@
 
 dobuild-python%: BUILD_DIR=builddir/main/$*
 dobuild-python%-dbg: BUILD_FLAGS = PYTHON_INCLUDES=/usr/include/$(*:-dbg=_d) \
-    LDFLAGS="-L$(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)" CFLAGS="-Wall -g -O0"
+    LDFLAGS="$(LDFLAGS) -L$(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)" CFLAGS="$(CFLAGS) -Wall -O0"
 
 override_dh_auto_clean:
 	rm -rf builddir debian/tmp-dbg config.sub config.guess autogen.sh
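Review bot: On the `+` line the explicit `-g` is dropped from CFLAGS, so the dbg build now relies entirely on `$(CFLAGS)` and `$(LDFLAGS)` being populated at this point in debian/rules, which the hunk does not show. If either is empty, the python dbg extension silently loses both its debug symbols and the hardening flags. Suggest keeping `-g` explicitly, or confirming that the dpkg-buildflags values are set or exported above this rule. BUILD_FLAGS also sets only LDFLAGS and CFLAGS here, so it is worth checking that CPPFLAGS reaches this build as well, and a one-line comment in the rule that the trailing `-O0` is meant to override the default optimisation level would save the next reader a lookup.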

-O0 overrides the default -O2.

Enabling the hardening flags for the complete package allows
automatic checks for missing hardening flags and is generally a
good idea.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything).

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
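
The build-log check recommended in the mail, illustrated as an added example that is not part of the original message and is not blhc's code. The required flag list is an assumption (the dpkg-buildflags defaults of that period, which the mail does not list), and `check_log` and the log lines are constructed for illustration.

```python
import re
import shlex

# Assumption: the flags dpkg-buildflags emitted by default around 2012.
# The mail does not list them; adjust for your release.
COMPILE_FLAGS = ("-fstack-protector", "-Wformat", "-Werror=format-security",
                 "-D_FORTIFY_SOURCE=2")
LINK_FLAGS = ("-Wl,-z,relro",)
COMPILER = re.compile(r"(^|[/-])(gcc|g\+\+|cc|c\+\+)(-[\d.]+)?$")
SOURCES = (".c", ".cc", ".cpp", ".cxx")


def check_log(log_text):
    """Return [(line_number, problem)] for compiler lines lacking hardening."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a plain command line
            continue
        if not argv or not COMPILER.search(argv[0]):
            continue
        args = argv[1:]
        required = []
        if any(a.endswith(SOURCES) for a in args):   # compiles a source file
            required += COMPILE_FLAGS
        if not {"-c", "-S", "-E"} & set(args):       # also runs the linker
            required += LINK_FLAGS
        missing = [f for f in required if f not in args]
        if missing:
            findings.append((number, "missing " + " ".join(missing)))
        # gcc honours the last -O option; glibc's fortify wrappers need -O1+.
        levels = [a for a in args if a.startswith("-O")]
        if "-D_FORTIFY_SOURCE=2" in args and (not levels or levels[-1] == "-O0"):
            findings.append(
                (number, "-D_FORTIFY_SOURCE=2 has no effect without optimisation"))
    return findings


# Constructed log lines modelled on the dbg build without and with the flags.
SAMPLE_LOG = """\
gcc -Wall -g -O0 -c libxslt.c -o libxslt.o
gcc -shared libxslt.o -L/tmp/usr/lib -o libxsltmod.so
gcc -g -O2 -fstack-protector -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wall -O0 -c libxslt.c -o libxslt.o
gcc -shared libxslt.o -Wl,-z,relro -L/tmp/usr/lib -o libxsltmod.so
"""

if __name__ == "__main__":
    for number, problem in check_log(SAMPLE_LOG):
        print(f"line {number}: {problem}")
```

The third sample line carries every flag yet is still reported, because the trailing `-O0` leaves the fortify macro inert.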