[Pkg-alsa-devel] Bug#662256: alsa-plugins: LDFLAGS hardening flags missing
Simon Ruderich
simon at ruderich.org
Mon Mar 5 01:25:04 UTC 2012
Package: alsa-plugins
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
The LDFLAGS hardening flags are missing because they are
overwritten in debian/rules.
DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].
The following patch fixes the issue.
diff -Nru alsa-plugins-1.0.25/debian/rules alsa-plugins-1.0.25/debian/rules
--- alsa-plugins-1.0.25/debian/rules 2012-02-12 00:22:10.000000000 +0100
+++ alsa-plugins-1.0.25/debian/rules 2012-03-05 02:09:58.000000000 +0100
@@ -1,4 +1,7 @@
#!/usr/bin/make -f
+
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs
+
%:
dh $@ --with autoreconf
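Review bot: the new `export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs` only reaches the link if dpkg-buildflags is actually consulted during the build; with `dh $@` that happens automatically from debhelper compat level 9 on, but the hunk does not show debian/compat, so confirm it is at least 9 (or add `include /usr/share/dpkg/buildflags.mk` and export the resulting LDFLAGS) before relying on it. A one-line comment above the export saying why `-z defs` is appended here instead of being passed to configure would also help the next maintainer.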
@@ -10,8 +13,7 @@
--with-plugindir=/usr/lib/$(DEB_HOST_MULTIARCH)/alsa-lib \
--with-avcodec-includedir=\$${prefix}/include/libavcodec \
--host=$(DEB_HOST_GNU_TYPE) \
- --build=$(DEB_BUILD_GNU_TYPE) \
- LDFLAGS=-Wl,-z,defs
+ --build=$(DEB_BUILD_GNU_TYPE)
override_dh_auto_install:
dh_auto_install --destdir=debian/tmp
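Review bot: dropping `LDFLAGS=-Wl,-z,defs` from the configure arguments is the actual fix: a `VAR=value` argument to configure replaces whatever LDFLAGS dh_auto_configure exported, which is why `-Wl,-z,relro` and the other dpkg-buildflags defaults never reached the link. After the rebuild, check the configure invocation in the build log shows LDFLAGS containing both `-Wl,-z,relro` and `-Wl,-z,defs`, and that the line `--build=$(DEB_BUILD_GNU_TYPE)` (now the last argument, without the trailing backslash) leaves the command complete.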
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
$ hardening-check /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_rate_speexrate.so ...
/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_rate_speexrate.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_rate_samplerate.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
...
(The stack protected and fortify source warnings are fine in this
case; the flags are correctly applied.)
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
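The two hardening-check lines that matter for this bug ("Read-only relocations" and "Immediate binding") can be reproduced straight from the ELF headers. The following is an added example, not part of the bug report and not hardening-check's own code (which scrapes `readelf -l` / `readelf -d`): it reads the program headers for PT_GNU_RELRO (what `-Wl,-z,relro`, the dpkg-buildflags default, produces) and the dynamic section for BIND_NOW (what `-Wl,-z,now` produces). The input it runs on offline is a constructed ELF64 header shell, not a real alsa-lib plugin; point it at the real .so files to compare against the output above. Note that `-Wl,-z,defs`, the flag the patch preserves, is not something hardening-check reports on at all; it only makes the link fail on unresolved symbols.

```python
"""Reproduce two hardening-check tests directly from ELF64 headers.

Added example (not from the bug report or from hardening-check itself):
 - "Read-only relocations": a PT_GNU_RELRO program header, emitted
   when the link ran with -Wl,-z,relro (the dpkg-buildflags default).
 - "Immediate binding": DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS or
   DF_1_NOW in DT_FLAGS_1, emitted by -Wl,-z,now.
Simplified: little-endian ELF64 only, no readelf involved.
"""
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")            # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                   # Elf64_Dyn, 16 bytes


def check_hardening(data):
    """Return {'relro': bool, 'bind_now': bool} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    fields = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    relro = False
    dyn_off = dyn_size = None
    for i in range(phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _memsz, _align = \
            PHDR.unpack_from(data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:          # what -Wl,-z,relro leaves behind
            relro = True
        elif p_type == PT_DYNAMIC:          # locates the dynamic array in the file
            dyn_off, dyn_size = p_offset, p_filesz
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True             # what -Wl,-z,now leaves behind
    return {"relro": relro, "bind_now": bind_now}


def build_sample_elf(relro, bind_now):
    """Constructed input: an ELF64 header shell with just the program
    headers check_hardening looks at.  Not loadable; test data only."""
    dyn = b""
    if bind_now:
        dyn += DYN.pack(DT_FLAGS, DF_BIND_NOW)
    dyn += DYN.pack(DT_NULL, 0)
    phnum = 2 if relro else 1
    dyn_off = EHDR.size + phnum * PHDR.size     # dynamic array follows the phdrs
    phdrs = PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += PHDR.pack(PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, v1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 64, 0, 0)  # ET_DYN, EM_X86_64
    return ehdr + phdrs + dyn


def report(label, data):
    """Print the two lines in hardening-check's own wording; return the result."""
    r = check_hardening(data)
    print(f"{label}:")
    print(" Read-only relocations: " + ("yes" if r["relro"] else "no, not found!"))
    print(" Immediate binding: " + ("yes" if r["bind_now"] else "no, not found!"))
    return r


if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. /usr/lib/x86_64-linux-gnu/alsa-lib/*.so
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                report(path, fh.read())
    else:                          # offline demo on constructed headers
        report("constructed, -z relro only (as in the report)", build_sample_elf(True, False))
        report("constructed, -z relro -z now", build_sample_elf(True, True))
```

Run without arguments it reports on the constructed headers (the first case matches the "relro yes, immediate binding no" pattern shown above); run with real plugin paths it reads the files themselves. It deliberately does not cover the "Stack protected" and "Fortify Source" tests, which need the dynamic symbol table.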