Bug#687645: exim4: Hardening flags missing
Simon Ruderich
simon at ruderich.org
Fri Sep 14 15:15:45 UTC 2012
Package: exim4
Version: 4.80-4
Severity: important
Tags: patch
Dear Maintainer,
The CPPFLAGS and LDFLAGS hardening flags are missing because they
are ignored by the build system. For more hardening information
please have a look at [1], [2] and [3].
The attached patches (exim_debian_rules.patch and
fix-missing-ldflags.patch) fix the issue but I'm not sure if
forcing LFLAGS to LDFLAGS is the best way to handle the LDFLAGS
problem.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):
$ hardening-check /usr/lib/exim4/eximon.bin /usr/sbin/exim4 /usr/sbin/exim4 /usr/sbin/exim_lock /usr/sbin/exim_dbmbuild /usr/sbin/exim_tidydb ...
/usr/lib/exim4/eximon.bin:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/exim4:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/exim4:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/exim_lock:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/exim_dbmbuild:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/exim_tidydb:
Position Independent Executable: yes
...
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
When checking the build log with blhc, the build system causes
many false positives; the attached patches
makefile-missing-fullecho.patch and fix-too-verbose.patch fix
this issue. I'm not sure if it's worth including them, but they
are useful while testing.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
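The per-file check above is easy to eyeball for a handful of binaries, but a whole build tree is better checked mechanically. The script below is an added example, not part of the bug report or the exim4 package: it parses the output format hardening-check prints (shown in the report) and fails when any file answers "no" to a property. It assumes that exact format; the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or exim4): turn hardening-check
# output into a pass/fail result for a whole build tree. Typical use:
#   find debian/tmp -type f \( -executable -o -name '*.so*' \) \
#       -exec hardening-check {} + | sh hardening-report.sh
# Assumes hardening-check's format: a "path:" header line followed by
# one "Property: yes|no|unknown ..." line per check.

# Emit "path<TAB>property" for every property answered "no".
# "unknown" answers (e.g. no fortifiable libc calls) are not failures.
hardening_failures() {
    awk '
        # Header line: a path ending in ":" and no "Name: answer" pair.
        /^[^ ].*:$/ { path = $0; sub(/:$/, "", path); next }
        # Property line: "Name: answer", possibly indented by one space.
        /^ *[A-Za-z][A-Za-z -]*: / {
            i = index($0, ": ")
            prop = substr($0, 1, i - 1); sub(/^ +/, "", prop)
            answer = substr($0, i + 2)
            if (answer ~ /^no/) printf "%s\t%s\n", path, prop
        }
    ' "$@"
}

# Exit 0 when every file passes, 1 otherwise (failures go to stderr).
check_hardening() {
    failures=$(hardening_failures "$@")
    if [ -n "$failures" ]; then
        printf '%s\n' "$failures" >&2
        return 1
    fi
    return 0
}

# Constructed sample: one fully hardened binary, one built without PIE
# and stack protector (answers copied from hardening-check's wording).
sample_output() {
    cat <<'EOF'
/usr/sbin/exim4:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/sbin/exim_lock:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
EOF
}

# Stand-alone demo on the constructed sample: `sh hardening-report.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    sample_output | check_hardening || echo "hardening failures found"
fi
```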
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exim_debian_rules.patch
Type: text/x-diff
Size: 420 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-exim4-maintainers/attachments/20120914/df2ff81a/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-missing-ldflags.patch
Type: text/x-diff
Size: 1269 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-exim4-maintainers/attachments/20120914/df2ff81a/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: makefile-missing-fullecho.patch
Type: text/x-diff
Size: 1523 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-exim4-maintainers/attachments/20120914/df2ff81a/attachment-0002.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-too-verbose.patch
Type: text/x-diff
Size: 8909 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-exim4-maintainers/attachments/20120914/df2ff81a/attachment-0003.patch>