Bug#658929: Please enable hardened build flags
Fabian Greffrath
fabian at greffrath.com
Fri Mar 2 12:43:02 UTC 2012
Alright, I have successfully built libav with hardening flags enabled
*on i386*. I have enabled them by applying the attached
libav-hardening.patch against debian/confflags and
format-security.patch against libavcodec/srtdec.c to fix a format
string vulnerability.
However, I am hesitating to push these changes already. As you can
see, the hardening flags are injected where the CFLAGS and LDFLAGS
variables have been unconditionally reset to empty strings before. It
has been like this since version 3:0.svn20080925-1 for the CFLAGS
(committed with comment "# XXX this probably needs fixing") and since
30 Jan 2011 for LDFLAGS, see
<http://anonscm.debian.org/gitweb/?p=pkg-multimedia/libav.git;a=commitdiff;h=17e588e364b1f67c5e4c513bd24a91292bf24522>.
I don't know the exact reason for resetting CFLAGS, but it seems the
resetting of LDFLAGS was needed because of an Ubuntu-specific default
flag that caused the build to break. Maybe this specific flag could
get filtered out of LDFLAGS as done in x264. However, this was on
amd64 apparently, so I couldn't test it myself.
However, I believe the next upload with these changes included should
target the experimental suite. ;)
- Fabian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: format-security.patch
Type: text/x-diff
Size: 1209 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20120302/4f80524f/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libav-hardening.patch
Type: text/x-diff
Size: 656 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20120302/4f80524f/attachment-0001.patch>