Bug#664512: xvidcore: CPPFLAGS hardening flags missing
Simon Ruderich
simon at ruderich.org
Sun Mar 18 14:04:55 UTC 2012
Source: xvidcore
Version: 2:1.3.2.-8
Severity: important
Tags: patch
Dear Maintainer,
The CPPFLAGS hardening flags are missing because the build system
ignores them.
The following patch fixes the issue by adding them to CFLAGS. For
more hardening information please have a look at [1], [2] and
[3].
diff -Nru xvidcore-1.3.2/debian/confflags xvidcore-1.3.2/debian/confflags
--- xvidcore-1.3.2/debian/confflags 2012-03-17 18:49:16.000000000 +0100
+++ xvidcore-1.3.2/debian/confflags 2012-03-18 14:58:51.000000000 +0100
@@ -8,6 +8,10 @@
HARDENED_CFLAGS = -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
endif
+# The build system doesn't use CPPFLAGS, pass them to CFLAGS to enable the
+# missing (hardening) flags.
+HARDENED_CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS) -g
+
# Set CFLAGS from DEB_CFLAGS if defined, otherwise let xvidcore's build system
# set CFLAGS to use.
DEFAULT_CFLAGS = -Wall -O3 -fstrength-reduce -finline-functions -ffast-math \
The attached patch enables verbose builds to make it easy to
(automatically) spot missing hardening flags. Please add it too.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
/usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Immediate binding is not enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: verbose-build.patch
Type: text/x-diff
Size: 7076 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20120318/c328106e/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20120318/c328106e/attachment-0001.pgp>
More information about the pkg-multimedia-maintainers
mailing list