Bug#674971: mixxx: CPPFLAGS hardening flags missing

Simon Ruderich simon at ruderich.org
Tue May 29 02:29:01 UTC 2012 

Package: mixxx
Version: 1.10.0~dfsg0-3
Severity: normal
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because the build system
ignores them. For more hardening information please have a look
at [1], [2] and [3].

The following patch fixes the issue.

diff -Nru mixxx-1.10.0~dfsg0/debian/rules mixxx-1.10.0~dfsg0/debian/rules
--- mixxx-1.10.0~dfsg0/debian/rules	2012-05-28 10:37:22.000000000 +0200
+++ mixxx-1.10.0~dfsg0/debian/rules	2012-05-29 04:02:34.000000000 +0200
@@ -6,8 +6,10 @@
 PACKAGE = mixxx
 
 export CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
-export CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
-export CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS)
+# The build system ignores CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable
+# the missing (hardening) flags.
+export CFLAGS:=$(shell dpkg-buildflags --get CFLAGS) $(CPPFLAGS)
+export CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS) $(CPPFLAGS)
 export LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
 
 export DEB_HOST_ARCH      ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/bin/mixxx
    /usr/bin/mixxx:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20120529/256b4320/attachment.pgp>

More information about the pkg-multimedia-maintainers mailing list