[Pkg-samba-maint] Bug#665209: ctdb: Hardening flags missing

Simon Ruderich simon at ruderich.org
Thu Mar 22 15:48:14 UTC 2012 

Package: ctdb
Version: 1.12+git20120201-2
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing because the build system ignores
them; LDFLAGS in a few places, CPPFLAGS completely.

The following _and_ the attached patch (use-ldflags.patch) fix
the issue. If possible it should be sent upstream.

diff -Nru ctdb-1.12+git20120201/debian/rules ctdb-1.12+git20120201/debian/rules
--- ctdb-1.12+git20120201/debian/rules	2011-11-06 17:22:42.000000000 +0100
+++ ctdb-1.12+git20120201/debian/rules	2012-03-22 16:20:49.000000000 +0100
@@ -3,7 +3,9 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
-export DEB_CFLAGS_MAINT_APPEND  := -Wall
+# The build system doesn't use CPPFLAGS, pass them to CFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND  := -Wall $(shell dpkg-buildflags --get CPPFLAGS)
 export DEB_BUILD_MAINT_OPTIONS	:= hardening=+bindnow
 
 DESTDIR=$(CURDIR)/debian/tmp

The second attached patch (verbose-build.patch) enables a verbose
build so missing (hardening) flags can be (automatically)
detected. Please apply it too.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/smnotify /usr/bin/ping_pong /usr/bin/ltdbtool ...
    /usr/bin/smnotify:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/ping_pong:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/ltdbtool:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    ...

(Position Independent Executable is not enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: use-ldflags.patch
Type: text/x-diff
Size: 962 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20120322/db757d48/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: verbose-build.patch
Type: text/x-diff
Size: 7969 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20120322/db757d48/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20120322/db757d48/attachment.pgp>

More information about the Pkg-samba-maint mailing list