Bug#687704: speex: Hardening flags missing
Simon Ruderich
simon at ruderich.org
Sat Sep 15 10:53:53 UTC 2012
Package: speex
Version: 1.2~rc1-6
Severity: normal
Tags: patch
Dear Maintainer,
Some hardening flags (format flags and relro on some archs) are
still missing because they are not set in debian/rules. For more
hardening information please have a look at [1], [2] and [3].
The attached patch fixes the issue by using dpkg-buildflags to
set the default flags. This automatically takes care of old
versions of dpkg-buildpackage setting different flags, handling
noopt and architectures which don't support certain hardening
flags (e.g. relro). -g and -O2 are also added by default (-O0
with noopt). And by using dpkg-buildflags future (hardening)
flags will be automatically added.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):
$ hardening-check /usr/bin/speexenc /usr/bin/speexdec /usr/lib/x86_64-linux-gnu/libspeexdsp.so.1.5.0 /usr/lib/x86_64-linux-gnu/libspeex.so.1.5.0 ...
/usr/bin/speexenc:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/bin/speexdec:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/lib/x86_64-linux-gnu/libspeexdsp.so.1.5.0:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/lib/x86_64-linux-gnu/libspeex.so.1.5.0:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
...
(Position Independent Executable is not enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: speex-hardening.patch
Type: text/x-diff
Size: 1722 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20120915/4c7c2d40/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20120915/4c7c2d40/attachment-0001.pgp>
More information about the Pkg-voip-maintainers
mailing list