[Python-modules-team] Bug#666679: pyside: CPPFLAGS hardening flags missing

Simon Ruderich simon at ruderich.org
Sat Mar 31 21:11:40 UTC 2012


Package: pyside
Version: 1.1.0-1
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores
them by default.

The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].

diff -Nru pyside-1.1.0/debian/rules pyside-1.1.0/debian/rules
--- pyside-1.1.0/debian/rules	2012-01-04 10:48:07.000000000 +0100
+++ pyside-1.1.0/debian/rules	2012-03-29 20:48:50.000000000 +0200
@@ -1,5 +1,13 @@
 #!/usr/bin/make -f
 
+# Enable verbose build to detect missing (hardening) flags.
+export VERBOSE=1
+
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND   = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
 %:
 	dh $@ --with python2 --with python3 --buildsystem=cmake --parallel
 
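Review bot: Both `DEB_*_MAINT_APPEND` assignments use recursive `=` with `$(shell dpkg-buildflags --get CPPFLAGS)`, so dpkg-buildflags is re-executed every time make expands either variable; assign once with `:=` (for example `CMAKE_CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)` and then `export DEB_CFLAGS_MAINT_APPEND = $(CMAKE_CPPFLAGS)` / `export DEB_CXXFLAGS_MAINT_APPEND = $(CMAKE_CPPFLAGS)`), which runs the command once and guarantees the C and C++ values cannot diverge. The comment should also say that this only works because `dh --buildsystem=cmake` (visible in the `%:` rule below) takes CFLAGS/CXXFLAGS from dpkg-buildflags, which is what makes the `_MAINT_APPEND` variables reach the compiler.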

It also enables verbose builds to make it easy to (automatically)
spot missing hardening flags.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything).

However, at the moment fortification (which is set by CPPFLAGS) is
not yet used because there are no protectable functions. Still,
passing CPPFLAGS is important to automatically protect new
functions in the future.

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
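The build-log check recommended above, as an added example that is not part of the bug report or of the pyside package: a POSIX shell function that scans a VERBOSE=1 cmake build log for compiler invocations lacking the CPPFLAGS hardening flag, i.e. the part of the check that hardening-check cannot do on the binaries. The flag value `-D_FORTIFY_SOURCE=2` is an assumption (confirm the real value with `dpkg-buildflags --get CPPFLAGS` on the build host), and the sample log lines are constructed for the example.

```sh
#!/bin/sh
# Added example: find compile lines in a verbose (VERBOSE=1) build log that
# lack an expected hardening flag. Not taken from the bug report or from pyside.

# Flag to look for. Assumed here to be the CPPFLAGS hardening flag that
# dpkg-buildflags emits; override with EXPECTED_FLAG=... if it differs.
EXPECTED_FLAG="${EXPECTED_FLAG:--D_FORTIFY_SOURCE=2}"

# Constructed sample of a verbose cmake build log: one hardened compile line,
# one compile line missing the flag, a link line and a cmake status line
# (the last two are not compile steps and must be ignored).
SAMPLE_LOG='[ 10%] Building CXX object CMakeFiles/foo.dir/a.cpp.o
/usr/bin/c++ -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -o a.o -c a.cpp
/usr/bin/cc -g -O2 -fstack-protector -o b.o -c b.c
/usr/bin/c++ -Wl,-z,relro -o libfoo.so a.o b.o
-- Configuring done'

# find_unhardened_compiles LOGTEXT
# Prints every compiler invocation (a line starting with a cc/c++/gcc/g++/clang
# command and containing " -c ") that does not contain $EXPECTED_FLAG.
# Returns 0 when all compile lines carry the flag, 1 when at least one lacks it.
find_unhardened_compiles() {
    log="$1"
    missing=$(printf '%s\n' "$log" \
        | grep -E '^[^ ]*(cc|c\+\+|gcc|g\+\+|clang(\+\+)?) ' \
        | grep -E ' -c ' \
        | grep -v -F -e "$EXPECTED_FLAG" || true)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Usage on the constructed sample (a real run would pass the saved build log,
# e.g. "$(cat build.log)").
if find_unhardened_compiles "$SAMPLE_LOG"; then
    echo "all compile lines carry $EXPECTED_FLAG"
else
    echo "the compile line(s) above lack $EXPECTED_FLAG"
fi
```

Only lines that are compile steps (containing `-c`) are inspected, because link lines legitimately carry no preprocessor flags; pair this with `hardening-check` on the built files, since the log check sees the flags passed but not what ended up in the binaries.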