
Bug#667930: marked as done (epm: CPPFLAGS hardening flags missing)



Your message dated Fri, 05 Apr 2024 00:49:31 +0000
with message-id <E1rsXlr-00CIaq-IK@fasolo.debian.org>
and subject line Bug#667930: fixed in epm 4.2-12
has caused the Debian Bug report #667930,
regarding epm: CPPFLAGS hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
667930: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667930
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: epm
Version: 4.2-3
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because the build system
ignores them.

The attached patch (dpkg-buildflags.patch) fixes the issue by
patching the build system to respect CPPFLAGS and all build flags
in doc/. If possible it should be sent upstream. It applies
cleanly to the original source and thus should be used first in
the series; a refreshed version of build-cleanup and
manpage-build-fixes is also attached.

The flags for doc/ are not strictly necessary but make automatic
checks for missing hardening flags possible and prevent possible
problems in the future.

The following patch enables all hardening flags for the complete
package. They were partially used already because fltk sets them:

diff -Nru epm-4.2/debian/rules epm-4.2/debian/rules
--- epm-4.2/debian/rules	2012-04-01 18:54:46.000000000 +0200
+++ epm-4.2/debian/rules	2012-04-07 17:35:34.000000000 +0200
@@ -11,8 +11,8 @@
 
 # The FLTK static libs are built position-independent, so we need
 # to enable the same for our setup tool.  It's easier to just enable
-# it all around.
-DEB_BUILD_MAINT_OPTIONS="hardening=+pie"
+# it all around. +all includes PIE.
+DEB_BUILD_MAINT_OPTIONS="hardening=+all"
 
 # Set build flags.  For wheezy+1, we will switch to using debhelper 9.
 # For now, preserve compatibility with squeeze.
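Review bot: the hunk changes the value of DEB_BUILD_MAINT_OPTIONS but shows no `export`; dpkg-buildflags only honours the variable when it is present in its environment, so confirm that the rest of debian/rules exports it (or passes it on the dpkg-buildflags command line) before the "Set build flags" section reads the flags. `hardening=+all` adds the non-default PIE and bindnow options on top of the stack-protector, format and fortify defaults, so the updated comment ("+all includes PIE") is accurate.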

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/lib/epm/uninst /usr/lib/epm/setup /usr/bin/mkepmlist /usr/bin/epminstall /usr/bin/epm
    /usr/lib/epm/uninst:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/lib/epm/setup:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/mkepmlist:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/epminstall:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/epm:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes

Use the following on the build result to check all files:

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich <simon@ruderich.org>
Last-Update: 2012-04-07

Index: epm-4.2/Makefile.in
===================================================================
--- epm-4.2.orig/Makefile.in	2012-04-07 17:50:29.572096713 +0200
+++ epm-4.2/Makefile.in	2012-04-07 17:50:34.248096734 +0200
@@ -43,6 +43,7 @@
 ARCHFLAGS	=	@ARCHFLAGS@
 CFLAGS		=	$(ARCHFLAGS) @CFLAGS@ $(OPTIM)
 CXXFLAGS	=	$(ARCHFLAGS) @CXXFLAGS@ $(OPTIM)
+CPPFLAGS	=	@CPPFLAGS@
 GUILIBS		=	@GUILIBS@
 LDFLAGS		=	$(ARCHFLAGS) @LDFLAGS@ $(OPTIM)
 LIBS		=	@LIBS@
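Review bot: `CPPFLAGS = @CPPFLAGS@` is the right shape; autoconf's AC_PROG_CC already AC_SUBSTs CPPFLAGS, so no change to configure.in is needed for the substitution to happen. Unlike the CFLAGS/CXXFLAGS/LDFLAGS lines it neither prepends $(ARCHFLAGS) nor appends $(OPTIM), which is correct because those are compiler and linker options, not preprocessor ones.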
@@ -75,10 +76,10 @@
 .SUFFIXES:	.c .cxx .h .o
 .c.o:
 	echo Compiling $<...
-	$(CC) $(CFLAGS) -I. -I$(srcdir) -c $<
+	$(CC) $(CFLAGS) $(CPPFLAGS) -I. -I$(srcdir) -c $<
 .cxx.o:
 	echo Compiling $<...
-	$(CXX) $(CXXFLAGS) -I. -I$(srcdir) -c $<
+	$(CXX) $(CXXFLAGS) $(CPPFLAGS) -I. -I$(srcdir) -c $<
 
 
 #
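Review bot: ordering point on both rules: GNU make's built-in rule and most autoconf projects put $(CPPFLAGS) before $(CFLAGS)/$(CXXFLAGS), i.e. `$(CC) $(CPPFLAGS) $(CFLAGS) -I. -I$(srcdir) -c $<`. With $(CPPFLAGS) after $(CFLAGS) as written, -D_FORTIFY_SOURCE=2 still takes effect because it only needs an -O level from $(OPTIM) somewhere on the same command line, so this is stylistic, but the conventional order avoids surprises if CPPFLAGS ever carries -I paths that must win over those in CFLAGS.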
Index: epm-4.2/doc/Makefile.in
===================================================================
--- epm-4.2.orig/doc/Makefile.in	2012-04-07 17:50:29.572096713 +0200
+++ epm-4.2/doc/Makefile.in	2012-04-07 17:50:34.248096734 +0200
@@ -25,6 +25,13 @@
 NROFF	=	@NROFF@
 RM	=	@RM@ -f
 
+#
+# Build flags...
+#
+
+CFLAGS		=	@CFLAGS@
+CPPFLAGS	=	@CPPFLAGS@
+LDFLAGS		=	@LDFLAGS@
 
 #
 # Man page generation...
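Review bot: the new CFLAGS/CPPFLAGS/LDFLAGS assignments only help if something consumes them. This hunk adds no .c.o rule, so mantohtml.o falls to make's built-in rule, which does use $(CPPFLAGS) and $(CFLAGS); if doc/Makefile.in defines its own compile rule elsewhere, it needs the same $(CPPFLAGS) addition as the top-level Makefile.in, otherwise hardening-check on mantohtml would still report the fortify functions missing.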
@@ -55,7 +62,7 @@
 	$(HTMLDOC) --batch epm-book.book -f epm-book.html
 
 mantohtml:	mantohtml.o
-	$(CC) -o $@ mantohtml.o
+	$(CC) -o $@ $(CFLAGS) $(LDFLAGS) mantohtml.o
 
 $(MANPAGES):	mantohtml
 
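Review bot: adding $(CFLAGS) next to $(LDFLAGS) on the link line is needed rather than redundant: -fPIE from CFLAGS together with -pie from LDFLAGS is what makes gcc emit a position-independent mantohtml, and gcc also wants -fstack-protector at link time to pull in the right runtime support. Placing both before mantohtml.o is fine since this rule links no -l libraries that would need to follow the objects.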
Description: Build clean-ups
 This patch makes build output more useful when things go wrong.
Author: Jeff Licquia <licquia@debian.org>
Forwarded: not-needed
Last-Update: 2011-02-19

Index: epm-4.2/Makefile.in
===================================================================
--- epm-4.2.orig/Makefile.in	2012-04-07 17:50:34.248096734 +0200
+++ epm-4.2/Makefile.in	2012-04-07 17:50:37.468096748 +0200
@@ -71,14 +71,10 @@
 # Rules...
 #
 
-.SILENT:
-
 .SUFFIXES:	.c .cxx .h .o
 .c.o:
-	echo Compiling $<...
 	$(CC) $(CFLAGS) $(CPPFLAGS) -I. -I$(srcdir) -c $<
 .cxx.o:
-	echo Compiling $<...
 	$(CXX) $(CXXFLAGS) $(CPPFLAGS) -I. -I$(srcdir) -c $<
 
 
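Review bot: dropping `.SILENT:` and the `echo Compiling $<...` lines means make now prints every compile command, which is exactly what lets a build-log scanner verify that $(CPPFLAGS) actually reached each object, complementing the hardening-check run the report describes. Without `.SILENT:` the remaining plain `echo` lines in the install, uninstall and test rules would print twice (the command and its output), which is why the later hunks turn them into `@echo`.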
@@ -169,7 +165,7 @@
 #
 
 install: all @INSTALL_GUIS@ @INSTALL_OSX@
-	echo Installing EPM programs in $(bindir)
+	@echo Installing EPM programs in $(bindir)
 	-$(MKDIR) $(bindir)
 	$(RM) $(bindir)/epm
 	$(CP) epm $(bindir)
@@ -179,7 +175,7 @@
 	$(STRIP) $(bindir)/epminstall
 	$(RM) $(bindir)/mkepmlist
 	$(CP) mkepmlist $(bindir)
-	echo Installing EPM manpages in $(mandir)/man1
+	@echo Installing EPM manpages in $(mandir)/man1
 	-$(MKDIR) $(mandir)/man1
 	$(RM) $(mandir)/man1/epm.1
 	$(CP) $(srcdir)/doc/epm.man $(mandir)/man1/epm.1
@@ -189,13 +185,13 @@
 	$(CP) $(srcdir)/doc/mkepmlist.man $(mandir)/man1/mkepmlist.1
 	$(RM) $(mandir)/man1/setup.1
 	$(CP) $(srcdir)/doc/setup.man $(mandir)/man1/setup.1
-	echo Installing EPM manpages in $(mandir)/man5
+	@echo Installing EPM manpages in $(mandir)/man5
 	-$(MKDIR) $(mandir)/man5
 	$(RM) $(mandir)/man5/epm.list.5
 	$(CP) $(srcdir)/doc/epm.list.man $(mandir)/man5/epm.list.5
 	$(RM) $(mandir)/man5/setup.types.5
 	$(CP) $(srcdir)/doc/setup.types.man $(mandir)/man5/setup.types.5
-	echo Installing EPM documentation in $(docdir)
+	@echo Installing EPM documentation in $(docdir)
 	-$(MKDIR) $(docdir)
 	$(RM) $(docdir)/COPYING
 	$(CP) $(srcdir)/COPYING $(docdir)
@@ -205,7 +201,7 @@
 	$(CP) $(srcdir)/doc/epm-book.html $(docdir)
 
 install-guis:	setup uninst
-	echo Installing EPM setup/uninst in $(libdir)/epm
+	@echo Installing EPM setup/uninst in $(libdir)/epm
 	$(RM) -r $(libdir)/epm
 	-$(MKDIR) $(libdir)/epm
 	$(CP) setup $(libdir)/epm
@@ -214,7 +210,7 @@
 	-$(STRIP) $(libdir)/epm/uninst
 
 install-osx:
-	echo Installing EPM OSX data files in $(datadir)/epm
+	@echo Installing EPM OSX data files in $(datadir)/epm
 	$(RM) -r $(datadir)/epm
 	-$(MKDIR) $(datadir)/epm
 	$(CP) macosx/setup.icns $(datadir)/epm
@@ -228,23 +224,23 @@
 #
 
 uninstall:
-	echo Uninstalling EPM programs from $(bindir)
+	@echo Uninstalling EPM programs from $(bindir)
 	$(RM) $(bindir)/epm
 	$(RM) $(bindir)/epminstall
 	$(RM) $(bindir)/mkepmlist
-	echo Uninstalling EPM manpages from $(mandir)/man1
+	@echo Uninstalling EPM manpages from $(mandir)/man1
 	$(RM) $(mandir)/man1/epm.1
 	$(RM) $(mandir)/man1/epminstall.1
 	$(RM) $(mandir)/man1/mkepmlist.1
 	$(RM) $(mandir)/man1/setup.1
-	echo Uninstalling EPM manpages from $(mandir)/man5
+	@echo Uninstalling EPM manpages from $(mandir)/man5
 	$(RM) $(mandir)/man5/epm.list.5
 	$(RM) $(mandir)/man5/setup.types.5
-	echo Uninstalling EPM documentation from $(docdir)
+	@echo Uninstalling EPM documentation from $(docdir)
 	$(RM) -r $(docdir)
-	echo Uninstalling EPM setup/uninstall from $(libdir)/epm
+	@echo Uninstalling EPM setup/uninstall from $(libdir)/epm
 	$(RM) -r $(libdir)/epm
-	echo Uninstalling EPM OSX data files from $(datadir)/epm
+	@echo Uninstalling EPM OSX data files from $(datadir)/epm
 	$(RM) -r $(datadir)/epm
 
 
@@ -281,15 +277,15 @@
 #
 
 test:	$(TARGETS)
-	echo Starting portable distribution build test...
-	if ./epm -vv epm >test.log; then \
+	@echo Starting portable distribution build test...
+	@if ./epm -vv epm >test.log; then \
 		echo Portable distribution build test PASSED.; \
 	else \
 		echo Portable distribution build test FAILED.; \
 		cat test.log; \
 	fi
-	echo Starting native distribution build test...
-	if ./epm -vv -s doc/epmlogo.tif -f native epm >test.log; then \
+	@echo Starting native distribution build test...
+	@if ./epm -vv -s doc/epmlogo.tif -f native epm >test.log; then \
 		echo Native distribution build test PASSED.; \
 	else \
 		echo Native distribution build test FAILED.; \
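Review bot: `@if ... then ... fi` keeps the shell conditional quiet while still printing the PASSED/FAILED line, good. Note that the visible `else` branch only echoes and cats test.log, so a broken `./epm` does not make the `test` target fail; that predates this cleanup, but an `exit 1` in the else branch would let `make test` gate anything. Also `>test.log` truncates the portable-build log before the native build writes the same file, so only the second run's output survives.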
@@ -343,7 +339,6 @@
 #
 
 libepm.a:	$(EPM_OBJS)
-	echo Archiving libepm.a...
 	$(RM) libepm.a
 	$(AR) $(ARFLAGS) libepm.a $(EPM_OBJS)
 	$(RANLIB) libepm.a
@@ -356,7 +351,6 @@
 #
 
 epm:	epm.o $(EPM_OBJS)
-	echo Linking epm...
 	$(CC) $(LDFLAGS) -o epm epm.o libepm.a $(LIBS)
 
 epm.o:	epm.h epmstring.h
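Review bot: with `echo Linking epm...` gone, the `$(CC) $(LDFLAGS) -o epm epm.o libepm.a $(LIBS)` command itself appears in the build log, so -Wl,-z,relro and -pie can be checked on the link step as well as on the compiles. $(LDFLAGS) before the objects and $(LIBS) after is the usual order, nothing else to change here.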
@@ -367,7 +361,6 @@
 #
 
 epminstall:	epminstall.o libepm.a
-	echo Linking epminstall...
 	$(CC) $(LDFLAGS) -o epminstall epminstall.o libepm.a $(LIBS)
 
 epminstall.o:	epm.h epmstring.h
@@ -378,7 +371,6 @@
 #
 
 mkepmlist:	mkepmlist.o libepm.a
-	echo Linking mkepmlist...
 	$(CC) $(LDFLAGS) -o mkepmlist mkepmlist.o libepm.a $(LIBS)
 
 mkepmlist.o:	epm.h epmstring.h
@@ -389,7 +381,6 @@
 #
 
 setup:	$(SETUP_OBJS) libepm.a
-	echo Linking setup...
 	$(CXX) $(LDFLAGS) -o setup $(SETUP_OBJS) libepm.a $(GUILIBS) $(LIBS)
 
 setup.o:	setup.h gui-common.h epmstring.h
@@ -402,7 +393,6 @@
 #
 
 uninst:	$(UNINST_OBJS) libepm.a
-	echo Linking uninst...
 	$(CXX) $(LDFLAGS) -o uninst $(UNINST_OBJS) libepm.a $(GUILIBS) $(LIBS)
 
 uninst.o:	uninst.h epmstring.h gui-common.h
Description: Build proper set of man pages
 For some reason, upstream does not build all of the available man
 pages.  This patch fixes that.
Author: Jeff Licquia <licquia@debian.org>
Last-Update: 2011-02-19

Index: epm-4.2/doc/Makefile.in
===================================================================
--- epm-4.2.orig/doc/Makefile.in	2012-04-07 17:50:34.248096734 +0200
+++ epm-4.2/doc/Makefile.in	2012-04-07 17:50:39.460096757 +0200
@@ -47,7 +47,8 @@
 # Targets...
 #
 
-MANPAGES	=	epm.html epminstall.html mkepmlist.html setup.html
+MANPAGES	=	epm.html epminstall.html mkepmlist.html setup.html \
+			epm.list.html setup.types.html
 HTMLFILES	=	preface.html 1-intro.html 2-building.html \
 			3-packaging.html 4-advanced.html 5-examples.html \
 			a-license.html b-manpages.html c-reference.html \
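Review bot: the two added targets require epm.list.man and setup.types.man as mantohtml input; the install rule in the build-cleanup patch already copies $(srcdir)/doc/epm.list.man and $(srcdir)/doc/setup.types.man, so the sources exist and the section 5 pages now get HTML versions like the section 1 ones. The backslash continuation and tab indentation match the HTMLFILES definition directly below.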

--- End Message ---
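The bug report above checks hardening in two places: `hardening-check` on the installed binaries, and the build log for flags that `hardening-check` cannot see (it warns that it "doesn't catch everything"). The following Python script is an added example, not part of the report or of the epm package, that automates both checks offline: it parses `hardening-check` output in the format shown above into a per-binary map and lists every protection reported as "no", and it scans compile and link lines from a build log for the dpkg-buildflags hardening flags. The sample `hardening-check` output and build-log lines are constructed for the example, and the flag lists are an assumption matching what `hardening=+all` produced around the time of the report.

```python
"""Check hardening-check output and a build log for missing hardening flags."""
import re
import shlex
from typing import Dict, List

# Constructed sample in the format hardening-check prints (not real output
# from the epm build); only the leading "yes"/"no" of each value is parsed.
SAMPLE_HARDENING_CHECK = """\
/usr/lib/epm/uninst:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/bin/epm:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!
"""

# Constructed build-log excerpt: a compile line with every flag, a compile
# line that lost CPPFLAGS (the defect in this bug report), and a link line.
SAMPLE_BUILD_LOG = """\
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fPIE -D_FORTIFY_SOURCE=2 -I. -c epm.c
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fPIE -I. -c file.c
gcc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o epm epm.o libepm.a
"""

# Flags dpkg-buildflags emitted for hardening=+all at the time of the report
# (assumption for this example; newer toolchains use different spellings).
REQUIRED_COMPILE_FLAGS = ["-fstack-protector", "-Wformat",
                          "-Werror=format-security", "-fPIE",
                          "-D_FORTIFY_SOURCE=2"]
REQUIRED_LINK_FLAGS = ["-Wl,-z,relro", "-Wl,-z,now", "-pie"]

COMPILER_RE = re.compile(r"(g?cc|g\+\+|c\+\+|clang(\+\+)?)$")


def parse_hardening_check(text: str) -> Dict[str, Dict[str, bool]]:
    """Map each binary path to {protection name: enabled?}."""
    results: Dict[str, Dict[str, bool]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Binary headers are unindented and end with a colon.
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            results[current] = {}
            continue
        if current is None:
            continue
        prop, _, value = line.strip().partition(":")
        results[current][prop.strip()] = value.strip().lower().startswith("yes")
    return results


def missing_protections(text: str) -> Dict[str, List[str]]:
    """Binaries with at least one protection off, and which ones."""
    report: Dict[str, List[str]] = {}
    for path, props in parse_hardening_check(text).items():
        missing = sorted(name for name, ok in props.items() if not ok)
        if missing:
            report[path] = missing
    return report


def audit_build_log(log: str) -> Dict[int, List[str]]:
    """Line number -> flags missing from that compile (-c) or link command."""
    problems: Dict[int, List[str]] = {}
    for lineno, line in enumerate(log.splitlines(), 1):
        argv = shlex.split(line)
        if not argv or not COMPILER_RE.match(argv[0]):
            continue  # not a compiler invocation
        required = REQUIRED_COMPILE_FLAGS if "-c" in argv else REQUIRED_LINK_FLAGS
        missing = [flag for flag in required if flag not in argv]
        if missing:
            problems[lineno] = missing
    return problems


if __name__ == "__main__":
    for path, missing in missing_protections(SAMPLE_HARDENING_CHECK).items():
        print(f"{path}: missing {', '.join(missing)}")
    for lineno, missing in audit_build_log(SAMPLE_BUILD_LOG).items():
        print(f"build log line {lineno}: missing {' '.join(missing)}")
```

On real output, feed `hardening-check`'s stdout (for example from the `find ... -exec hardening-check {} +` command in the report) to `missing_protections`, and the package build log to `audit_build_log`; the second check is what catches a compile line that silently dropped `$(CPPFLAGS)`, which is invisible to `hardening-check` whenever the binary still contains some fortified function from another object.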
--- Begin Message ---
Source: epm
Source-Version: 4.2-12
Done: Andreas Beckmann <anbe@debian.org>

We believe that the bug you reported is fixed in the latest version of
epm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 667930@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <anbe@debian.org> (supplier of updated epm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 05 Apr 2024 02:33:54 +0200
Source: epm
Architecture: source
Version: 4.2-12
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Andreas Beckmann <anbe@debian.org>
Closes: 667930 1044273 1066241
Changes:
 epm (4.2-12) unstable; urgency=medium
 .
   * QA upload.
   * Fix building with -Werror=implicit-function-declaration.
     (Closes: #1066241)
   * Fix building twice in a row.  (Closes: #1044273)
   * Enable all hardening flags, thanks to Simon Ruderich.  (Closes: #667930)
   * Update Homepage, watch file, upstream metadata.  (See #1051502)
Checksums-Sha1:
 478c03be95809d486287ca4cf81199c750d3129b 1960 epm_4.2-12.dsc
 138b4fd8a8a147597988a87a463b391c502acdfc 8408 epm_4.2-12.debian.tar.xz
 daa2175ad8ee6f6d6a5f9a6239154bcb268e71c3 9328 epm_4.2-12_source.buildinfo
Checksums-Sha256:
 46ab06d72c5f82b63fb31d057955930bf2ad880612c412abe8757aa60b17e146 1960 epm_4.2-12.dsc
 76dfbc8394b2b902543973244705361f815780e3cfec19d292bd1234b5c20a39 8408 epm_4.2-12.debian.tar.xz
 0adfa0eddf150011413ace76574b7637118ca3ba62ce4995001eb19cc710713f 9328 epm_4.2-12_source.buildinfo
Files:
 55882a76e48ea66794de0b404a688ab8 1960 devel optional epm_4.2-12.dsc
 ce377dc67c9ac5e7cad2ba2d7da42569 8408 devel optional epm_4.2-12.debian.tar.xz
 c0103688e6fe4bd61a548fbb3de5cd95 9328 devel optional epm_4.2-12_source.buildinfo

--- End Message ---
