Bug#663625: zgv: Hardening flags missing
Package: zgv
Version: 5.9-4
Severity: important
Tags: patch
Dear Maintainer,
The hardening flags are missing because the build system ignores
them. For more hardening information please have a look at [1],
[2] and [3].
The attached patch fixes the issue. If possible it should be sent
upstream.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/zgv
/usr/bin/zgv:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u zgv-5.9/config.mk zgv-5.9/config.mk
--- zgv-5.9/config.mk
+++ zgv-5.9/config.mk
@@ -8,7 +8,7 @@
# This is likely to be what you'll want for most systems:
#
CC=gcc
-CFLAGS=$(shell dpkg-buildflags --get CFLAGS) -O2 -Wall -fomit-frame-pointer -finline-functions
+CFLAGS+=-O2 -Wall -fomit-frame-pointer -finline-functions
#
# If you're brave enough to try compiling zgv on a non-x86 system :-),
# this might be a better bet:
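Review bot: the switch from `CFLAGS=` to `CFLAGS+=` is the right fix for flags that debian/rules exports into the environment, since `=` discarded the environment value while `+=` appends to it; but the hunk only covers CFLAGS, and config.mk has no matching handling of CPPFLAGS, so `-D_FORTIFY_SOURCE=2` (which dpkg-buildflags emits in CPPFLAGS, not CFLAGS) only reaches the compiler if the compile rule in src/Makefile passes `$(CPPFLAGS)`; please confirm that rule or add a `CPPFLAGS+=` line here. Dropping the `$(shell dpkg-buildflags --get CFLAGS)` call from config.mk is correct if the patch is meant to go upstream, as upstream should not depend on a Debian-specific tool.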
diff -u zgv-5.9/src/Makefile zgv-5.9/src/Makefile
--- zgv-5.9/src/Makefile
+++ zgv-5.9/src/Makefile
@@ -47,13 +47,13 @@
modesel.o readpcd.o readtiff.o readprf.o zgv_io.o
zgv: $(ZGV_OBJS)
- $(CC) $(CFLAGS) -o zgv $(ZGV_OBJS) $(ZGV_LIBS)
+ $(CC) $(LDFLAGS) -o zgv $(ZGV_OBJS) $(ZGV_LIBS)
bdf2h: bdf2h.o
- $(CC) $(CFLAGS) -o bdf2h bdf2h.o
+ $(CC) $(LDFLAGS) -o bdf2h bdf2h.o
install-info: install-info.c
- $(CC) $(INFODIRDEF) -o install-info install-info.c
+ $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(INFODIRDEF) -o install-info install-info.c
# explicitly removes /usr/bin/{zgv,zgv-sdl} in case of old
# installation. Not nice to put this in the install target,
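Review bot: the zgv and bdf2h link lines replace `$(CFLAGS)` with `$(LDFLAGS)` instead of adding it, so any CFLAGS that must also be present at link time (for example `-fPIE` paired with `-pie`, which is exactly what the missing PIE entry in the hardening-check output above would need, or `-flto`) would be lost; the install-info line in the same hunk already passes `$(CFLAGS) $(CPPFLAGS) $(LDFLAGS)` together, and the other two should follow that form, e.g. `$(CC) $(CFLAGS) $(LDFLAGS) -o zgv $(ZGV_OBJS) $(ZGV_LIBS)`.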
diff -u zgv-5.9/debian/rules zgv-5.9/debian/rules
--- zgv-5.9/debian/rules
+++ zgv-5.9/debian/rules
@@ -7,7 +7,10 @@
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
+CFLAGS := $(shell dpkg-buildflags --get CFLAGS)
+CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)
+export CFLAGS CPPFLAGS LDFLAGS
build: build-stamp
build-stamp:
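Review bot: the three `:= $(shell dpkg-buildflags --get ...)` assignments plus `export CFLAGS CPPFLAGS LDFLAGS` do the job, but since dpkg-dev 1.16.1 the documented equivalent is `DPKG_EXPORT_BUILDFLAGS = 1` followed by `include /usr/share/dpkg/buildflags.mk`, which also exports CXXFLAGS/FFLAGS and honours DEB_BUILD_MAINT_OPTIONS; either way, note that exporting only works because config.mk now uses `+=`, whereas passing the variables on the `$(MAKE)` command line would override that `+=` and silently drop the `-O2 -Wall ...` part.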
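The "check the build log" step mentioned above, as an added example that is not part of the bug report or of zgv: a small POSIX sh scanner that flags gcc compile lines lacking the stack protector or FORTIFY_SOURCE and link lines lacking RELRO. The two log files it reads are constructed inline (object names borrowed from src/Makefile); the required-flag lists are assumptions matching dpkg-buildflags output of that era.

```shell
#!/bin/sh
# Added example (not part of the bug report or of zgv): scan a build log
# for compiler driver lines that lack the dpkg-buildflags hardening options,
# the "check the build log" step that hardening-check alone does not cover.

# Flags a hardened compile line and a hardened link line must carry (assumed).
# Prefix match is used, so -fstack-protector also accepts -fstack-protector-strong.
COMPILE_FLAGS='-fstack-protector -D_FORTIFY_SOURCE=2'
LINK_FLAGS='-Wl,-z,relro'

# check_build_log LOGFILE
# Prints one "missing FLAG: LINE" finding per absent flag; prints nothing
# when every gcc/cc line in the log is hardened. Non-compiler lines are ignored.
check_build_log() {
    grep -E '^(gcc|cc) ' "$1" | while IFS= read -r line; do
        case "$line" in
            *' -c '*) required=$COMPILE_FLAGS ;;   # compile step
            *)        required=$LINK_FLAGS ;;      # link step
        esac
        for flag in $required; do
            case " $line" in
                *" $flag"*) ;;
                *) printf 'missing %s: %s\n' "$flag" "$line" ;;
            esac
        done
    done
}

# log_is_hardened LOGFILE: exit status 0 if check_build_log found nothing.
log_is_hardened() {
    [ -z "$(check_build_log "$1")" ]
}

# Constructed sample logs: one with a bare compile and a bare link, one clean.
BAD_LOG=$(mktemp) && GOOD_LOG=$(mktemp)
trap 'rm -f "$BAD_LOG" "$GOOD_LOG"' EXIT
cat > "$BAD_LOG" <<'EOF'
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -Wall -c -o zgv_io.o zgv_io.c
gcc -O2 -Wall -fomit-frame-pointer -finline-functions -c -o readtiff.o readtiff.c
gcc -o zgv zgv_io.o readtiff.o
ar rcs libdummy.a dummy.o
EOF
cat > "$GOOD_LOG" <<'EOF'
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -Wall -c -o zgv_io.o zgv_io.c
gcc -Wl,-z,relro -o zgv zgv_io.o
EOF

check_build_log "$BAD_LOG"    # two findings on readtiff.c, one RELRO finding on the link
log_is_hardened "$GOOD_LOG" && echo "sample hardened log: all flags present"
```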