Package: xloadimage
Version: 4.1-18
Severity: important
Tags: Patch
Dear Maintainer,
The hardening flags are missing because the build system ignores
them. For more hardening information please have a look at [1],
[2] and [3].
The attached patch fixes the issue.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):
$ hardening-check /usr/bin/uufilter /usr/bin/xloadimage
/usr/bin/uufilter:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/bin/xloadimage:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
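An added helper, not part of the bug report, that turns the find + hardening-check run described above into a per-file list of failed checks with a non-zero exit status, so it can be wired into a build check. It assumes hardening-check's "Property: yes/no ..." report format shown in the output above and GNU find's -executable test.

```shell
#!/bin/sh
# summarize_hardening: filter that reads hardening-check output on stdin
# and prints "path: Property" for every property reported as "no".
# Exit status is 1 if any check failed, 0 otherwise.
summarize_hardening() {
    awk '
        # a line ending in ":" names the binary the following report is for
        /:$/ { file = substr($0, 1, length($0) - 1); next }
        # any property whose value starts with "no" is a failed check
        /: no/ {
            gsub(/^[[:space:]]+|:.*$/, "")   # keep only the property name
            print file ": " $0
            failed = 1
        }
        END { exit failed ? 1 : 0 }
    '
}

# check_hardening DIR: run hardening-check over every executable and
# shared object below DIR (e.g. the debian/<package> tree) and summarise.
check_hardening() {
    find "$1" -type f \( -executable -o -name '*.so*' \) \
        -exec hardening-check {} + | summarize_hardening
}
```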
Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags. Author: Simon Ruderich <simon@ruderich.org> Last-Update: 2012-04-29 Index: xloadimage-4.1/Makefile.in =================================================================== --- xloadimage-4.1.orig/Makefile.in 2012-04-29 12:13:45.456985928 +0200 +++ xloadimage-4.1/Makefile.in 2012-04-29 12:13:45.640985927 +0200 @@ -27,7 +27,7 @@ $(CC) -o $@ $(OBJS) build.o $(LDFLAGS) $(XLIB) $(LIBS) uufilter: uufilter.c - $(CC) $(CFLAGS) $(DEFS) uufilter.c -o $@ + $(CC) $(CFLAGS) $(LDFLAGS) $(DEFS) uufilter.c -o $@ .c.o: config.h image.h $(CC) $(CFLAGS) -c $(DEFS) $< Index: xloadimage-4.1/Makefile.std =================================================================== --- xloadimage-4.1.orig/Makefile.std 2012-04-29 12:13:41.916985912 +0200 +++ xloadimage-4.1/Makefile.std 2012-04-29 12:13:45.640985927 +0200 @@ -23,7 +23,7 @@ # the Make.conf file and recursively calls make. autoconfig: autoconfig.c - $(CC) -g -o autoconfig autoconfig.c + $(CC) $(CFLAGS) $(LDFLAGS) -g -o autoconfig autoconfig.c # manual configuration target configure:: autoconfig Index: xloadimage-4.1/Makefile =================================================================== --- xloadimage-4.1.orig/Makefile 2012-04-29 12:13:41.916985912 +0200 +++ xloadimage-4.1/Makefile 2012-04-29 12:13:45.640985927 +0200 @@ -8,7 +8,7 @@ # Include system configuration parameters include Make.conf -CFLAGS=$(OPT_FLAGS) $(CC_FLAGS) $(CC_CONFIG_FLAGS) $(X11_INC_DIR) \ +CFLAGS+=$(OPT_FLAGS) $(CC_FLAGS) $(CC_CONFIG_FLAGS) $(X11_INC_DIR) \ -DSYSPATHFILE=\"$(SYSPATHFILE)\" LIBS=$(X11_LIB_DIR) $(X11_LIB_NAME) $(SYS_LIBS) -lm @@ -23,7 +23,7 @@ # the Make.conf file and recursively calls make. autoconfig: autoconfig.c - $(CC) -g -o autoconfig autoconfig.c + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -g -o autoconfig autoconfig.c # manual configuration target configure:: autoconfig
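Review bot: in the Makefile.in hunk (@@ -27) the new uufilter line passes $(CFLAGS) $(LDFLAGS) $(DEFS) but not $(CPPFLAGS), while the Makefile autoconfig hunk does add $(CPPFLAGS); since dpkg-buildflags delivers -D_FORTIFY_SOURCE=2 via CPPFLAGS, the rule should read `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(DEFS) uufilter.c -o $@` unless debian/rules already folds CPPFLAGS into CFLAGS. The neighbouring `.c.o` rule in the context lines has the same gap.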
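Review bot: the Makefile.std hunk (@@ -23) turns the autoconfig rule into `$(CC) $(CFLAGS) $(LDFLAGS) -g -o autoconfig autoconfig.c`, whereas the same rule in the Makefile hunk becomes `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -g -o autoconfig autoconfig.c`; the two copies should be identical, otherwise which file the build uses decides whether CPPFLAGS is honoured. The hard-coded -g is redundant once CFLAGS comes from the environment and could be dropped in the same change.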
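Review bot: `CFLAGS+=` in the Makefile hunk (@@ -8) relies on GNU make appending to the CFLAGS inherited from the environment, and it is silently bypassed if debian/rules invokes make with CFLAGS=... on the command line, because a command-line variable overrides a plain += in the makefile; either use `override CFLAGS+=` or confirm that debian/rules only exports the dpkg-buildflags variables, and say so in the patch description.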