
Bug#663625: marked as done (zgv: Hardening flags missing)



Your message dated Tue, 04 Sep 2012 09:47:39 +0000
with message-id <E1T8pjP-0007hS-9g@franck.debian.org>
and subject line Bug#663625: fixed in zgv 5.9-5
has caused the Debian Bug report #663625,
regarding zgv: Hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
663625: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663625
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: zgv
Version: 5.9-4
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The hardening flags are missing because the build system ignores
them. For more hardening information please have a look at [1],
[2] and [3].

The attached patch fixes the issue. If possible it should be sent
upstream.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/zgv
    /usr/bin/zgv:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use the following on the build result to check all files:

    $ find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
diff -u zgv-5.9/config.mk zgv-5.9/config.mk
--- zgv-5.9/config.mk
+++ zgv-5.9/config.mk
@@ -8,7 +8,7 @@
 # This is likely to be what you'll want for most systems:
 #
 CC=gcc
-CFLAGS=$(shell dpkg-buildflags --get CFLAGS) -O2 -Wall -fomit-frame-pointer -finline-functions
+CFLAGS+=-O2 -Wall -fomit-frame-pointer -finline-functions
 #
 # If you're brave enough to try compiling zgv on a non-x86 system :-),
 # this might be a better bet:
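Review bot: the `CFLAGS+=` form depends on CFLAGS arriving from the environment (debian/rules exports it); GNU make appends to an environment-supplied value as intended, but a command-line override such as `make CFLAGS=...` replaces the whole value and silently drops the hardening flags again, so a comment in config.mk stating that CFLAGS is expected from the caller would help the next person. Removing the `dpkg-buildflags` call from config.mk is the right direction, since it keeps the upstream build independent of dpkg-dev and moves the policy into debian/rules.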
diff -u zgv-5.9/src/Makefile zgv-5.9/src/Makefile
--- zgv-5.9/src/Makefile
+++ zgv-5.9/src/Makefile
@@ -47,13 +47,13 @@
 	modesel.o readpcd.o readtiff.o readprf.o zgv_io.o
 
 zgv: $(ZGV_OBJS)
-	$(CC) $(CFLAGS) -o zgv $(ZGV_OBJS) $(ZGV_LIBS)
+	$(CC) $(LDFLAGS) -o zgv $(ZGV_OBJS) $(ZGV_LIBS)
 
 bdf2h: bdf2h.o
-	$(CC) $(CFLAGS) -o bdf2h bdf2h.o
+	$(CC) $(LDFLAGS) -o bdf2h bdf2h.o
 
 install-info: install-info.c
-	$(CC) $(INFODIRDEF) -o install-info install-info.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(INFODIRDEF) -o install-info install-info.c
 
 # explicitly removes /usr/bin/{zgv,zgv-sdl} in case of old
 # installation. Not nice to put this in the install target,
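Review bot: in the `zgv` and `bdf2h` rules `$(CFLAGS)` is replaced by `$(LDFLAGS)` instead of being kept alongside it; `$(CC)` is the link driver here, and options in CFLAGS that gcc also acts on at link time (`-flto`, `-pthread`, for example) are lost, so prefer `$(CC) $(CFLAGS) $(LDFLAGS) -o zgv $(ZGV_OBJS) $(ZGV_LIBS)` and likewise for `bdf2h`. The `install-info` rule compiles and links in one step and correctly passes all three variables. The object compile rule is outside this hunk, so verify that it picks up `$(CPPFLAGS)` as well as `$(CFLAGS)`, because the fortify define is delivered through CPPFLAGS and hardening-check will keep reporting "Fortify Source functions: no" otherwise.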
diff -u zgv-5.9/debian/rules zgv-5.9/debian/rules
--- zgv-5.9/debian/rules
+++ zgv-5.9/debian/rules
@@ -7,7 +7,10 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+CFLAGS              := $(shell dpkg-buildflags --get CFLAGS)
+CPPFLAGS            := $(shell dpkg-buildflags --get CPPFLAGS)
 LDFLAGS             := $(shell dpkg-buildflags --get LDFLAGS)
+export CFLAGS CPPFLAGS LDFLAGS
 
 build: build-stamp
 build-stamp:
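Review bot: exporting CFLAGS, CPPFLAGS and LDFLAGS this way works, but dpkg-dev already provides the same thing: setting `DPKG_EXPORT_BUILDFLAGS = 1` and then `include /usr/share/dpkg/buildflags.mk` exports every flag variable in one place, so no variable is missed when dpkg adds one later. It also makes `DEB_BUILD_MAINT_OPTIONS` (e.g. `hardening=+all`) the single switch for turning on the PIE and immediate-binding checks that the report's hardening-check output shows as `no`, should the maintainer want them.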

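An added example, not part of Simon's report or of the zgv package: a POSIX sh script that parses hardening-check output of the form quoted above and gates a build on the checks that must read "yes". The sample report is constructed from the output quoted in the report; `check_tree` assumes hardening-check (hardening-includes) is installed and walks the build tree with the find invocation the report gives.

```shell
#!/bin/sh
# Added example (not from the bug report or the zgv package): parse
# hardening-check(1) output and list the protections reported as "no",
# so a build can be gated on the result.

# Constructed sample: hardening-check output for the unpatched binary,
# copied from the report above.
SAMPLE_REPORT='/usr/bin/zgv:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!'

# missing_protections REPORT
# Reads one or more hardening-check blocks (a file line ending in ':',
# then indented "<check>: <verdict>..." lines) and prints
# "<file><TAB><check>" for every check whose verdict starts with "no".
# A verdict of "unknown" (no protectable libc functions used) is not
# treated as missing.
missing_protections() {
    printf '%s\n' "$1" | awk '
        /^[^ ].*:$/ { file = substr($0, 1, length($0) - 1); next }
        /^ / {
            split($0, kv, ": ")
            check = substr(kv[1], 2)      # drop the leading space
            verdict = kv[2]
            sub(/[ ,].*/, "", verdict)    # keep only the leading word
            if (verdict == "no") printf "%s\t%s\n", file, check
        }'
}

# require_protections REPORT CHECK...
# Returns 0 when none of the named checks is missing in any file of the
# report; otherwise names each missing one on stderr and returns 1.
require_protections() {
    report=$1; shift
    status=0
    for check in "$@"; do
        hits=$(missing_protections "$report" |
               awk -v c="$check" 'BEGIN { FS = "\t" } $2 == c { print $1 }')
        if [ -n "$hits" ]; then
            printf 'missing %s in: %s\n' "$check" "$hits" >&2
            status=1
        fi
    done
    return $status
}

# check_tree DIR CHECK...
# Runs hardening-check over every executable or shared object below DIR
# (the find invocation from the report; GNU find) and gates on the named
# checks. Assumes hardening-check is installed.
check_tree() {
    dir=$1; shift
    report=$(find "$dir" -type f \( -executable -o -name '*.so*' \) \
                 -exec hardening-check {} + 2>/dev/null)
    require_protections "$report" "$@"
}

# Stand-alone run on the constructed sample: the checks dpkg-buildflags
# turns on by default are all present, so this succeeds; PIE and
# immediate binding are opt-in and therefore not required here.
require_protections "$SAMPLE_REPORT" \
    "Stack protected" "Fortify Source functions" "Read-only relocations" &&
    echo "sample report: required protections present"
```

To gate a package build, call `check_tree debian/tmp "Stack protected" "Fortify Source functions" "Read-only relocations"` after `make install` and let the non-zero exit fail the build; add "Position Independent Executable" and "Immediate binding" to the list once those are turned on.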
--- End Message ---
--- Begin Message ---
Source: zgv
Source-Version: 5.9-5

We believe that the bug you reported is fixed in the latest version of
zgv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 663625@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Boris Pek <tehnick-8@mail.ru> (supplier of updated zgv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 30 Jun 2012 04:09:42 +0300
Source: zgv
Binary: zgv
Architecture: source i386
Version: 5.9-5
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Boris Pek <tehnick-8@mail.ru>
Description: 
 zgv        - SVGAlib graphics viewer
Closes: 379319 438363 662575 663625
Changes: 
 zgv (5.9-5) unstable; urgency=low
 .
   * QA upload.
   * Updated debian/watch: changed regexp.
   * Bumped Standards-Version to 3.9.3 (was 3.9.2).
   * Added debhelper version (9 is used); updated debian/compat.
     Fixed lintian note package-lacks-versioned-build-depends-on-debhelper.
   * Added file debian/source/format: format 1.0 is still used in this package.
   * Patched files config.mk and src/Makefile to respect build with
     hardening flags. [Thanks to Mario 'BitKoenig' Holbe] (Closes: #663625)
   * Patched Makefile: cut permanent launching strip command.
     Fixed not handling nostrip build option [policy 10.1]. (Closes: #438363)
   * Patched file debian/zgv.mime. [Thanks to Mario 'BitKoenig' Holbe]
     Fixed problem that mailcap entries did not work on plain consoles.
     (Closes: #379319)
   * Rewritten debian/rules:
     - now dh is used instead of direct dh_* commands
     - added --as-needed option to LDFLAGS
     - added section get-orig-source (uscan is used)
     - fixed lintian warnings:
       + hardening-no-relro
       + hardening-no-fortify-functions
       + dh-clean-k-is-deprecated
       + debian-rules-ignores-make-clean-error
       + debian-rules-missing-recommended-target build-arch
       + debian-rules-missing-recommended-target build-indep
   * Updated debian/control:
     - added Homepage field
     - added ${misc:Depends} to package zgv
     - changed build dependency from libpng12-dev to libpng-dev
       (Closes: #662575)
   * Updated debian/menu: fixed lintian warnings:
     - unquoted-string-in-menu-item
     - menu-item-uses-apps-section
   * Updated doc/zgv.1: fixed lintian notes hyphen-used-as-minus-sign.
   * Deleted file debian/postinst: generated automatically.
Checksums-Sha1: 
 0281eb8c9191319fec164e111ea407d10c42694a 1752 zgv_5.9-5.dsc
 bcfc2c9b87bb3e455db1eedb1baca9e0ec08e3d3 11673 zgv_5.9-5.diff.gz
 a53f8700f1bf7581b12e133ac5d3712e426346f8 279796 zgv_5.9-5_i386.deb
Checksums-Sha256: 
 43ea04fae25b2f9ab7e1e5fc3dfc28b7bdecf7dcfaca9ca05cf8db8a019df264 1752 zgv_5.9-5.dsc
 17969d2a806e672cd0f8e06815c1fe481d02fd0954a490123784edb21a0dbd73 11673 zgv_5.9-5.diff.gz
 c030fcf2e849f894276e5471dd329f040b0fb8717b3781a5fc502294efe5f72f 279796 zgv_5.9-5_i386.deb
Files: 
 6e698b676dbd7eaf74a67ee22cb0476a 1752 graphics optional zgv_5.9-5.dsc
 f4ccaab1909d1f6b4ecd7f504d6385cf 11673 graphics optional zgv_5.9-5.diff.gz
 a9ee02d7e428b1e1ffd67e6ebc5c171b 279796 graphics optional zgv_5.9-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----

--- End Message ---
