Your message dated Thu, 03 May 2012 10:05:00 +0000
with message-id <E1SPsuC-0001m0-KT@franck.debian.org>
and subject line Bug#670819: fixed in xloadimage 4.1-19
has caused the Debian Bug report #670819,
regarding xloadimage: Hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
670819: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670819
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Cc: Jari Aalto <jari.aalto@cante.net>
- Subject: xloadimage: Hardening flags missing
- From: Simon Ruderich <simon@ruderich.org>
- Date: Sun, 29 Apr 2012 12:17:02 +0200
- Message-id: <20120429101702.GA6515@ruderich.org>
Package: xloadimage
Version: 4.1-18
Severity: important
Tags: Patch

Dear Maintainer,

The hardening flags are missing because the build system ignores them. For more hardening information please have a look at [1], [2] and [3].

The attached patch fixes the issue.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/uufilter /usr/bin/xloadimage
    /usr/bin/uufilter:
     Position Independent Executable: yes
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/xloadimage:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes

(Position Independent Executable and Immediate binding are not enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags.
Author: Simon Ruderich <simon@ruderich.org>
Last-Update: 2012-04-29

Index: xloadimage-4.1/Makefile.in
===================================================================
--- xloadimage-4.1.orig/Makefile.in	2012-04-29 12:13:45.456985928 +0200
+++ xloadimage-4.1/Makefile.in	2012-04-29 12:13:45.640985927 +0200
@@ -27,7 +27,7 @@ $(CC) -o $@ $(OBJS) build.o $(LDFLAGS) $(XLIB) $(LIBS) uufilter: uufilter.c - $(CC) $(CFLAGS) $(DEFS) uufilter.c -o $@ + $(CC) $(CFLAGS) $(LDFLAGS) $(DEFS) uufilter.c -o $@ .c.o: config.h image.h $(CC) $(CFLAGS) -c $(DEFS) $< Index: xloadimage-4.1/Makefile.std =================================================================== --- xloadimage-4.1.orig/Makefile.std 2012-04-29 12:13:41.916985912 +0200 +++ xloadimage-4.1/Makefile.std 2012-04-29 12:13:45.640985927 +0200 @@ -23,7 +23,7 @@ # the Make.conf file and recursively calls make. autoconfig: autoconfig.c - $(CC) -g -o autoconfig autoconfig.c + $(CC) $(CFLAGS) $(LDFLAGS) -g -o autoconfig autoconfig.c # manual configuration target configure:: autoconfig Index: xloadimage-4.1/Makefile =================================================================== --- xloadimage-4.1.orig/Makefile 2012-04-29 12:13:41.916985912 +0200 +++ xloadimage-4.1/Makefile 2012-04-29 12:13:45.640985927 +0200 @@ -8,7 +8,7 @@ # Include system configuration parameters include Make.conf -CFLAGS=$(OPT_FLAGS) $(CC_FLAGS) $(CC_CONFIG_FLAGS) $(X11_INC_DIR) \ +CFLAGS+=$(OPT_FLAGS) $(CC_FLAGS) $(CC_CONFIG_FLAGS) $(X11_INC_DIR) \ -DSYSPATHFILE=\"$(SYSPATHFILE)\" LIBS=$(X11_LIB_DIR) $(X11_LIB_NAME) $(SYS_LIBS) -lm @@ -23,7 +23,7 @@ # the Make.conf file and recursively calls make. autoconfig: autoconfig.c - $(CC) -g -o autoconfig autoconfig.c + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -g -o autoconfig autoconfig.c # manual configuration target configure:: autoconfigAttachment: signature.asc
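Review bot: in the Makefile.in hunk the uufilter rule gains $(LDFLAGS) but still omits $(CPPFLAGS), while the Makefile autoconfig hunk in this same patch adds $(CPPFLAGS) $(CFLAGS) $(LDFLAGS); since dpkg-buildflags delivers the fortify define through CPPFLAGS, the uufilter line should read `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(DEFS) uufilter.c -o $@` for consistency. The unchanged `.c.o` context rule right below it (`$(CC) $(CFLAGS) -c $(DEFS) $<`) has the same omission and would need $(CPPFLAGS) as well for every object in the main binary.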
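Review bot: the Makefile.std autoconfig hunk adds only $(CFLAGS) $(LDFLAGS), whereas the identical autoconfig rule in the Makefile hunk is changed to `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -g -o autoconfig autoconfig.c`; the two copies of the rule should be patched the same way so that whichever makefile is used picks up the same flags.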
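Review bot: the `CFLAGS=` to `CFLAGS+=` change in the Makefile hunk only works when CFLAGS reaches make through the environment; if debian/rules ever passes `CFLAGS=...` on the make command line, GNU make ignores makefile assignments to that variable (including `+=`), silently dropping $(OPT_FLAGS), $(CC_CONFIG_FLAGS), $(X11_INC_DIR) and the -DSYSPATHFILE define. Consider `override CFLAGS+=` or documenting in the patch header that the flags must be exported, not passed as make arguments.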
Description: Digital signature
--- End Message ---
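A small build-log checker in the spirit of the blhc check the report recommends, written here as an added example (it is neither blhc's nor xloadimage's code); it flags compiler invocations that lack the expected CPPFLAGS, CFLAGS or LDFLAGS hardening options and runs over a constructed log mirroring the Makefile rules above. The EXPECTED flag set is an assumption approximating what dpkg-buildflags emitted at the time.

```python
import shlex

# Hardening flags dpkg-buildflags emits on Debian (assumed set for this
# example; compare with `dpkg-buildflags --get CFLAGS` on a real system).
EXPECTED = {
    "CPPFLAGS": ("-D_FORTIFY_SOURCE=2",),
    "CFLAGS": ("-fstack-protector", "-Wformat", "-Werror=format-security"),
    "LDFLAGS": ("-Wl,-z,relro",),
}
COMPILERS = {"cc", "gcc", "g++", "c++", "clang", "clang++"}
SOURCE_EXT = (".c", ".cc", ".cpp", ".cxx")

def classify(argv):
    """Return which flag groups a compiler invocation must carry."""
    compiles = any(a.endswith(SOURCE_EXT) for a in argv[1:])
    links = not any(a in ("-c", "-E", "-S") for a in argv[1:])
    groups = ["CPPFLAGS", "CFLAGS"] if compiles else []
    if links:  # a one-step compile-and-link (like uufilter) needs LDFLAGS too
        groups.append("LDFLAGS")
    return groups

def check_line(line):
    """Hardening flags missing from one log line; None if not a compiler call."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes: not a command line we can parse
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in COMPILERS:
        return None
    present = set(argv[1:])
    return [f for g in classify(argv) for f in EXPECTED[g] if f not in present]

def check_log(text):
    """Map 1-based line numbers of offending compiler calls to missing flags."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        missing = check_line(line)
        if missing:
            findings[n] = missing
    return findings

# Constructed log: the .c.o rule, the xloadimage link, the one-step uufilter
# build without LDFLAGS, and the bare autoconfig rule from Makefile.std.
SAMPLE_LOG = """\
gcc -g -O2 -fstack-protector -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c xloadimage.c
gcc -o xloadimage xloadimage.o build.o -Wl,-z,relro -lX11 -lm
gcc -g -O2 -fstack-protector -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 uufilter.c -o uufilter
gcc -g -o autoconfig autoconfig.c
"""
```

The checker reports line 3 as missing only the relro LDFLAGS option (the exact defect in the uufilter rule) and line 4 as missing every hardening flag; real blhc additionally understands libtool wrappers, -O-dependent fortify semantics and per-architecture flag sets.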
--- Begin Message ---
- To: 670819-close@bugs.debian.org
- Subject: Bug#670819: fixed in xloadimage 4.1-19
- From: Jari Aalto <jari.aalto@cante.net>
- Date: Thu, 03 May 2012 10:05:00 +0000
- Message-id: <E1SPsuC-0001m0-KT@franck.debian.org>
Source: xloadimage
Source-Version: 4.1-19

We believe that the bug you reported is fixed in the latest version of xloadimage, which is due to be installed in the Debian FTP archive:

xloadimage_4.1-19.debian.tar.gz
  to main/x/xloadimage/xloadimage_4.1-19.debian.tar.gz
xloadimage_4.1-19.dsc
  to main/x/xloadimage/xloadimage_4.1-19.dsc
xloadimage_4.1-19_amd64.deb
  to main/x/xloadimage/xloadimage_4.1-19_amd64.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 670819@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jari Aalto <jari.aalto@cante.net> (supplier of updated xloadimage package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

Format: 1.8
Date: Sun, 29 Apr 2012 18:40:30 +0300
Source: xloadimage
Binary: xloadimage
Architecture: source amd64
Version: 4.1-19
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Jari Aalto <jari.aalto@cante.net>
Description:
 xloadimage - Graphics file viewer under X11
Closes: 670819
Changes:
 xloadimage (4.1-19) unstable; urgency=low
 .
   * QA upload.
   * Adjust hardening flags to include LDFLAGS for uufilter (Closes: #670819).
     Thanks to Simon Ruderich <simon@ruderich.org>.
--- End Message ---