
Bug#670819: marked as done (xloadimage: Hardening flags missing)



Your message dated Thu, 03 May 2012 10:05:00 +0000
with message-id <E1SPsuC-0001m0-KT@franck.debian.org>
and subject line Bug#670819: fixed in xloadimage 4.1-19
has caused the Debian Bug report #670819,
regarding xloadimage: Hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
670819: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670819
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xloadimage
Version: 4.1-18
Severity: important
Tags: Patch

Dear Maintainer,

The hardening flags are missing because the build system ignores
them. For more hardening information please have a look at [1],
[2] and [3].

The attached patch fixes the issue.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/bin/uufilter /usr/bin/xloadimage
    /usr/bin/uufilter:
     Position Independent Executable: yes
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/xloadimage:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich <simon@ruderich.org>
Last-Update: 2012-04-29

Index: xloadimage-4.1/Makefile.in
===================================================================
--- xloadimage-4.1.orig/Makefile.in	2012-04-29 12:13:45.456985928 +0200
+++ xloadimage-4.1/Makefile.in	2012-04-29 12:13:45.640985927 +0200
@@ -27,7 +27,7 @@
 	$(CC) -o $@ $(OBJS) build.o $(LDFLAGS) $(XLIB) $(LIBS)
 
 uufilter: uufilter.c
-	$(CC) $(CFLAGS) $(DEFS) uufilter.c -o $@
+	$(CC) $(CFLAGS) $(LDFLAGS) $(DEFS) uufilter.c -o $@
 
 .c.o: config.h image.h
 	$(CC) $(CFLAGS) -c $(DEFS) $<
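Review bot: the uufilter rule now gets $(LDFLAGS) but still not $(CPPFLAGS), and the generic `.c.o` rule right below it (`$(CC) $(CFLAGS) -c $(DEFS) $<`) gets neither; dpkg-buildflags delivers -D_FORTIFY_SOURCE=2 via CPPFLAGS, so Fortify only reaches these objects if debian/rules folds CPPFLAGS into CFLAGS. The autoconfig hunk for Makefile further down does pass $(CPPFLAGS) $(CFLAGS) $(LDFLAGS); suggest the same form here, e.g. `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(DEFS) uufilter.c -o $@`, and `$(CC) $(CPPFLAGS) $(CFLAGS) -c $(DEFS) $<` for `.c.o`.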
Index: xloadimage-4.1/Makefile.std
===================================================================
--- xloadimage-4.1.orig/Makefile.std	2012-04-29 12:13:41.916985912 +0200
+++ xloadimage-4.1/Makefile.std	2012-04-29 12:13:45.640985927 +0200
@@ -23,7 +23,7 @@
 # the Make.conf file and recursively calls make.
 
 autoconfig: autoconfig.c
-	$(CC) -g -o autoconfig autoconfig.c
+	$(CC) $(CFLAGS) $(LDFLAGS) -g -o autoconfig autoconfig.c
 
 # manual configuration target
 configure:: autoconfig
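Review bot: this autoconfig rule passes $(CFLAGS) $(LDFLAGS) while the otherwise identical rule in the Makefile hunk below passes $(CPPFLAGS) as well; the two files should use one form so a later sync between Makefile.std and Makefile does not silently drop CPPFLAGS. The hard-coded `-g` is harmless (debug info only) but could sit before $(CFLAGS) so the packager's flags take precedence on any conflict.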
Index: xloadimage-4.1/Makefile
===================================================================
--- xloadimage-4.1.orig/Makefile	2012-04-29 12:13:41.916985912 +0200
+++ xloadimage-4.1/Makefile	2012-04-29 12:13:45.640985927 +0200
@@ -8,7 +8,7 @@
 # Include system configuration parameters
 include Make.conf
 
-CFLAGS=$(OPT_FLAGS) $(CC_FLAGS) $(CC_CONFIG_FLAGS) $(X11_INC_DIR) \
+CFLAGS+=$(OPT_FLAGS) $(CC_FLAGS) $(CC_CONFIG_FLAGS) $(X11_INC_DIR) \
   -DSYSPATHFILE=\"$(SYSPATHFILE)\"
 LIBS=$(X11_LIB_DIR) $(X11_LIB_NAME) $(SYS_LIBS) -lm
 
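Review bot: `CFLAGS+=` only picks up the packager's flags when CFLAGS reaches make through the environment (GNU make imports it as a variable and += then appends); that is what debian/rules exporting dpkg-buildflags provides, but a plain `make` without exported CFLAGS behaves exactly as before, so a comment above the assignment saying the build expects CFLAGS from the environment would help the next maintainer. Also, the patch edits Makefile, Makefile.in and Makefile.std with overlapping changes, and this CFLAGS+= change appears only in Makefile; confirm which file the Debian build actually reads so the change lands where it takes effect.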
@@ -23,7 +23,7 @@
 # the Make.conf file and recursively calls make.
 
 autoconfig: autoconfig.c
-	$(CC) -g -o autoconfig autoconfig.c
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -g -o autoconfig autoconfig.c
 
 # manual configuration target
 configure:: autoconfig
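Review bot: per the comment above it, autoconfig is a build-time helper that writes Make.conf and recursively calls make, and it is not one of the shipped binaries the hardening-check output lists (uufilter, xloadimage), so passing the hardening flags here is harmless but does not change the installed package. It is, however, the only rule in the patch that passes $(CPPFLAGS); the uufilter and `.c.o` rules in Makefile.in are the ones that determine what hardening-check reports and should get the same treatment.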



--- End Message ---
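As an added example (not part of the bug report or the xloadimage package), a small Python checker that parses hardening-check output like the report quoted in the message and lists, per binary, which of the default-on protections (stack protector, Fortify, RELRO) are missing; the embedded sample is the report from the message, and the set of required checks is an assumption matching what the report says is on by default.

```python
import re

# Constructed sample: the hardening-check report quoted in the bug report above.
SAMPLE_REPORT = """\
/usr/bin/uufilter:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/bin/xloadimage:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
"""

# Assumed set of checks dpkg-buildflags turns on by default; PIE and immediate
# binding are opt-in (as the report notes), so they are not in the required set.
REQUIRED = ("Stack protected", "Fortify Source functions", "Read-only relocations")

# Matches " <check name>: yes|no<optional detail>" lines under a binary header.
_CHECK = re.compile(r"^\s+(?P<name>[^:]+):\s*(?P<state>yes|no)\b(?P<detail>.*)$")

def parse_report(text):
    """Map binary path -> {check name: (enabled, detail text)}."""
    result, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current = line[:-1]          # header line such as "/usr/bin/uufilter:"
            result[current] = {}
            continue
        m = _CHECK.match(line)
        if m and current is not None:
            result[current][m["name"]] = (m["state"] == "yes", m["detail"].strip(" ,"))
    return result

def missing_required(report):
    """Binaries failing any default-on check, mapped to the failing check names."""
    failures = {}
    for binary, checks in report.items():
        # A check that is absent from the report counts as not enabled.
        bad = [c for c in REQUIRED if not checks.get(c, (False, ""))[0]]
        if bad:
            failures[binary] = bad
    return failures
```

Feeding the real hardening-check output of a build tree into parse_report and exiting non-zero when missing_required returns anything gives a simple gate for the build log.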
--- Begin Message ---
Source: xloadimage
Source-Version: 4.1-19

We believe that the bug you reported is fixed in the latest version of
xloadimage, which is due to be installed in the Debian FTP archive:

xloadimage_4.1-19.debian.tar.gz
  to main/x/xloadimage/xloadimage_4.1-19.debian.tar.gz
xloadimage_4.1-19.dsc
  to main/x/xloadimage/xloadimage_4.1-19.dsc
xloadimage_4.1-19_amd64.deb
  to main/x/xloadimage/xloadimage_4.1-19_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 670819@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jari Aalto <jari.aalto@cante.net> (supplier of updated xloadimage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 29 Apr 2012 18:40:30 +0300
Source: xloadimage
Binary: xloadimage
Architecture: source amd64
Version: 4.1-19
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Jari Aalto <jari.aalto@cante.net>
Description: 
 xloadimage - Graphics file viewer under X11
Closes: 670819
Changes: 
 xloadimage (4.1-19) unstable; urgency=low
 .
   * QA upload.
   * Adjust hardening flags to include LDFLAGS for uufilter
     (Closes: #670819). Thanks to Simon Ruderich <simon@ruderich.org>.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk+iVnYACgkQLARVQsm1Xaxu5wCghHqyo/LnfSOP/qx1Hta+HEG4
D/EAmwXU17KEeTl5Op5thsneus4aUYnt
=atAN
-----END PGP SIGNATURE-----



--- End Message ---
