Bug#667941: korundum: CPPFLAGS hardening flags missing

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#667941: korundum: CPPFLAGS hardening flags missing
From: Simon Ruderich <simon@ruderich.org>
Date: Sat, 7 Apr 2012 18:52:00 +0200
Message-id: <[🔎] 20120407165200.GA21533@ruderich.org>
Reply-to: Simon Ruderich <simon@ruderich.org>, 667941@bugs.debian.org

Package: korundum
Version: 4:4.7.4-1
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores
them by default.

The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].

diff -Nru korundum-4.7.4/debian/rules korundum-4.7.4/debian/rules
--- korundum-4.7.4/debian/rules	2012-04-02 20:14:12.000000000 +0200
+++ korundum-4.7.4/debian/rules	2012-04-07 18:15:10.000000000 +0200
@@ -1,5 +1,10 @@
 #! /usr/bin/make -f
 
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND   = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
 #Always use Ruby 1.8.x
 RUBY_SITEARCH := $(shell ruby1.8 -rrbconfig -e 'puts Config::CONFIG["sitearch"]')
 CMAKE_FLAGS := \

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything).

    $ hardening-check /usr/bin/krubyapplication /usr/lib/kde4/krubypluginfactory.so ...
    /usr/bin/krubyapplication:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/kde4/krubypluginfactory.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#667941: korundum: CPPFLAGS hardening flags missing
  - From: Pino Toscano <pino@debian.org>

Prev by Date: Bug#667932: Keyboard focus in text field is not respected
Next by Date: Bug#667941: korundum: CPPFLAGS hardening flags missing
Previous by thread: Bug#667932: Keyboard focus in text field is not respected
Next by thread: Bug#667941: korundum: CPPFLAGS hardening flags missing
Index(es):
- Date
- Thread