
Bug#669183: marked as done (pkg-kde-tools: LDFLAGS hardening flags overwritten when using variables.mk)



Your message dated Sat, 02 Jun 2012 19:51:40 +0000
with message-id <E1SauMO-0001aL-4R@franck.debian.org>
and subject line Bug#669183: fixed in pkg-kde-tools 0.15.0
has caused the Debian Bug report #669183,
regarding pkg-kde-tools: LDFLAGS hardening flags overwritten when using variables.mk
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
669183: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669183
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: pkg-kde-tools
Version: 0.14.3
Severity: normal
Tags: patch

Dear Maintainer,

The LDFLAGS hardening flags are missing when a package includes
variables.mk. For more hardening information please have a look
at [1], [2] and [3].

The attached patch fixes the issue. It also updates README.Debian
to prevent the overwrite of hardening flags and adds CPPFLAGS to
CFLAGS which are otherwise ignored by cmake.

I found no way to enable DEB_KDE_LINK_WITH_AS_NEEDED without
including variables.mk. But for compat=9 there is another simple
way. Just add this at the top of debian/rules:

    export DEB_LDFLAGS_MAINT_APPEND = -Wl,--no-undefined -Wl,--as-needed

Works fine for all build systems which respect LDFLAGS and is
documented in dpkg-buildflags(1). Maybe you could add that to
README.Debian as well.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
diff -Nru pkg-kde-tools-0.14.3/debian/README.Debian pkg-kde-tools-0.14.3.1~debhelper1/debian/README.Debian
--- pkg-kde-tools-0.14.3/debian/README.Debian	2011-04-25 09:39:21.000000000 +0200
+++ pkg-kde-tools-0.14.3.1~debhelper1/debian/README.Debian	2012-04-18 01:52:47.000000000 +0200
@@ -68,9 +68,9 @@
 	mkdir -p builddir
 	cd builddir && cmake .. \
 		-DCMAKE_INSTALL_PREFIX=/usr \
-		-DCMAKE_C_FLAGS="$(CFLAGS)" \
-		-DCMAKE_LD_FLAGS="-Wl,-z,defs" \
-		-DCMAKE_CXX_FLAGS="$(CXXFLAGS)" \
+		-DCMAKE_C_FLAGS="$(CPPFLAGS) $(CFLAGS)" \
+		-DCMAKE_LD_FLAGS="$(LDFLAGS) -Wl,-z,defs" \
+		-DCMAKE_CXX_FLAGS="$(CPPFLAGS) $(CXXFLAGS)" \
 		-DCMAKE_SKIP_RPATH=ON \
 		-DCMAKE_VERBOSE_MAKEFILE=ON \
 		$(DEB_CMAKE_KDE4_FLAGS)
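Review bot: The -DCMAKE_LD_FLAGS line in this README example uses a different variable from the variables.mk part of the same patch, which passes linker flags through CMAKE_SHARED_LINKER_FLAGS, CMAKE_MODULE_LINKER_FLAGS and CMAKE_EXE_LINKER_FLAGS. If cmake does not act on CMAKE_LD_FLAGS, packages that copy this snippet still lose $(LDFLAGS), so consider showing the three *_LINKER_FLAGS variables here too. The README text around the example could also say that $(CPPFLAGS) is folded into the C and C++ flags because cmake ignores it otherwise.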
diff -Nru pkg-kde-tools-0.14.3/makefiles/1/variables.mk pkg-kde-tools-0.14.3.1~debhelper1/makefiles/1/variables.mk
--- pkg-kde-tools-0.14.3/makefiles/1/variables.mk	2011-03-27 14:13:44.000000000 +0200
+++ pkg-kde-tools-0.14.3.1~debhelper1/makefiles/1/variables.mk	2012-04-18 01:52:01.000000000 +0200
@@ -47,7 +47,7 @@
 
 ifneq (,$(DEB_KDE_LINKER_FLAGS))
     DEB_CMAKE_CUSTOM_FLAGS += \
-        -DCMAKE_SHARED_LINKER_FLAGS="$(DEB_KDE_LINKER_FLAGS)" \
-        -DCMAKE_MODULE_LINKER_FLAGS="$(DEB_KDE_LINKER_FLAGS)" \
-        -DCMAKE_EXE_LINKER_FLAGS="$(DEB_KDE_LINKER_FLAGS)"
+        -DCMAKE_SHARED_LINKER_FLAGS="$(LDFLAGS) $(DEB_KDE_LINKER_FLAGS)" \
+        -DCMAKE_MODULE_LINKER_FLAGS="$(LDFLAGS) $(DEB_KDE_LINKER_FLAGS)" \
+        -DCMAKE_EXE_LINKER_FLAGS="$(LDFLAGS) $(DEB_KDE_LINKER_FLAGS)"
 endif
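Review bot: The three replaced lines now depend on $(LDFLAGS) without saying where it comes from; a one-line comment above the ifneq noting that LDFLAGS is expected from the environment and is prepended because these -D overrides otherwise overwrite it would make the intent clear. Whether $(LDFLAGS) is expanded here or later depends on how DEB_CMAKE_CUSTOM_FLAGS was first assigned, which this hunk does not show, so it is worth confirming that a debian/rules which sets LDFLAGS after including variables.mk still gets it. Placing $(LDFLAGS) first means $(DEB_KDE_LINKER_FLAGS) wins on any conflicting option, which should be stated if intended.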


--- End Message ---
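
A check for the failure described in the report above, as an added example that is not part of the original message or of pkg-kde-tools: it reports which required linker flags are missing from the explicit -DCMAKE_*_LINKER_FLAGS overrides on a cmake command line. The sample command lines are constructed, and -Wl,-z,relro and the KDE flag string are assumed stand-ins for the output of dpkg-buildflags --get LDFLAGS and for DEB_KDE_LINKER_FLAGS.

```shell
#!/bin/sh
# Added example: detect hardening LDFLAGS dropped by explicit
# -DCMAKE_*_LINKER_FLAGS overrides on a cmake command line.

# Assumed stand-ins; in a real build use: HARDEN=$(dpkg-buildflags --get LDFLAGS)
HARDEN='-Wl,-z,relro'
KDE='-Wl,--no-undefined -Wl,--as-needed'

# Constructed sample command line; $1 is the value given to every override.
sample_line() {
    printf 'cmake .. -DCMAKE_SHARED_LINKER_FLAGS="%s" -DCMAKE_MODULE_LINKER_FLAGS="%s" -DCMAKE_EXE_LINKER_FLAGS="%s"' "$1" "$1" "$1"
}
BEFORE=$(sample_line "$KDE")          # overrides without $(LDFLAGS)
AFTER=$(sample_line "$HARDEN $KDE")   # overrides with $(LDFLAGS) prepended

# missing_ldflags REQUIRED CMDLINE
# Prints "VAR: flag" for each required flag absent from an override.
# Returns 1 if anything is missing, 0 otherwise.
missing_ldflags() {
    required=$1 cmdline=$2 rc=0
    for var in CMAKE_SHARED_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS \
               CMAKE_EXE_LINKER_FLAGS; do
        # A variable that is not overridden on the command line is skipped.
        case $cmdline in *"-D$var="*) ;; *) continue ;; esac
        value=$(printf '%s\n' "$cmdline" |
                sed -n "s/.*-D$var=\"\([^\"]*\)\".*/\1/p")
        for flag in $required; do
            # Whole-word match so "-Wl,-z,relro" does not match a longer flag.
            case " $value " in
                *" $flag "*) ;;
                *) printf '%s: %s\n' "$var" "$flag"; rc=1 ;;
            esac
        done
    done
    return $rc
}

for line in "$BEFORE" "$AFTER"; do
    if out=$(missing_ldflags "$HARDEN" "$line"); then
        echo "ok: all overrides carry the required flags"
    else
        echo "dropped:"; echo "$out"
    fi
done
```
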
--- Begin Message ---
Source: pkg-kde-tools
Source-Version: 0.15.0

We believe that the bug you reported is fixed in the latest version of
pkg-kde-tools, which is due to be installed in the Debian FTP archive:

libdlrestrictions-dev_0.15.0_amd64.deb
  to main/p/pkg-kde-tools/libdlrestrictions-dev_0.15.0_amd64.deb
libdlrestrictions1_0.15.0_amd64.deb
  to main/p/pkg-kde-tools/libdlrestrictions1_0.15.0_amd64.deb
pkg-kde-tools_0.15.0.dsc
  to main/p/pkg-kde-tools/pkg-kde-tools_0.15.0.dsc
pkg-kde-tools_0.15.0.tar.bz2
  to main/p/pkg-kde-tools/pkg-kde-tools_0.15.0.tar.bz2
pkg-kde-tools_0.15.0_all.deb
  to main/p/pkg-kde-tools/pkg-kde-tools_0.15.0_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 669183@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Modestas Vainius <modax@debian.org> (supplier of updated pkg-kde-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 02 Jun 2012 21:45:25 +0300
Source: pkg-kde-tools
Binary: pkg-kde-tools libdlrestrictions1 libdlrestrictions-dev
Architecture: source all amd64
Version: 0.15.0
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Modestas Vainius <modax@debian.org>
Description: 
 libdlrestrictions-dev - development files for the DLRestrictions library
 libdlrestrictions1 - library that implements library compatibility checks for dlopen()
 pkg-kde-tools - various packaging tools and scripts for KDE Applications
Closes: 657806 669183
Changes: 
 pkg-kde-tools (0.15.0) unstable; urgency=low
 .
   * Team upload.
 .
   [ Modestas Vainius ]
   * Bump Standards-Version to 3.9.3: no changes needed.
   * Install pkgkde-git as an alias for pkgkde-vcs with VCS type forced to git.
   * Implement pkgkde-git clone and update-config subcommands.
   * Make variables.mk respect LDFLAGS from environment. Thanks to Simon
     Ruderich for the patch. (Closes: #669183)
   * pkgkde-symbolshelper: output covariant return trunks with c++ tag since the
     symbol name contains an arch-specific offset. (Closes: #657806)
 .
   [ José Manuel Santamaría Lema ]
   * Add a workaround for cmake bug #653916 (cmake ignores CPPFLAGS) in
     qt-kde-team/2/dhmk.mk.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk/Ka2AACgkQHO9JRnPq4hS7AwCeIrJR6zZ/hKV0rrfuPmw3/OP+
oU8AoOMGhK7ys1uPPs+tj6tp8Azc681l
=BzlJ
-----END PGP SIGNATURE-----



--- End Message ---