Package: hydra
Version: 7.2-1
Severity: important
Tags: patch

Dear Maintainer,
The hardening flags are missing because the build system ignores
CFLAGS/CPPFLAGS/LDFLAGS in a few places.
The following patch fixes the issue. If possible it should be
sent upstream.
diff -Nru hydra-7.2/debian/patches/05_add_option_to_cflag.diff
hydra-7.2/debian/patches/05_add_option_to_cflag.diff
--- hydra-7.2/debian/patches/05_add_option_to_cflag.diff 2012-02-16
20:26:13.000000000 +0100
+++ hydra-7.2/debian/patches/05_add_option_to_cflag.diff 2012-03-22
20:43:40.000000000 +0100
@@ -19,7 +19,7 @@
hydra: hydra.c $(OBJ)
- $(CC) $(OPTS) $(LIBS) -o hydra $(HYDRA_LOGO) hydra.c $(OBJ) $(LIBS)
$(XLIBS) $(XLIBPATHS) $(XIPATHS) $(XDEFINES)
-+ $(CC) $(OPTS) $(LDFLAGS) $(LIBS) -o hydra $(HYDRA_LOGO) hydra.c $(OBJ)
$(LIBS) $(XLIBS) $(XLIBPATHS) $(XDEFINES)
++ $(CC) $(OPTS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(LIBS) -o hydra
$(HYDRA_LOGO) hydra.c $(OBJ) $(LIBS) $(XLIBS) $(XLIBPATHS) $(XDEFINES)
@echo
@echo If men could get pregnant, abortion would be a sacrament
@echo
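Review bot: the replacement link line for hydra drops $(XIPATHS), which the upstream `-` line still passes (`$(XLIBS) $(XLIBPATHS) $(XIPATHS) $(XDEFINES)`); since hydra.c is compiled on this very command line, any include paths carried in XIPATHS no longer reach it. The earlier version of the patch (the `-+` line) already omitted it, so this may be deliberate, but if it is not, put `$(XIPATHS)` back in the `++` line. Placing `$(CFLAGS) $(CPPFLAGS)` after `$(OPTS)` on this line lets the packager's flags override upstream's where they conflict, which is the order the hardening flags want; keep that order in the other rules too.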
@@ -28,11 +28,11 @@
pw-inspector: pw-inspector.c
- -$(CC) $(OPTS) -o pw-inspector $(PWI_LOGO) pw-inspector.c
-+ -$(CC) $(OPTS) $(CFLAGS) -o pw-inspector $(PWI_LOGO) pw-inspector.c
++ -$(CC) $(OPTS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o pw-inspector
$(PWI_LOGO) pw-inspector.c
.c.o:
- $(CC) $(OPTS) -c $< $(XDEFINES) $(XIPATHS)
-+ $(CC) $(CFLAGS) $(OPTS) -c $< $(XDEFINES) $(XIPATHS)
++ $(CC) $(CFLAGS) $(CPPFLAGS) $(OPTS) -c $< $(XDEFINES) $(XIPATHS)
strip: hydra
strip $(BINS)
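Review bot: flag ordering differs between the two rules in this hunk: the pw-inspector recipe puts `$(CFLAGS) $(CPPFLAGS)` after `$(OPTS)`, while the `.c.o` rule puts them before it (`$(CC) $(CFLAGS) $(CPPFLAGS) $(OPTS) -c $<`). For options the compiler resolves by last occurrence (an -O level, -D/-U of the same macro) the winner then differs per rule; pick one order, preferably OPTS first so the build flags take precedence, and use it in both. Separately, the pw-inspector recipe keeps its leading `-`, so make ignores a compile or link failure there; a pw-inspector that silently failed to build with the new flags would only show up in the build log, not as a failed build.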
To check if all flags were correctly enabled, you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/pw-inspector /usr/bin/hydra /usr/bin/xhydra
/usr/bin/pw-inspector:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/hydra:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/xhydra:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use

  find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.
Regards,
Simon
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
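Added example, not part of the bug report and not code from hydra or from hardening-check: a small Python script that reads the same ELF markers hardening-check looks at straight from the file (e_type for PIE, a PT_GNU_RELRO segment for read-only relocations, DT_BIND_NOW or the BIND_NOW bit in DT_FLAGS/DT_FLAGS_1 for immediate binding, and the imported __stack_chk_fail and __*_chk symbols for stack protector and fortify), so the check can be scripted without readelf. It also builds synthetic ELF64 images carrying chosen markers so the checker can be exercised offline; those images, the function names and the script name are assumptions of the example, and the sample built in the main block mirrors the result reported above (no PIE, no immediate binding, everything else on).

```python
#!/usr/bin/env python3
"""Hardening check by parsing ELF64 headers directly (no readelf needed).
Added example; the sample images built here are synthetic, not hydra's."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
SHT_STRTAB, SHT_DYNSYM = 3, 11
# ELF64 layouts: file header, program header, section header, dynamic entry, symbol
EHDR, PHDR, SHDR, DYN, SYM = "16sHHIQQQIHHHHHH", "IIQQQQQQ", "IIQQQQIIQQ", "qQ", "IBBHQQ"


def check_hardening(data):
    """Return the five properties hardening-check reports, from raw ELF bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (_, e_type, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = struct.unpack_from(e + EHDR, data, 0)
    phdrs = [struct.unpack_from(e + PHDR, data, phoff + i * phentsize)
             for i in range(phnum)]
    shdrs = [struct.unpack_from(e + SHDR, data, shoff + i * shentsize)
             for i in range(shnum)]

    # Read-only relocations: a PT_GNU_RELRO segment exists (-Wl,-z,relro).
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)

    # Immediate binding (-Wl,-z,now): DT_BIND_NOW, or the BIND_NOW bit in
    # DT_FLAGS / DT_FLAGS_1.  Walk the PT_DYNAMIC segment up to DT_NULL.
    bind_now = False
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off, end = p[2], p[2] + p[5]          # p_offset, p_filesz
        while off + 16 <= end:
            tag, val = struct.unpack_from(e + DYN, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
            off += 16

    # Stack protector and FORTIFY_SOURCE show up as imported symbols:
    # __stack_chk_fail and the __*_chk variants of libc functions.
    names = set()
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab_off = shdrs[sh[6]][4]           # sh_link -> .dynstr, its sh_offset
        for off in range(sh[4], sh[4] + sh[5], struct.calcsize(SYM)):
            st_name = struct.unpack_from(e + "I", data, off)[0]
            start = strtab_off + st_name
            names.add(data[start:data.index(b"\0", start)].decode())

    return {
        "pie": e_type == ET_DYN,               # note: also true for shared objects
        "stack_protector": "__stack_chk_fail" in names,
        "fortify": any(n.startswith("__") and n.endswith("_chk") for n in names),
        "relro": relro,
        "bind_now": bind_now,
    }


def build_sample_elf(pie, relro, bind_now, symbols):
    """Constructed minimal ELF64 image with the given markers (not runnable code)."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dynstr = b"\0" + b"".join(s.encode() + b"\0" for s in symbols)
    dynsym, name_off = struct.pack("<" + SYM, 0, 0, 0, 0, 0, 0), 1
    for s in symbols:                          # undefined (SHN_UNDEF) imports
        dynsym += struct.pack("<" + SYM, name_off, 0x12, 0, 0, 0, 0)
        name_off += len(s) + 1
    nph = 2 if relro else 1
    dynoff = 64 + nph * 56                     # file header + program headers
    stroff = dynoff + len(dyn)
    symoff = stroff + len(dynstr)
    shoff = symoff + len(dynsym)
    ph = struct.pack("<" + PHDR, PT_DYNAMIC, 6, dynoff, dynoff, dynoff, len(dyn), len(dyn), 8)
    if relro:
        ph += struct.pack("<" + PHDR, PT_GNU_RELRO, 4, dynoff, dynoff, dynoff, len(dyn), len(dyn), 1)
    sh = bytes(64)                             # mandatory null section header
    sh += struct.pack("<" + SHDR, 0, SHT_STRTAB, 0, 0, stroff, len(dynstr), 0, 0, 1, 0)
    sh += struct.pack("<" + SHDR, 0, SHT_DYNSYM, 0, 0, symoff, len(dynsym), 1, 1, 8, 24)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, LSB, version 1
    ehdr = struct.pack("<" + EHDR, ident, ET_DYN if pie else ET_EXEC, 62, 1, 0,
                       64, shoff, 0, 64, 56, nph, 64, 3, 0)
    return ehdr + ph + dyn + dynstr + dynsym + sh


if __name__ == "__main__":
    for path in sys.argv[1:]:                  # e.g. ./elfcheck.py /usr/bin/hydra
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
    if len(sys.argv) == 1:                     # constructed sample matching the report above
        sample = build_sample_elf(False, True, False, ["__stack_chk_fail", "__printf_chk"])
        print("sample", check_hardening(sample))
```

Two caveats carry over from hardening-check itself: PIE is inferred from ET_DYN, which a shared library also has, so only read that field for executables; and stack protector and fortify are inferred from imported symbols, so a binary with no protectable buffers or no fortifiable libc calls reports "no" even when it was built with the flags. That is why the report above also asks you to read the build log.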