Package: libusb
Version: 2:0.1.12-20
Severity: important
Tags: patch

Dear Maintainer,
The CXXFLAGS hardening flags are missing because debian/rules
doesn't set them.
The following patch fixes the issue. Btw. the *_UDEB flags are
not used.
diff -Nru libusb-0.1.12/debian/rules libusb-0.1.12/debian/rules
--- libusb-0.1.12/debian/rules 2011-12-31 01:56:04.000000000 +0100
+++ libusb-0.1.12/debian/rules 2012-03-22 23:55:26.000000000 +0100
@@ -20,15 +20,18 @@
# Get flags from dpkg-buildflags
CFLAGS = $(shell dpkg-buildflags --get CFLAGS)
+CXXFLAGS = $(shell dpkg-buildflags --get CXXFLAGS)
LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)
# Additional flags
CFLAGS += -Wall
+CXXFLAGS += -Wall
# Flags for udebs
-CPPFLAGS_UDEB = $(CFLAGS)
+CPPFLAGS_UDEB = $(CPPFLAGS)
CFLAGS_UDEB = $(CFLAGS) -Os
+CXXLFAGS_UDEB = $(CXXFLAGS) -Os
LDFLAGS_UDEB = $(LDFLAGS)
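Review bot: The variable name on the added line `+CXXLFAGS_UDEB = $(CXXFLAGS) -Os` is misspelled; it should be `CXXFLAGS_UDEB` to match `CFLAGS_UDEB` and `CPPFLAGS_UDEB` beside it. make will accept the misspelled name silently, so anything that later references `CXXFLAGS_UDEB` would expand to an empty string and the udeb C++ objects would be built without the hardening flags.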
@@ -63,7 +66,7 @@
# run configure with build tree $(objdir)
cd $(objdir) && \
- CPPFLAGS="$(CPPFLAGS)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)"
../configure \
+ CPPFLAGS="$(CPPFLAGS)" CFLAGS="$(CFLAGS)"
CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" ../configure \
--host=$(DEB_HOST_GNU_TYPE) \
--build=$(DEB_BUILD_GNU_TYPE) \
--prefix=/usr \
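Review bot: Both the removed and the added configure lines are folded in this hunk, so `../configure \` and `CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" ../configure \` sit on lines without a `-` or `+` marker and the patch will not apply as posted. Please resend it as an attachment or with line wrapping disabled. Once unfolded, passing `CXXFLAGS="$(CXXFLAGS)"` alongside `CFLAGS` is the right place to hand the C++ flags to configure.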
@@ -82,7 +85,7 @@
# run configure with build tree $(objdir_udeb)
cd $(objdir_udeb) && \
- CPPFLAGS="$(CPPFLAGS)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)"
../configure \
+ CPPFLAGS="$(CPPFLAGS)" CFLAGS="$(CFLAGS)"
CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" ../configure \
--prefix=/usr \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
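Review bot: The udeb configure call passes `$(CPPFLAGS)`, `$(CFLAGS)`, `$(CXXFLAGS)` and `$(LDFLAGS)` rather than the `*_UDEB` variables defined in the first hunk, so the `-Os` variants never reach this build. Either switch this invocation to the `*_UDEB` names or drop those definitions from debian/rules, so the file does not suggest the udeb is built with different flags than it really is. The line folding noted for the previous hunk applies here as well.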
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /lib/x86_64-linux-gnu/libusb-0.1.so.4.4.4
/lib/x86_64-linux-gnu/libusb-0.1.so.4.4.4
/usr/lib/x86_64-linux-gnu/libusbpp-0.1.so.4.4.4
/usr/lib/x86_64-linux-gnu/libusbpp-0.1.so.4.4.4
/lib/x86_64-linux-gnu/libusb-0.1.so.4.4.4:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/lib/x86_64-linux-gnu/libusb-0.1.so.4.4.4:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/libusbpp-0.1.so.4.4.4:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/libusbpp-0.1.so.4.4.4:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
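
An added example, not part of the original report: a small parser for `hardening-check` output in the format shown above that lists the files missing a protection the default build flags should provide, skipping the two checks the report says are not enabled by default. The function names and the sample paths are constructed for illustration.

```python
import re

# Reported by hardening-check but not enabled by default (per the report above).
NOT_DEFAULT = {"Position Independent Executable", "Immediate binding"}

def parse_hardening_check(text):
    """Return {path: {check_name: result_string}} from hardening-check output."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/") and line.endswith(":"):
            # A "<path>:" header starts the block for one binary.
            current = results.setdefault(line[:-1], {})
        elif current is not None and ": " in line:
            name, value = line.split(": ", 1)
            current[name] = value
    return results

def missing_protections(text, ignore=NOT_DEFAULT):
    """Return sorted (path, check) pairs whose result starts with 'no'."""
    missing = []
    for path, checks in parse_hardening_check(text).items():
        for name, value in checks.items():
            if name not in ignore and re.match(r"no\b", value):
                missing.append((path, name))
    return sorted(missing)

# Constructed sample in the output format quoted above (placeholder paths).
SAMPLE = """\
/tmp/build/libexample.so.1:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/tmp/build/libexamplepp.so.1:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no not found!
"""

if __name__ == "__main__":
    for path, check in missing_protections(SAMPLE):
        print(f"{path}: missing {check}")
```

In a package build, the text passed to `missing_protections` would be the captured output of the `find ... -exec hardening-check {} +` command from the report, and a non-empty result can fail the job.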

