Package: mupdf Version: 0.9-2 Severity: important Tags: Patch Dear Maintainer,
The CPPFLAGS hardening flags are missing because the build system
ignores them.
The following patch fixes the issue by adding CPPFLAGS to CFLAGS.
It also enables verbose builds to detect missing hardening flags
(like these CPPFLAGS).
diff -Nru mupdf-0.9/debian/rules mupdf-0.9/debian/rules
--- mupdf-0.9/debian/rules 2011-12-17 16:18:07.000000000 +0100
+++ mupdf-0.9/debian/rules 2012-03-23 01:26:19.000000000 +0100
@@ -4,11 +4,17 @@
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
+# Enable verbose builds to detect missing (hardening) flags.
+export verbose=1
+
# This has to be exported to make some magic below work.
export DH_OPTIONS
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk
+# The build system doesn't use CPPFLAGS, pass them to CFLAGS to enable the
+# missing (hardening) flags.
+CFLAGS += $(CPPFLAGS)
ifneq (,$(filter x-fpic,$(DEB_BUILD_OPTIONS)))
CFLAGS += -fPIC
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/mupdf /usr/bin/pdfshow /usr/bin/pdfdraw
/usr/bin/pdfclean
/usr/bin/mupdf:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/bin/pdfshow:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/bin/pdfdraw:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/bin/pdfclean:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature
