Package: ramond Version: 0.5-2 Severity: important Tags: patch Dear Maintainer,
The CPPFLAGS hardening flags are missing because the build system
ignores them. For more hardening information please have a look
at [1], [2] and [3].
The attached patch (which is a revised version of
0004-Honor-CFLAGS-and-LDFLAGS.patch) fixes the issue by updating
the patch for the Makefile.
As ramond is a network daemon you might want to consider enabling
all hardening flags (including PIE and bindnow). The following
patch enables them:
diff -Nru ramond-0.5/debian/rules ramond-0.5/debian/rules
--- ramond-0.5/debian/rules 2011-12-12 22:29:41.000000000 +0100
+++ ramond-0.5/debian/rules 2012-03-24 16:17:33.000000000 +0100
@@ -2,8 +2,9 @@
# -*- makefile -*-
# Inject the dpkg buildflags
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk
-export CPPFLAGS CFLAGS LDFLAGS
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/sbin/ramond
/usr/sbin/ramond:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
From: Nicolas Dandrimont <[email protected]> Date: Mon, 12 Dec 2011 19:38:38 +0100 Subject: Honor CFLAGS, CPPFLAGS and LDFLAGS --- Makefile | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) Index: ramond-0.5/Makefile =================================================================== --- ramond-0.5.orig/Makefile 2011-05-26 00:42:13.000000000 +0200 +++ ramond-0.5/Makefile 2012-03-24 16:11:14.685413806 +0100 @@ -1,8 +1,10 @@ GCC=/usr/bin/gcc RM=/bin/rm -CFLAGS=-ggdb -LDFLAGS=-lpcap +CFLAGS ?= -ggdb +LDFLAGS ?= + +PCAP_LDFLAGS=-lpcap APR_CFLAGS=`apr-1-config --includes --cppflags --cflags` APR_LDFLAGS=`apr-1-config --link-ld --libs ` @@ -13,17 +15,17 @@ all: ramond log.o: src/log.c - $(GCC) -c src/log.c $(CFLAGS) $(APR_CFLAGS) $(XML_CFLAGS) + $(GCC) -c src/log.c $(CFLAGS) $(CPPFLAGS) $(APR_CFLAGS) $(XML_CFLAGS) xmlparser.o: src/xmlparser.c src/type.h - $(GCC) -c src/xmlparser.c $(CFLAGS) $(APR_CFLAGS) $(XML_CFLAGS) + $(GCC) -c src/xmlparser.c $(CFLAGS) $(CPPFLAGS) $(APR_CFLAGS) $(XML_CFLAGS) main.o: src/main.c src/type.h - $(GCC) -c src/main.c $(CFLAGS) $(APR_CFLAGS) $(XML_CFLAGS) + $(GCC) -c src/main.c $(CFLAGS) $(CPPFLAGS) $(APR_CFLAGS) $(XML_CFLAGS) ramond: main.o xmlparser.o log.o - $(GCC) log.o xmlparser.o main.o -o ramond $(LDFLAGS) $(APR_LDFLAGS) $(XML_LDFLAGS) + $(GCC) log.o xmlparser.o main.o -o ramond $(LDFLAGS) $(PCAP_LDFLAGS) $(APR_LDFLAGS) $(XML_LDFLAGS) clean: @-$(RM) ramond
signature.asc
Description: Digital signature
