Package: theseus
Version: 1.6.2-1
Severity: normal
Tags: patch

Dear Maintainer,
The hardening flags are missing because the build system ignores
them. For more hardening information please have a look at [1],
[2] and [3].
The two attached patches fix the issue. The first one
(21_use_dpkg_buildflags.patch) should be sent to upstream if
possible, the second (22_hardening_compile.patch) is only
necessary for the debian package. The second patch also sets
-Wno-error=unused-result to prevent a build failure - fixing all
those warnings is a lot of work.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/theseus
/usr/bin/theseus:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
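Added example, not part of the report: a small POSIX sh/awk helper that turns hardening-check output (the constructed sample below is the report's own output, with the one-space indentation the tool prints) into a list of "file: feature" lines for every feature reported as disabled, plus a wrapper around the find invocation above so the whole build tree can be summarised in one go.

```shell
#!/bin/sh
# Read hardening-check output on stdin and print "<file>: <feature>" for
# every feature the tool reports as "no". Lines ending in ":" name a file;
# indented "Feature: status" lines belong to the most recent file.
hardening_missing() {
    awk -F': ' '
        /^[^ ].*:$/ { file = $0; sub(/:$/, "", file); next }
        /^ *[A-Za-z -]+: / {
            name = $1; sub(/^ */, "", name)
            if ($2 ~ /^no/) print file ": " name
        }'
}

# Run hardening-check over all executables and shared objects below a build
# directory (the find command from the report) and summarise the misses.
# Requires the hardening-check tool from the hardening-includes package.
check_build_tree() {
    find "$1" -type f \( -executable -o -name '*.so*' \) \
        -exec hardening-check {} + | hardening_missing
}

# Constructed sample: the hardening-check output quoted in the report.
SAMPLE='/usr/bin/theseus:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!'

# Stand-alone demo: lists the two features that are disabled in the sample.
printf '%s\n' "$SAMPLE" | hardening_missing
```

Run `check_build_tree debian/theseus` after `dpkg-buildpackage` to see which installed files, if any, still lack a hardening feature.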
Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags. . Also use CPPFLAGS and LDFLAGS where appropriate. Author: Simon Ruderich <[email protected]> Last-Update: 2012-04-09 Index: theseus-1.6.2/make.inc =================================================================== --- theseus-1.6.2.orig/make.inc 2012-04-09 02:09:33.411167605 +0200 +++ theseus-1.6.2/make.inc 2012-04-09 02:10:23.355167827 +0200 @@ -25,7 +25,10 @@ #OPT = -O0 -ggdb OPT = -O3 -ffast-math -fstrict-aliasing -funroll-loops -fomit-frame-pointer WARN = -Werror -Wall -pedantic -std=c99 #-Wstrict-aliasing=2 -CFLAGS = $(WARN) #-force_cpusubtype_ALL -mmacosx-version-min=10.4 -arch x86_64 -arch i386 #-DNDEBUG +CFLAGS += $(WARN) #-force_cpusubtype_ALL -mmacosx-version-min=10.4 -arch x86_64 -arch i386 #-DNDEBUG +# CPPFLAGS are ignored by the rest of the build system but necessary for +# hardening flags. +CFLAGS += $(CPPFLAGS) CC = /usr/bin/gcc # Index: theseus-1.6.2/Makefile =================================================================== --- theseus-1.6.2.orig/Makefile 2012-04-09 02:09:02.995167470 +0200 +++ theseus-1.6.2/Makefile 2012-04-09 02:09:34.139167608 +0200 @@ -36,12 +36,12 @@ distfitexe: $(CC) $(OPT) $(CFLAGS) -c distfit.c - $(CC) $(OPT) $(CFLAGS) $(LIBDIR) $(LAPACKLIBDIR) $(BLASLIBDIR) distfit.o $(LIBS) $(LAPACKLIB) $(BLASLIB) $(SYSLIBS) -o distfit + $(CC) $(OPT) $(CFLAGS) $(LDFLAGS) $(LIBDIR) $(LAPACKLIBDIR) $(BLASLIBDIR) distfit.o $(LIBS) $(LAPACKLIB) $(BLASLIB) $(SYSLIBS) -o distfit # THESEUS-specific files theseus: theseus.o $(OBJECTS) - $(CC) $(OPT) $(CFLAGS) $(LIBDIR) $(LAPACKLIBDIR) $(BLASLIBDIR) theseus.o $(OBJECTS) $(LIBS) $(LAPACKLIB) $(BLASLIB) $(SYSLIBS) -o theseus + $(CC) $(OPT) $(CFLAGS) $(LDFLAGS) $(LIBDIR) $(LAPACKLIBDIR) $(BLASLIBDIR) theseus.o $(OBJECTS) $(LIBS) $(LAPACKLIB) $(BLASLIB) $(SYSLIBS) -o theseus CovMat.o: CovMat.c $(CC) $(OPT) $(CFLAGS) $(INCDIR) -c CovMat.c
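Review bot: `CC = /usr/bin/gcc` in the unchanged context of the make.inc hunk still hardcodes the compiler, so a `CC` set by a cross build or a compiler wrapper is ignored even though `CFLAGS` now comes from the environment; consider `CC ?= gcc` in the same patch. Since `CFLAGS += $(CPPFLAGS)` makes the preprocessor flags part of `CFLAGS`, they are also passed on the link lines in the Makefile, which is harmless but worth a word in the added comment.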
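Review bot: the Makefile hunk adds `$(LDFLAGS)` only to the `distfitexe` and `theseus` link lines, so any other target that links an executable would still be built without the hardening link flags (the read-only relocations hardening-check reports); please confirm these are the only link rules, or run the report's `find ... -exec hardening-check {} +` over the full build result to catch a missed binary. Putting `$(LDFLAGS)` before the objects and libraries is the right position for linker options that must precede the inputs.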
Description: Fix compile with dpkg-buildflags. Use -Wno-error=unused-result to ignore unimportant warnings and filter out -O2. Author: Simon Ruderich <[email protected]> Last-Update: 2012-04-09 Index: theseus-1.6.2/make.inc =================================================================== --- theseus-1.6.2.orig/make.inc 2012-04-09 02:10:23.355167827 +0200 +++ theseus-1.6.2/make.inc 2012-04-09 02:11:03.507168001 +0200 @@ -24,11 +24,14 @@ INSTALLDIR = /usr/local/bin #OPT = -O0 -ggdb OPT = -O3 -ffast-math -fstrict-aliasing -funroll-loops -fomit-frame-pointer -WARN = -Werror -Wall -pedantic -std=c99 #-Wstrict-aliasing=2 +WARN = -Werror -Wno-error=unused-result -Wall -pedantic -std=c99 #-Wstrict-aliasing=2 CFLAGS += $(WARN) #-force_cpusubtype_ALL -mmacosx-version-min=10.4 -arch x86_64 -arch i386 #-DNDEBUG # CPPFLAGS are ignored by the rest of the build system but necessary for # hardening flags. CFLAGS += $(CPPFLAGS) +# Filter out -O2 which overwrites the default -O3 because OPT is used before +# CFLAGS. +CFLAGS := $(filter-out -O2,$(CFLAGS)) CC = /usr/bin/gcc #
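Review bot: `CFLAGS := $(filter-out -O2,$(CFLAGS))` in the make.inc hunk deliberately keeps upstream's `-O3 -ffast-math` over Debian's `-O2`; the comment should state that this is intentional and that the fortify check still works, since `-D_FORTIFY_SOURCE=2` from `CPPFLAGS` needs only optimisation enabled, not a particular level. `-Wno-error=unused-result` merely downgrades the unchecked-return-value warnings to non-fatal, so they will remain in the build log; consider saying in the description that the underlying calls should be fixed upstream rather than silenced permanently.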