Package: libnspr4 Version: 2:4.9-2 Severity: important Dear Maintainer,
The LDFLAGS hardening flags are missing. For more hardening
information please have a look at [1], [2] and [3].
$ hardening-check /usr/lib/x86_64-linux-gnu/libplc4.so
/usr/lib/x86_64-linux-gnu/libplds4.so /usr/lib/x86_64-linux-gnu/libnspr4.so
/usr/lib/x86_64-linux-gnu/libplc4.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: no, not found!
Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/libplds4.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: no, not found!
Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/libnspr4.so:
Position Independent Executable: no, regular shared library (ignored)
}tack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: no, not found!
Immediate binding: no not found!
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything).
I've no idea what the code in debian/rules in lines 4-7 is
supposed to do, so I can't propose a patch. If relro should be
disabled please add a comment so non-make-geeks are not confused
;-)
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature

