Package: aria2
Version: 1.15.0-1
Severity: normal

I looked at build logs and it shows that Fortify Source (-D_FORTIFY_SOURCE=2) is missing from compile flags. And mostly flags are ignored. When compiling in this directory other hardening features are enabled:
make[7]: Entering directory `/build/buildd-aria2_1.15.0-1-i386-oexzB9/aria2-1.15.0/deps/wslay/lib'
/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -DHAVE_CONFIG_H -I./includes -I./includes -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -MT wslay_frame.lo -MD -MP -MF .deps/wslay_frame.Tpo -c -o wslay_frame.lo wslay_frame.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -DHAVE_CONFIG_H -I./includes -I./includes -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -MT wslay_frame.lo -MD -MP -MF .deps/wslay_frame.Tpo -c wslay_frame.c -o wslay_frame.o

But when entering directory src it seems that no hardening is enabled.

Making all in src
make[3]: Entering directory `/build/buildd-aria2_1.15.0-1-i386-oexzB9/aria2-1.15.0/src'
g++ -DHAVE_CONFIG_H -I. -I.. -Wall -I../lib -I../intl -DLOCALEDIR=\"/usr/share/locale\" -DCA_BUNDLE=\"/etc/ssl/certs/ca-certificates.crt\" -DHAVE_CONFIG_H -I../deps/wslay/lib/includes -I../deps/wslay/lib/includes -I/usr/include/p11-kit-1 -I/usr/include/libxml2 -g -O2 -MT SocketCore.o -MD -MP -MF .deps/SocketCore.Tpo -c -o SocketCore.o SocketCore.cc

Here are some links that may help:
http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
http://wiki.debian.org/Hardening
http://wiki.debian.org/HardeningWalkthrough
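Added example (not part of the original report, and not aria2 or Debian code): a small Python check that walks a build log like the one quoted above and lists, per build directory, which of the hardening flags named in the report are absent from each compile command. The sample log is constructed by shortening the two compile lines in the report; the function and constant names are hypothetical.

```python
import re
import shlex

# Flags taken from the report: the first is the one it says is missing,
# the other two appear on the wslay compile line.
REQUIRED = ("-D_FORTIFY_SOURCE=2", "-fstack-protector", "-Werror=format-security")
COMPILERS = {"gcc", "g++", "cc", "c++"}
ENTER = re.compile(r"^make(?:\[\d+\])?: Entering directory [`'](.+)'$")

# Constructed sample: the report's two compile commands with include paths trimmed.
SAMPLE_LOG = r"""make[7]: Entering directory `/build/buildd-aria2_1.15.0-1-i386-oexzB9/aria2-1.15.0/deps/wslay/lib'
/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -Wall -g -O2 -fstack-protector -c -o wslay_frame.lo wslay_frame.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c wslay_frame.c -o wslay_frame.o
make[3]: Entering directory `/build/buildd-aria2_1.15.0-1-i386-oexzB9/aria2-1.15.0/src'
g++ -DHAVE_CONFIG_H -I. -I.. -Wall -DLOCALEDIR=\"/usr/share/locale\" -g -O2 -c -o SocketCore.o SocketCore.cc
"""

def audit(log_text):
    """Return [(directory, source file, [missing flags])] for compile commands."""
    findings, cwd = [], "?"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTER.match(line)
        if m:                      # remember which directory make is in
            cwd = m.group(1)
            continue
        # libtool echoes the real command with this prefix; the wrapper line
        # itself starts with /bin/bash and is skipped, so nothing is counted twice.
        cmd = line.removeprefix("libtool: compile:")
        try:
            tokens = shlex.split(cmd)
        except ValueError:         # unbalanced quotes in a log line
            tokens = cmd.split()
        if not tokens or tokens[0].rsplit("/", 1)[-1] not in COMPILERS:
            continue
        if "-c" not in tokens:     # link steps are not checked here
            continue
        # Prefix match so variants such as -fstack-protector-strong also count.
        missing = [f for f in REQUIRED if not any(t.startswith(f) for t in tokens)]
        if missing:
            src = next((t for t in tokens if t.endswith((".c", ".cc", ".cpp"))), "?")
            findings.append((cwd, src, missing))
    return findings

if __name__ == "__main__":
    for directory, src, missing in audit(SAMPLE_LOG):
        print(f"{directory}: {src}: missing {' '.join(missing)}")
```
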