Source: dovecot Severity: normal Version: 1:2.1.7-2 Tags: patch User: [email protected] Usertags: goal-hardening
Hi! It's great that dovecot is now built with a (limited) set of hardening build flags. However, we can easily do better! Please build dovecot with PIE and bindnow, as implemented by the attached patch. (FWIW, Ubuntu has been building dovecot with these options enabled since 9.04 inclusive, so what I'm suggesting is not supposed to be a risky experiment :) Thank you for maintaining dovecot in Debian.
>From 6ecc6969ac6a659b10de7dec36ba73d35662ad86 Mon Sep 17 00:00:00 2001
From: intrigeri <[email protected]>
Date: Mon, 25 Jun 2012 17:40:10 +0200
Subject: [PATCH] Build with PIE and bindnow.

Ubuntu has been doing this since 9.04.
---
 debian/rules | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/debian/rules b/debian/rules
index 15a26fb..b96adb1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,6 +5,8 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS="hardening=+all" dpkg-buildflags
+
 PIGEONHOLE_DIR=pigeonhole
 
 # These are used for cross-compiling and for saving the configure script
@@ -23,7 +25,7 @@ endif
 config-stamp: configure
 	dh_testdir
 	# Dovecot
-	$(shell dpkg-buildflags --export=configure) sh configure \
+	$(shell $(dpkg_buildflags) --export=configure) sh configure \
 		--with-ldap=plugin \
 		--with-ssl=openssl \
 		--with-sql=plugin \
@@ -49,7 +51,7 @@ config-stamp: configure
 	# Pigeonhole
 	(cd $(PIGEONHOLE_DIR)/ && \
 		touch stamp.h.in && \
-		$(shell dpkg-buildflags --export=configure) sh configure \
+		$(shell $(dpkg_buildflags) --export=configure) sh configure \
 		--with-dovecot=../ \
 		--prefix=/usr \
 		--sysconfdir=/etc \
@@ -66,7 +68,7 @@ build-stamp: config-stamp
 	# Pigeonhole
 	$(MAKE) -C $(PIGEONHOLE_DIR)
 	# DRAC
-	$(MAKE) -C src/plugins/drac $(shell dpkg-buildflags --export=configure)
+	$(MAKE) -C src/plugins/drac $(shell $(dpkg_buildflags) --export=configure)
 	touch build-stamp
 
 clean:
-- 
1.7.10
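Review bot: The new `dpkg_buildflags` variable added in the first hunk carries no comment saying why `hardening=+all` is requested, and the convention documented for dpkg-buildflags is to export `DEB_BUILD_MAINT_OPTIONS` from debian/rules rather than to prefix each invocation. A comment such as `# hardening=+all adds PIE and bindnow on top of the hardening flags dpkg enables by default` above the assignment would record the intent for the next maintainer. Writing it as `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` and calling plain `dpkg-buildflags` would also reach any flag consumer in this file that this patch does not wrap, though that is a style preference rather than a defect. The recursive `=` is fine here because the value is only ever expanded inside `$(shell ...)`.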
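Review bot: With `hardening=+all`, the `--export=configure` output in the second hunk now carries the PIE flags that dpkg-buildflags implements (`-fPIE` in CFLAGS and `-fPIE -pie` in LDFLAGS), while this `config-stamp` recipe configures dovecot with `--with-ldap=plugin` and `--with-sql=plugin`, i.e. shared objects; the same applies to the Pigeonhole configure in the third hunk and to the DRAC plugin built via `$(MAKE) -C src/plugins/drac` in the fourth. Libtool-driven builds normally substitute -fPIC and drop -pie when linking with -shared, but the DRAC plugin's Makefile is not visible here, so it is worth confirming that each resulting plugin .so still loads instead of failing with a relocation error. A post-build check such as running `hardening-check` on the installed dovecot binaries would confirm that PIE and bindnow actually took effect, since `--export=configure` only passes the flags through and configure may silently ignore some of them. The `config-stamp` rule continues past the second and third hunks, and `build-stamp` in the fourth hunk starts before it.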

