Source: dovecot
Severity: normal
Version: 1:2.1.7-2
Tags: patch
User: [email protected]
Usertags: goal-hardening

Hi!

It's great that dovecot is now built with a (limited) set of hardening
build flags. However, we can easily do better!

Please build dovecot with PIE and bindnow,
as implemented by the attached patch.

(FWIW, Ubuntu has been building dovecot with these options enabled
since 9.04 included, so what I'm suggesting is not supposed to be
a risky experiment :)

Thank you for maintaining dovecot in Debian.

From 6ecc6969ac6a659b10de7dec36ba73d35662ad86 Mon Sep 17 00:00:00 2001
From: intrigeri <[email protected]>
Date: Mon, 25 Jun 2012 17:40:10 +0200
Subject: [PATCH] Build with PIE and bindnow.

Ubuntu has been doing this since 9.04.
---
 debian/rules |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/debian/rules b/debian/rules
index 15a26fb..b96adb1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,6 +5,8 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS="hardening=+all" dpkg-buildflags
+
 PIGEONHOLE_DIR=pigeonhole
 
 # These are used for cross-compiling and for saving the configure script
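Review bot: the new `dpkg_buildflags` variable carries no comment explaining why `DEB_BUILD_MAINT_OPTIONS="hardening=+all"` is prepended, so a future maintainer has no hint that it is what turns on PIE and bindnow beyond the default flag set; add a one-line comment above it (e.g. `# Enable all hardening flags (adds PIE and bindnow to the defaults)`). Also consider the usual debian/rules idiom `export DEB_BUILD_MAINT_OPTIONS = hardening=+all`, which dpkg-buildflags picks up from the environment and which would leave the three existing `dpkg-buildflags` call sites untouched.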
@@ -23,7 +25,7 @@ endif
 config-stamp: configure
 	dh_testdir
 	# Dovecot
-	$(shell dpkg-buildflags --export=configure) sh configure \
+	$(shell $(dpkg_buildflags) --export=configure) sh configure \
 	            --with-ldap=plugin \
 	            --with-ssl=openssl \
 	            --with-sql=plugin \
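Review bot: with `hardening=+all` the exported CFLAGS/LDFLAGS now carry `-fPIE`/`-pie`, and this configure line also governs dovecot's plugins (`--with-ldap=plugin`, `--with-sql=plugin`), which are built as shared objects; `-fPIE` code and a `-pie` link are only valid for the main executables, so verify after the build that the plugin `.so` files are still built position-independent for shared use (PIC) rather than PIE, and that nothing fails to load with the hardened flags.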
@@ -49,7 +51,7 @@ config-stamp: configure
 	# Pigeonhole
 	(cd $(PIGEONHOLE_DIR)/ && \
 	    touch stamp.h.in && \
-	    $(shell dpkg-buildflags --export=configure) sh configure \
+	    $(shell $(dpkg_buildflags) --export=configure) sh configure \
 	    --with-dovecot=../ \
 		--prefix=/usr \
 		--sysconfdir=/etc \
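Review bot: `$(shell $(dpkg_buildflags) --export=configure)` is now repeated verbatim for the Pigeonhole configure, duplicating the expression from the Dovecot configure above; factor it into a single variable next to `dpkg_buildflags` (e.g. `configure_env = $(shell $(dpkg_buildflags) --export=configure)`) so that the two configure runs cannot drift apart.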
@@ -66,7 +68,7 @@ build-stamp:  config-stamp
 	# Pigeonhole
 	$(MAKE) -C $(PIGEONHOLE_DIR)
 	# DRAC
-	$(MAKE) -C src/plugins/drac $(shell dpkg-buildflags --export=configure)
+	$(MAKE) -C src/plugins/drac $(shell $(dpkg_buildflags) --export=configure)
 	touch build-stamp
 
 clean:
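Review bot: the DRAC plugin is built by invoking `$(MAKE)` directly with the `--export=configure` output on the make command line rather than through a configure script, so the `CFLAGS="..." LDFLAGS="..."` assignments override whatever `src/plugins/drac`'s own makefile sets; that is the intent, but since this is a plugin shared object and the LDFLAGS now include `-pie`, check that the drac makefile's link step (if it uses `gcc -shared` directly rather than libtool) still produces a loadable plugin with these flags, and document that assumption in a comment on this line.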
-- 
1.7.10
