Package: seaview
Version: 1:4.4.0-1
Severity: normal
Tags: patch

Dear Maintainer,

The following CFLAGS hardening flags are missing because they are
ignored in the Makefile:

    CFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c  -O3 -D_FORTIFY_SOURCE=2 -Icsrc csrc/raa_acnuc.c
    CFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c  -O3 -D_FORTIFY_SOURCE=2 -Icsrc csrc/parser.c
    CFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c  -O3 -D_FORTIFY_SOURCE=2 -Icsrc csrc/md5.c
    CFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c  -O3 -D_FORTIFY_SOURCE=2 -Icsrc csrc/zsockr.c
    CFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c  -O3 -D_FORTIFY_SOURCE=2 -Icsrc csrc/misc_acnuc.c
    CFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c  -O3 -D_FORTIFY_SOURCE=2 -Icsrc csrc/dnapars.c
    CFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c  -O3 -D_FORTIFY_SOURCE=2 -Icsrc csrc/protpars.c
    CFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c  -O3 -D_FORTIFY_SOURCE=2 -Icsrc csrc/lwl.c
    CFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c  -O3 -D_FORTIFY_SOURCE=2 -Icsrc csrc/bionj.c
    CFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c  -O3 -D_FORTIFY_SOURCE=2 -Icsrc csrc/phyml_util.c

For more hardening information please have a look at [1], [2] and
[3].

The attached patch fixes the issue; if possible it should be sent
upstream.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything).

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
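The blhc check Simon points to, as an added example that is not part of this bug report, of seaview, or of blhc itself: a small POSIX shell stand-in that applies the same per-line test blhc applies to compiler invocations in a build log and reports which compile steps lack the hardening CFLAGS. The sample log, the function names and the required-flag list are assumptions made here (the flag list is copied from the blhc output quoted in the report).

```shell
#!/bin/sh
# Added example, not part of the bug report, of seaview or of blhc: a minimal
# stand-in for the CFLAGS check blhc performs on a build log. It reads compiler
# invocations from the log and reports every compile-only (-c) line that lacks
# one of the hardening flags dpkg-buildflags puts into CFLAGS. The flag list is
# the one blhc reported as missing in the report above.

REQUIRED_CFLAGS='-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'

# check_hardening_log LOG
# Prints one "CFLAGS missing (...): <command>" line per unhardened compile.
# Link steps and non-compiler lines are skipped; flags are matched as whole
# tokens so that, e.g., -Wformat does not satisfy -Werror=format-security.
check_hardening_log() {
    grep -E '^(gcc|cc|g\+\+|c\+\+)[[:space:]]' "$1" |
    while IFS= read -r line; do
        padded=" $line "
        case "$padded" in
            *" -c "*) ;;      # compile step: check it
            *) continue ;;    # link step or other: CFLAGS do not apply
        esac
        missing=''
        for flag in $REQUIRED_CFLAGS; do
            case "$padded" in
                *" $flag "*) ;;
                *) missing="$missing $flag" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf 'CFLAGS missing (%s): %s\n' "${missing# }" "$line"
        fi
    done
}

# count_unhardened LOG: number of findings, usable as a pass/fail gate.
count_unhardened() {
    check_hardening_log "$1" | wc -l | tr -d ' '
}

# Constructed sample log (assumption, not a real seaview build log): two
# hardened compiles, two unhardened ones in the style of the report above,
# and one link step that must be ignored.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
gcc -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Icsrc csrc/md5.c
gcc -c  -O3 -D_FORTIFY_SOURCE=2 -Icsrc csrc/raa_acnuc.c
g++ -c -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 seaview.cxx
gcc -c -g -O2 -Wformat -D_FORTIFY_SOURCE=2 -Icsrc csrc/parser.c
gcc -o seaview seaview.o md5.o raa_acnuc.o parser.o -lX11 -lm -lz -lpthread
EOF

check_hardening_log "$SAMPLE_LOG"
echo "unhardened compile lines: $(count_unhardened "$SAMPLE_LOG")"
```

Against a real build, run `check_hardening_log build.log` on the log captured from dpkg-buildpackage. The real blhc also checks CPPFLAGS (-D_FORTIFY_SOURCE) and LDFLAGS (-Wl,-z,relro) and understands compiler wrappers and libtool lines, none of which this stand-in attempts.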
Description: Use CFLAGS from environment for csrc/* (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-09-24

--- seaview-4.4.0.orig/Makefile
+++ seaview-4.4.0/Makefile
@@ -49,7 +49,7 @@ seaview : $(OBJECTS) $(COBJECTS)
          -lX11 -lm -lz -lpthread
 
 $(COBJECTS) : $(CSRC)/$*
-	$(CC) -c $(DEBUG) $(OPT) $(CPPFLAGS) -I$(CSRC) $(CSRC)/$*.c
+	$(CC) -c $(DEBUG) $(OPT) $(CFLAGS) $(CPPFLAGS) -I$(CSRC) $(CSRC)/$*.c
 
 
 .SUFFIXES:	.c .cxx .h .o
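Review bot: the new recipe line places $(CFLAGS) after $(OPT), so if the environment CFLAGS carries its own -O level, as the default dpkg-buildflags CFLAGS does, gcc honours the last -O option on the command line and the Makefile's $(OPT), seen as -O3 in the blhc output above, is silently overridden. If upstream's optimisation level is meant to win, reorder to `$(CC) -c $(DEBUG) $(CFLAGS) $(OPT) $(CPPFLAGS) -I$(CSRC) $(CSRC)/$*.c`; if the lower level from the build flags is the intended result, say so in the patch Description so the change in optimisation level is documented rather than accidental.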
