Package: lifeograph
Version: 0.9.0.dfsg-1
Severity: normal
Tags: patch

Dear Maintainer,
The following CXXFLAGS hardening flags are missing because they
are not set correctly in debian/rules and makefile.debian:
CXXFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security): g++ -c src/dialog_export.cpp -Wall `pkg-config
gtkmm-3.0 gtkspell-3.0 --cflags`-DHAVE_CONFIG_H -I./build/include
-D_FORTIFY_SOURCE=2 -fPIC -O2 -o build/o/dialog_export.o
CXXFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security): g++ -c src/dialog_password.cpp -Wall `pkg-config
gtkmm-3.0 gtkspell-3.0 --cflags`-DHAVE_CONFIG_H -I./build/include
-D_FORTIFY_SOURCE=2 -fPIC -O2 -o build/o/dialog_password.o
CXXFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security): g++ -c src/dialog_preferences.cpp -Wall `pkg-config
gtkmm-3.0 gtkspell-3.0 --cflags`-DHAVE_CONFIG_H -I./build/include
-D_FORTIFY_SOURCE=2 -fPIC -O2 -o build/o/dialog_preferences.o
[...]
For more hardening information please have a look at [1], [2] and
[3].
CPPFLAGS is not used for C++ flags, but for preprocessor flags
(cpp, e.g. -D_FORTIFY_SOURCE=2). C++ flags are passed in
CXXFLAGS.
The attached patches fix the issue. The first is a revised
version of use_environmental_build_flags.patch, the second fixes
debian/rules.
The first patch uses := ... $(CXXFLAGS) to overwrite the flags
from pkg-config which might not contain the correct flags; +=
would overwrite the flags in CXXFLAGS. := is necessary because
CXXFLAGS is used in its definition.
The second patch also removes some unnecessary settings.
buildflags.mk already sets all the *FLAGS variables by calling
dpkg-buildflags, therefore it's not necessary to call
dpkg-buildflags again. dpkg-buildflags automatically adds -g and
takes care of -O2 (and respects noopt). The patch also appends
CPPFLAGS to CXXFLAGS because the build system doesn't use
CPPFLAGS. -fPIC is not necessary because hardening=+all already
passes -fPIE (the equivalent for binaries).
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):
$ hardening-check /usr/bin/lifeograph
/usr/bin/lifeograph:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
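The blhc-style check the report relies on, as an added example written for this page (it is not the reporter's code and not blhc itself): a POSIX shell script that scans build-log lines for the CXXFLAGS and CPPFLAGS groups quoted above and reports the missing ones in the same "CXXFLAGS missing (...)" form. The sample log lines, the two flag lists and the function names `missing_flags` and `scan_log` are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the bug report, and not blhc itself):
# a minimal blhc-style scan that checks every compiler invocation in a
# build log for the hardening flags the report lists, and reports the
# missing ones in the same "CXXFLAGS missing (...)" form.

# Flags dpkg-buildflags emits with hardening=+all on this toolchain, as
# quoted in the report. PIE, RELRO and BIND_NOW are link-time properties
# and are left to hardening-check on the resulting binary.
REQUIRED_CXXFLAGS='-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
REQUIRED_CPPFLAGS='-D_FORTIFY_SOURCE=2'

# Constructed sample log, modelled on the report's output: the first
# compile line lacks the CXXFLAGS group, the second is fully hardened,
# the third (a C file) lacks both groups, and the rest are not compiles.
SAMPLE_LOG='make[1]: Entering directory /build/lifeograph-0.9.0.dfsg
g++ -c src/dialog_export.cpp -Wall -DHAVE_CONFIG_H -I./build/include -D_FORTIFY_SOURCE=2 -fPIC -O2 -o build/o/dialog_export.o
g++ -c src/dialog_password.cpp -Wall -g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -D_FORTIFY_SOURCE=2 -fPIE -O2 -o build/o/dialog_password.o
gcc -c src/helper.c -Wall -O2 -o build/o/helper.o
g++ -s -Wl,-z,relro -Wl,-z,now -o build/bin/lifeograph build/o/dialog_export.o build/o/dialog_password.o'

# missing_flags LINE FLAGS: print the words of FLAGS that do not occur
# as whole arguments in LINE (space-separated, empty when none missing).
missing_flags() {
    missing=''
    for flag in $2; do
        case " $1 " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# scan_log: read a build log on stdin; for every compile step (gcc/g++
# with -c) report each flag group that is incomplete, then print a
# one-line summary with the number of offending compile steps.
scan_log() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            'gcc -c '*|'g++ -c '*) ;;
            *) continue ;;
        esac
        cxx=$(missing_flags "$line" "$REQUIRED_CXXFLAGS")
        cpp=$(missing_flags "$line" "$REQUIRED_CPPFLAGS")
        [ -n "$cxx" ] && printf 'CXXFLAGS missing (%s): %s\n' "$cxx" "$line"
        [ -n "$cpp" ] && printf 'CPPFLAGS missing (%s): %s\n' "$cpp" "$line"
        if [ -n "$cxx$cpp" ]; then
            bad=$((bad + 1))
        fi
    done
    printf 'summary: %d compile step(s) missing hardening flags\n' "$bad"
}

# Run the scan over the constructed log.
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

Run it as `sh check-flags.sh`, or pipe a real log into `scan_log`. Only compile steps are inspected; the link line at the end of the sample is skipped on purpose, which is why the report pairs the log check with `hardening-check` on the installed binary for PIE, RELRO and immediate binding.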
Description: use CPPFLAGS and LDFLAGS from environment Use normal build flags from environment, not only upstream similarly named ones. Author: Laszlo Boszormenyi (GCS) <[email protected]> Last-Update: 2012-09-24 --- Index: lifeograph-0.9.0.dfsg/makefile.debian =================================================================== --- lifeograph-0.9.0.dfsg.orig/makefile.debian 2012-07-08 08:33:22.000000000 +0200 +++ lifeograph-0.9.0.dfsg/makefile.debian 2012-09-24 16:00:49.796847080 +0200 @@ -55,11 +55,12 @@ BUIBINDIR = $(BUIDIR)/bin BIN = $(BUIBINDIR)/$(PACKAGE) -LINKFLAGS = -s +LINKFLAGS = -s $(LDFLAGS) LIBS = `pkg-config gtkmm-3.0 gtkspell-3.0 --cflags --libs` -lgcrypt -lgpg-error -CXXFLAGS = -Wall `pkg-config gtkmm-3.0 gtkspell-3.0 --cflags`-DHAVE_CONFIG_H -I./build/include +CXXFLAGS := -Wall `pkg-config gtkmm-3.0 gtkspell-3.0 --cflags`-DHAVE_CONFIG_H -I./build/include $(CXXFLAGS) ICONS = icons -OPTFLAGS = -O2 +# Debian passes -O* flags in CXXFLAGS, necessary for noopt. +OPTFLAGS = PREFIX ?= /usr BINDIR = $(PREFIX)/bin
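Review bot: the patch header still says "use CPPFLAGS and LDFLAGS from environment", but the hunk now folds `$(CXXFLAGS)` into the makefile's CXXFLAGS and never reads CPPFLAGS at all (the cover letter has debian/rules append CPPFLAGS to CXXFLAGS to compensate), so update the Description to say CXXFLAGS and LDFLAGS. A second point on `+LINKFLAGS = -s $(LDFLAGS)`: keeping `-s` strips the binary at link time, so the `-g` that dpkg-buildflags adds produces nothing for dh_strip to keep; consider dropping `-s` and leaving stripping to dh_strip.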
diff -Nru lifeograph-0.9.0.dfsg/debian/rules lifeograph-0.9.0.dfsg/debian/rules --- lifeograph-0.9.0.dfsg/debian/rules 2012-07-14 20:03:33.000000000 +0200 +++ lifeograph-0.9.0.dfsg/debian/rules 2012-09-24 16:09:45.000000000 +0200 @@ -11,20 +11,12 @@ DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk -CFLAGS ?= $(shell dpkg-buildflags --get CFLAGS) -CPPFLAGS ?= $(shell dpkg-buildflags --get CPPFLAGS) -LDFLAGS ?= $(shell dpkg-buildflags --get LDFLAGS) -CFLAGS += $(HARDENING_CFLAGS) -CPPFLAGS += $(HARDENING_CFLAGS) -fPIC -LDFLAGS += $(HARDENING_LDFLAGS) +CXXFLAGS += -Wall +# The build system doesn't respect CPPFLAGS, pass them in CXXFLAGS instead. +CXXFLAGS += $(CPPFLAGS) package = lifeograph CC = gcc -CFLAGS += -g -Wall - -ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O2 -endif clean:
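Review bot: `+CXXFLAGS += -Wall` duplicates the `-Wall` that makefile.debian already places in CXXFLAGS (see the first patch), so every compile now carries `-Wall` twice; harmless, but drop one of them. The removal of the `ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))` block is only correct because buildflags.mk is included above and honours noopt itself; a one-line comment next to the include saying so would stop the next reader from reading the deletion as a regression.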