Package: libpam-krb5
Version: 4.5-2
Severity: important
Hi Russ,
writing my previous mail wrt pkg-perl reminded me of one of my review
TODO items of hardening changes spotted on debian-devel-changes :-)
libpam-krb5 (4.5-1) contains the following entry:
* Enable compiler hardening flags.
Out of the three hardening features from the Wheezy default set
(protected stack, fortified source and relro) only the protected
stack is enabled:
root@pisco:~# hardening-check /lib/x86_64-linux-gnu/security/pam_krb5.so
/lib/x86_64-linux-gnu/security/pam_krb5.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, no protected functions found!
Read-only relocations: no, not found!
The reason is that you're overwriting CPPFLAGS (which would otherwise
be "-D_FORTIFY_SOURCE=2", resulting in fortified functions) and LDFLAGS
(which would be "-Wl,-z,relro", resulting in read-only relocs):
mkdir build-mit build-heimdal
CPPFLAGS=-I/usr/include/mit-krb5 \
LDFLAGS=-L/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5 \
dh_auto_configure -Bbuild-mit -- --enable-reduced-depends \
--libdir=/lib/$(DEB_HOST_MULTIARCH)
I'm attaching a patch (compile-tested only, I don't have a Kerberos
setup handy).
Cheers,
Moritz
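To make the check above repeatable over more than one library, here is a small parser for hardening-check output that reports which of the three Wheezy default-set features (stack protector, fortified source, RELRO) are off. This is an added example for this report, not code from libpam-krb5 or from hardening-check; it assumes only the output format quoted above (a "path:" header followed by "Feature: yes|no[, reason]" lines, with "(ignored)" marking checks that do not apply to the file type), and the sample output embedded below is the report's own output, re-typed as a constructed string.

```python
"""Parse hardening-check output and list the Wheezy default-set features
(stack protector, fortified source, RELRO) that a binary is missing.

Added example for this bug report; not part of libpam-krb5 or of
hardening-check.  Assumes only the output format quoted in the report.
"""
import re

# hardening-check's labels for the three features the report calls the
# Wheezy default set.
WHEEZY_DEFAULT_SET = (
    "Stack protected",
    "Fortify Source functions",
    "Read-only relocations",
)

# Constructed sample: the hardening-check output quoted in the report.
SAMPLE_OUTPUT = """\
/lib/x86_64-linux-gnu/security/pam_krb5.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: no, not found!
"""

# "path:" header line (no leading whitespace, nothing after the colon).
_HEADER = re.compile(r"^(\S.*):\s*$")
# "Feature: yes|no, optional reason" check line; leading indent optional,
# so the format survives the stripped indentation seen in mail quotes.
_CHECK = re.compile(r"^\s*([^:]+):\s*(yes|no)\b(.*)$")


def parse_hardening_check(text):
    """Return {path: {feature: (enabled, ignored)}} for each binary in text."""
    results = {}
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            results[current] = {}
            continue
        m = _CHECK.match(line)
        if m and current is not None:
            feature, verdict, rest = m.group(1).strip(), m.group(2), m.group(3)
            results[current][feature] = (verdict == "yes", "ignored" in rest)
    return results


def missing_features(text, required=WHEEZY_DEFAULT_SET):
    """Return {path: [feature, ...]} with the required features that are
    off and not marked ignored; a feature line that is absent counts as
    missing too, so a truncated report never passes silently."""
    missing = {}
    for path, checks in parse_hardening_check(text).items():
        gaps = []
        for feature in required:
            enabled, ignored = checks.get(feature, (False, False))
            if not enabled and not ignored:
                gaps.append(feature)
        missing[path] = gaps
    return missing


if __name__ == "__main__":
    # Typical use: hardening-check /lib/*/security/*.so | python3 this.py
    for path, gaps in missing_features(SAMPLE_OUTPUT).items():
        status = "OK" if not gaps else "missing: " + ", ".join(gaps)
        print(f"{path}: {status}")
```

Feeding several hardening-check invocations into one string works as well, since each "path:" header starts a new record; for the sample above the result names exactly the two features the report complains about.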
Nur in libpam-krb5-4.5: build-heimdal.
Nur in libpam-krb5-4.5: build-mit.
diff -aur libpam-krb5-4.5.orig/debian/rules libpam-krb5-4.5/debian/rules
--- libpam-krb5-4.5.orig/debian/rules 2011-12-27 01:36:41.000000000 +0100
+++ libpam-krb5-4.5/debian/rules 2012-01-02 20:56:37.000000000 +0100
@@ -13,13 +13,13 @@
override_dh_auto_configure:
mkdir build-mit build-heimdal
- CPPFLAGS=-I/usr/include/mit-krb5 \
- LDFLAGS=-L/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5 \
- dh_auto_configure -Bbuild-mit -- --enable-reduced-depends \
+ DEB_CPPFLAGS_MAINT_APPEND=-I/usr/include/mit-krb5
+ DEB_LDFLAGS_MAINT_APPEND=-L/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5
+ dh_auto_configure -Bbuild-mit -- --enable-reduced-depends \
--libdir=/lib/$(DEB_HOST_MULTIARCH)
- CPPFLAGS=-I/usr/include/heimdal \
- LDFLAGS=-L/usr/lib/$(DEB_HOST_MULTIARCH)/heimdal \
- dh_auto_configure -Bbuild-heimdal -- --enable-reduced-depends \
+ DEB_CPPFLAGS_MAINT_APPEND=-I/usr/include/heimdal
+ DEB_LDFLAGS_MAINT_APPEND=-L/usr/lib/$(DEB_HOST_MULTIARCH)/heimdal
+ dh_auto_configure -Bbuild-heimdal -- --enable-reduced-depends \
--libdir=/lib/$(DEB_HOST_MULTIARCH)
override_dh_auto_build:
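Review bot: the added lines drop the trailing ` \` continuation that the removed lines had, so `DEB_CPPFLAGS_MAINT_APPEND=-I/usr/include/mit-krb5`, `DEB_LDFLAGS_MAINT_APPEND=...` and `dh_auto_configure -Bbuild-mit ...` become three separate recipe lines, each run by make in its own shell; the two assignments never reach the dh_auto_configure process, so dpkg-buildflags will not see them and the fortify and relro flags stay missing. The same applies to the heimdal block further down in the hunk. Keep the assignments on the same logical line as the command, as the original did with CPPFLAGS/LDFLAGS (`DEB_CPPFLAGS_MAINT_APPEND=-I/usr/include/mit-krb5 \` / `DEB_LDFLAGS_MAINT_APPEND=-L/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5 \` / `dh_auto_configure -Bbuild-mit -- ...`); exporting them as make variables is not an option here because the two builds in this target need different include and library paths. After the fix, the `Fortify Source functions` and `Read-only relocations` lines of hardening-check should both read `yes` for pam_krb5.so, which is worth stating in the changelog entry since 4.5-1 already claims the hardening flags are enabled.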
Nur in libpam-krb5-4.5/debian: rules~.