Package: libpam-krb5
Version: 4.5-2
Severity: important

Hi Russ,
writing my previous mail wrt pkg-perl reminded me of one of my review
TODO items of hardening changes spotted on debian-devel-changes :-)

libpam-krb5 (4.5-1) contains the following entry:
    * Enable compiler hardening flags.

Out of the three hardening features from the Wheezy default set
(protected stack, fortified source and relro) only the protected
stack is enabled:

root@pisco:~# hardening-check /lib/x86_64-linux-gnu/security/pam_krb5.so
/lib/x86_64-linux-gnu/security/pam_krb5.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: no, not found!

The reason is that you're overwriting CPPFLAGS (which would otherwise
be "-D_FORTIFY_SOURCE=2", resulting in fortified functions) and LDFLAGS
(which would be "-Wl,-z,relro", resulting in read-only relocs):

        mkdir build-mit build-heimdal
        CPPFLAGS=-I/usr/include/mit-krb5 \
            LDFLAGS=-L/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5 \
            dh_auto_configure -Bbuild-mit -- --enable-reduced-depends \
                --libdir=/lib/$(DEB_HOST_MULTIARCH)
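The shape of a recipe that keeps the dpkg-buildflags hardening flags while still pointing configure at the MIT and Heimdal trees, as an added example (not part of the bug report or of Russ's debian/rules). It assumes dpkg-dev 1.16.1 or later, which introduced the DEB_*_MAINT_APPEND variables, and debhelper compat 9, where dh_auto_configure reads its flags through dpkg-buildflags; the build directory names and configure options are the ones quoted above.

```make
#!/usr/bin/make -f
# Added example, not the package's own rules file.
#
# Problem shown above: setting CPPFLAGS/LDFLAGS in the environment of
# dh_auto_configure replaces the flags dpkg-buildflags would supply, so
# -D_FORTIFY_SOURCE=2 and -Wl,-z,relro are lost.
#
# Fix: ask dpkg-buildflags to append the Kerberos paths instead.  Because
# the MIT and Heimdal builds need different paths, the variables are set
# as an environment prefix of each dh_auto_configure command rather than
# exported from the makefile.  Each prefix+command must stay one shell
# line (note the backslash continuations): make runs every recipe line in
# its own shell, so an assignment on a separate line is never seen by the
# command that follows it.

%:
	dh $@

override_dh_auto_configure:
	mkdir build-mit build-heimdal
	DEB_CPPFLAGS_MAINT_APPEND=-I/usr/include/mit-krb5 \
	DEB_LDFLAGS_MAINT_APPEND=-L/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5 \
	    dh_auto_configure -Bbuild-mit -- --enable-reduced-depends \
	        --libdir=/lib/$(DEB_HOST_MULTIARCH)
	DEB_CPPFLAGS_MAINT_APPEND=-I/usr/include/heimdal \
	DEB_LDFLAGS_MAINT_APPEND=-L/usr/lib/$(DEB_HOST_MULTIARCH)/heimdal \
	    dh_auto_configure -Bbuild-heimdal -- --enable-reduced-depends \
	        --libdir=/lib/$(DEB_HOST_MULTIARCH)

# Equivalent explicit form, usable with older debhelper compat levels:
# compose the full flag set yourself from dpkg-buildflags --get, so the
# hardening flags are kept and the Kerberos path is appended.
#
#	CPPFLAGS="$$(dpkg-buildflags --get CPPFLAGS) -I/usr/include/mit-krb5" \
#	LDFLAGS="$$(dpkg-buildflags --get LDFLAGS) -L/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5" \
#	    dh_auto_configure -Bbuild-mit -- ...
```

After rebuilding, hardening-check on pam_krb5.so should report fortified functions and read-only relocations in addition to the stack protector; if it still reports "no protected functions found", check that CPPFLAGS reaches the compiler as a single variable rather than being re-assigned later in configure.ac or Makefile.in.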

I'm attaching a patch (compile-tested only, I don't have a Kerberos
setup handy).

Cheers,
        Moritz
Nur in libpam-krb5-4.5: build-heimdal.
Nur in libpam-krb5-4.5: build-mit.
diff -aur libpam-krb5-4.5.orig/debian/rules libpam-krb5-4.5/debian/rules
--- libpam-krb5-4.5.orig/debian/rules	2011-12-27 01:36:41.000000000 +0100
+++ libpam-krb5-4.5/debian/rules	2012-01-02 20:56:37.000000000 +0100
@@ -13,13 +13,13 @@
 
 override_dh_auto_configure:
 	mkdir build-mit build-heimdal
-	CPPFLAGS=-I/usr/include/mit-krb5 \
-	    LDFLAGS=-L/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5 \
-	    dh_auto_configure -Bbuild-mit -- --enable-reduced-depends \
+	DEB_CPPFLAGS_MAINT_APPEND=-I/usr/include/mit-krb5
+	DEB_LDFLAGS_MAINT_APPEND=-L/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5
+	dh_auto_configure -Bbuild-mit -- --enable-reduced-depends \
 		--libdir=/lib/$(DEB_HOST_MULTIARCH)
-	CPPFLAGS=-I/usr/include/heimdal \
-	    LDFLAGS=-L/usr/lib/$(DEB_HOST_MULTIARCH)/heimdal \
-	    dh_auto_configure -Bbuild-heimdal -- --enable-reduced-depends \
+	DEB_CPPFLAGS_MAINT_APPEND=-I/usr/include/heimdal
+	DEB_LDFLAGS_MAINT_APPEND=-L/usr/lib/$(DEB_HOST_MULTIARCH)/heimdal
+	dh_auto_configure -Bbuild-heimdal -- --enable-reduced-depends \
 		--libdir=/lib/$(DEB_HOST_MULTIARCH)
 
 override_dh_auto_build:
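Review bot: the DEB_CPPFLAGS_MAINT_APPEND and DEB_LDFLAGS_MAINT_APPEND assignments in both builds are written as stand-alone recipe lines (the backslash continuations of the original were dropped), so make executes each in a separate shell and the following dh_auto_configure never sees them; the hardening flags come back, but the MIT and Heimdal include and library paths are silently lost, which a compile-only test will not necessarily reveal. Keep the environment-prefix form of the original, with the new variable names, e.g. `DEB_CPPFLAGS_MAINT_APPEND=-I/usr/include/mit-krb5 \` / `DEB_LDFLAGS_MAINT_APPEND=-L/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5 \` / `dh_auto_configure -Bbuild-mit -- --enable-reduced-depends \`, and likewise for the Heimdal build; dpkg-buildflags reads these variables from the command's environment and appends them to the default flags rather than replacing them. The editor backup file `rules~` listed after the hunk should also be left out of the attachment.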
Nur in libpam-krb5-4.5/debian: rules~.