Source: firebird2.5
Severity: important
Hi,
I'm currently checking all packages, which had a DSA in the last
year to enable hardened build flags. firebird2.5 has already been
updated to use dpkg-buildflags, but I noticed that not all flags
are fully in effect. You can use the hardening-check scripts from
the package hardening includes:
Out of the three hardening features from the Wheezy default set
(protected stack, fortified source and relro) not all are fully
applied, e.g.
root@pisco:~# hardening-check /usr/sbin/fb_inet_server
/usr/sbin/fb_inet_server:
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
root@pisco:~# hardening-check /usr/bin/fbsvcmgr
/usr/bin/fbsvcmgr:
Stack protected: yes
Fortify Source functions: no, no protected functions found!
Read-only relocations: yes
root@pisco:~# hardening-check /usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2
/usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2:
Stack protected: yes
Fortify Source functions: no, no protected functions found!
Read-only relocations: yes
The reason is likely that some parts of Firebird build system hardcode
specific flags, which nullify the hardened build flags?
Cheers,
Moritz
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
