Source: libmikmod
Severity: important
Tags: patch
Please enable hardened build flags through dpkg-buildflags.
I'm attaching a patch, which passes "dpkg-buildflags
--export=configure" to the build system.
However, this patch is incomplete. If I build libmikmod with
these flags, the default flags are not fully passed to the build:
The default flags should enable a protected stack, fortified
source and read-only relocs, but fortified source and relro
are missing:
jmm@pisco:~/scratch$ hardening-check /usr/lib/x86_64-linux-gnu/libmikmod.so.2.0.4
/usr/lib/x86_64-linux-gnu/libmikmod.so.2.0.4:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, no protected functions found!
Read-only relocations: no, not found!
Immediate binding: no not found!
jmm@pisco:~/scratch$
This probably means that CPPFLAGS and LDFLAGS are not properly
propagated to the build. I did some brief research, but found no
obvious reason as to why.
Cheers,
Moritz
diff -aur libmikmod-3.1.12.harden/debian/rules libmikmod-3.1.12/debian/rules
--- libmikmod-3.1.12.harden/debian/rules 2011-12-06 10:41:29.000000000 +0100
+++ libmikmod-3.1.12/debian/rules 2012-01-21 18:07:06.000000000 +0100
@@ -6,7 +6,7 @@
dh_auto_configure -- \
--enable-threads \
--disable-alsa \
- --disable-esd
+ --disable-esd $(shell dpkg-buildflags --export=configure)
override_dh_installinfo:
dh_installinfo docs/mikmod.info*
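Review bot: On the changed --disable-esd line the flags reach the build only as arguments to configure, and the report above shows the resulting library still without fortified source and read-only relocations, so this hunk should not be treated as the complete fix. Before merging, confirm from the build log that the CPPFLAGS and LDFLAGS values printed by "dpkg-buildflags --export=configure" actually appear on the compile and link commands, and rerun hardening-check on the built library. Separately, the diff header has the .harden directory as the old side, which reads as reversed, and the trailing rules~ line points at an editor backup left in the tree.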
Nur in libmikmod-3.1.12/debian: rules~.
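
The four results in the hardening-check output above can be cross-checked from readelf output. The following is an added example, not part of the original report and not hardening-check's own code; the names check_hardening and readelf_dump and both sample texts are constructed for illustration, and the fortify test is a simplification (any imported __*_chk symbol counts).

```python
import re
import subprocess
import sys

# Constructed samples in the style of `readelf -lW -d --dyn-syms` output
# (abridged; values are illustrative, not taken from the report).
SAMPLE_UNHARDENED = """\
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x04a1c4 0x04a1c4 R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
 0x000000000000000e (SONAME)             Library soname: [libmikmod.so.2]
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
"""
SAMPLE_HARDENED = """\
  GNU_RELRO      0x049d88 0x0000000000249d88 0x0000000000249d88 0x000278 0x000278 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __strcpy_chk@GLIBC_2.3.4 (4)
"""

def check_hardening(readelf_text):
    """Classify readelf output by the four markers hardening-check reports."""
    # Undefined (imported) dynamic symbols, with any @VERSION suffix dropped.
    imports = set(re.findall(r"\bUND\s+(\w+)", readelf_text))
    return {
        # -fstack-protector makes protected functions call __stack_chk_fail.
        "stack_protected": "__stack_chk_fail" in imports,
        # -D_FORTIFY_SOURCE=2 rewrites calls to glibc's __*_chk variants.
        "fortify_source": any(re.fullmatch(r"__\w+_chk", s) for s in imports),
        # -Wl,-z,relro adds a PT_GNU_RELRO program header.
        "relro": re.search(r"^\s*GNU_RELRO\b", readelf_text, re.M) is not None,
        # -Wl,-z,now sets DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW.
        "bind_now": re.search(
            r"\(BIND_NOW\)|\(FLAGS\).*\bBIND_NOW\b|\(FLAGS_1\).*\bNOW\b",
            readelf_text) is not None,
    }

def readelf_dump(path):
    """Collect program headers, dynamic section and dynamic symbols."""
    return subprocess.run(["readelf", "-lW", "-d", "--dyn-syms", path],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    text = readelf_dump(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_UNHARDENED
    for name, present in check_hardening(text).items():
        print(f"{name}: {'yes' if present else 'no'}")
```

Run with a library path as the only argument to check a real build; without an argument it reports on the constructed unhardened sample.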