Package: anacron
Version: 2.3-15
Severity: important
Tags: patch
Dear Maintainer,
Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1] and
[2].
The attached patch bumps debian/compat to 9 to automatically
enable the hardening flags and enables all flags (including PIE
because anacron runs as root); you could also enable them without
changing compat (see [2]), but compat=9 is the preferred and
simplest solution. It also fixes a few "implicit declaration of
function" warnings which are necessary for fortify source (see
[2]). CFLAGS in Makefile append to CFLAGS so they don't overwrite
the hardening flags; -O2 is automatically set.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
    $ hardening-check /usr/sbin/anacron
    /usr/sbin/anacron:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages anacron depends on:
ii debianutils 4.2.1
ii libc6 2.13-26
ii lsb-base 3.2-28.1
Versions of packages anacron recommends:
ii cron 3.0pl1-121
ii rsyslog [system-log-daemon] 5.8.6-1
Versions of packages anacron suggests:
ii exim4-daemon-light [mail-transport-agent] 4.77-1+b1
ii powermgmt-base 1.31
-- no debconf information
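One way to turn the manual `hardening-check` step above into a build gate, as an added example that is not part of the original report or of the anacron package: it parses the tool's output and lists every binary where one of the five checks is missing or not "yes". The second report in the sample and the path `/usr/sbin/example-unhardened` are constructed.

```python
import re
# Constructed sample. The first report is the output quoted in the bug report;
# the second is a made-up report for a hypothetical unhardened binary.
SAMPLE = """\
/usr/sbin/anacron:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/sbin/example-unhardened:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!
"""
# The five checks listed in the report; anything other than "yes" fails,
# including "unknown" and a check line that is absent from the output.
REQUIRED = (
    "Position Independent Executable",
    "Stack protected",
    "Fortify Source functions",
    "Read-only relocations",
    "Immediate binding",
)
CHECK = re.compile(r"^\s*(?P<name>[^:]+):\s+(?P<status>yes|no|unknown)\b")

def parse(text):
    """Return {binary path: {check name: status}} from hardening-check output."""
    reports, current = {}, None
    for line in text.splitlines():
        m = CHECK.match(line)
        if m and current is not None:
            current[m["name"]] = m["status"]
        elif line.rstrip().endswith(":"):   # "<path>:" starts a new report
            current = reports.setdefault(line.strip()[:-1], {})
    return reports

def failures(reports, required=REQUIRED):
    """Return {path: [checks missing or not 'yes']}, in REQUIRED order."""
    bad = {}
    for path, checks in reports.items():
        failed = [name for name in required if checks.get(name) != "yes"]
        if failed:
            bad[path] = failed
    return bad

if __name__ == "__main__":
    for path, failed in failures(parse(SAMPLE)).items():
        print(f"{path}: FAIL ({', '.join(failed)})")
```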
diff -u anacron-2.3/log.c anacron-2.3/log.c
--- anacron-2.3/log.c
+++ anacron-2.3/log.c
@@ -43,6 +43,7 @@
#include <signal.h>
#include <sys/types.h>
#include <string.h>
+#include <stdlib.h> /* for exit() */
#include "global.h"
static char truncated[] = " (truncated)";
diff -u anacron-2.3/main.c anacron-2.3/main.c
--- anacron-2.3/main.c
+++ anacron-2.3/main.c
@@ -31,6 +31,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <string.h>
+#include <stdlib.h> /* for exit() */
#include "global.h"
#include "gregor.h"
diff -u anacron-2.3/debian/rules anacron-2.3/debian/rules
--- anacron-2.3/debian/rules
+++ anacron-2.3/debian/rules
@@ -1,5 +1,7 @@
#!/usr/bin/make -f
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
%:
dh $@
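Review bot: the new DEB_BUILD_MAINT_OPTIONS line at the top of debian/rules has no comment saying why hardening=+all is used instead of the default set. Since +all adds PIE and bindnow on top of the defaults, a one-line comment above the export (for example, that anacron runs as root) would keep a later maintainer from trimming it back.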
diff -u anacron-2.3/debian/compat anacron-2.3/debian/compat
--- anacron-2.3/debian/compat
+++ anacron-2.3/debian/compat
@@ -1 +1 @@
-7
+9
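Review bot: the jump from 7 to 9 in debian/compat skips a level and changes debhelper behaviour beyond exporting the build flags, and nothing else in the patch accounts for that. Please rebuild and compare the resulting package against 2.3-15 (file list and maintainer scripts) before uploading, or keep the compat level and enable the flags without changing it, as the report itself mentions is possible.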
diff -u anacron-2.3/debian/control anacron-2.3/debian/control
--- anacron-2.3/debian/control
+++ anacron-2.3/debian/control
@@ -1,7 +1,7 @@
Source: anacron
Section: admin
Priority: optional
-Build-Depends: debhelper (>= 7.0.50~)
+Build-Depends: debhelper (>= 9)
Maintainer: Peter Eisentraut <[email protected]>
Uploaders: Antonio Radici <[email protected]>
Standards-Version: 3.9.2
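Review bot: in Build-Depends, `debhelper (>= 9)` drops the trailing tilde that the old `(>= 7.0.50~)` constraint had; `debhelper (>= 9~)` would keep backported debhelper versions acceptable. The patch also carries no debian/changelog entry for the compat bump and the flag change, which should go in with it.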
--- anacron-2.3.orig/matchrx.c
+++ anacron-2.3/matchrx.c
@@ -26,6 +26,7 @@
#include <regex.h>
#include <stdarg.h>
#include <stdlib.h>
+#include <string.h> /* for memset() */
#include "matchrx.h"
int
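Review bot: nothing in the build stops the missing-prototype problem fixed by the `#include <string.h>` line in matchrx.c from coming back. Consider adding -Werror=implicit-function-declaration to CFLAGS in the Makefile so that a call such as memset() without its header fails the build instead of silently bypassing the fortified wrapper.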
--- anacron-2.3.orig/Makefile
+++ anacron-2.3/Makefile
@@ -22,7 +22,7 @@
PREFIX =
BINDIR = $(PREFIX)/usr/sbin
MANDIR = $(PREFIX)/usr/man
-CFLAGS = -Wall -pedantic -O2
+CFLAGS += -Wall -pedantic
#CFLAGS = -Wall -O2 -g -DDEBUG
# If you change these, please update the man-pages too
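Review bot: replacing `CFLAGS = -Wall -pedantic -O2` with `CFLAGS += -Wall -pedantic` leaves a plain `make` outside the Debian build with no optimisation level, and _FORTIFY_SOURCE only takes effect when optimisation is on. A default such as `CFLAGS ?= -O2` placed before the `+=` line keeps the old behaviour while still honouring flags from the environment. The commented-out debug line just below still uses `CFLAGS =`, so enabling it would overwrite the hardening flags; it should become `+=` as well.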