Package: wmshutdown
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are not used because the Makefile ignores
them.

The attached bug fixes this and also updates debian/rules to not
use buildflags.mk which is unnecessary when debian/compat=9 is
used. -Wall is also set by default. And there's no need to export
CFLAGS and LDFLAGS (and if you had to, you also have to export
CPPFLAGS which sets additional hardening flags; but in your case
everything works fine without any exports).

For more information please have a look at [1], [2] and [3].

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

    $ hardening-check /usr/bin/wmshutdown-run /usr/bin/wmshutdown
    /usr/bin/wmshutdown-run:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/wmshutdown:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: yes
     Immediate binding: no not found!

(The "stack protected" and "fortify source" warnings are fine in
this case, as these binaries don't use them.)

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
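
An added example, not part of the original report or of the wmshutdown package: a small Python check for the failure the report describes, a Makefile that drops the CFLAGS, CPPFLAGS and LDFLAGS handed to it through the environment. The `audit_makefile` helper is hypothetical, and the two Makefile fragments are reconstructed from the patch lines on this page.

```python
import re

FLAG_VARS = ("CFLAGS", "CPPFLAGS", "LDFLAGS")  # supplied through the environment by dh

def audit_makefile(text):
    """Return (line_number, problem) pairs for spots where the build flags get lost."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        # '=' and ':=' replace a value inherited from the environment; '+=' and '?=' keep it.
        assign = re.match(r" *(%s) *(:?=)" % "|".join(FLAG_VARS), line)
        if assign:
            findings.append((no, "%s %s overwrites the environment value" % assign.groups()))
            continue
        # Only recipe lines (tab-indented) that call the compiler driver are of interest.
        if not line.startswith("\t") or not re.search(r"\$[({]CC[)}]", line):
            continue
        used = set(re.findall(r"\$[({](\w+)[)}]", line))
        needed = []
        if re.search(r"\.c(\s|$)", line):           # a C source is compiled
            needed += ["CFLAGS", "CPPFLAGS"]
        if not re.search(r"\s-c(\s|$)", line):      # no -c, so the linker runs too
            needed.append("LDFLAGS")
        missing = [v for v in needed if v not in used]
        if missing:
            findings.append((no, "compiler call without " + ", ".join(missing)))
    return findings

# Makefile fragments reconstructed from the patch lines on this page
# (the GTKFLAGS/GTKLIBS definitions are not shown there and are left out).
BEFORE = """\
LDFLAGS = -Wl,--no-add-needed -Wl,--no-undefined
INCFLAGS = -I/usr/include/gtk-2.0
LIBS = -lX11

dock: wmShutdown.c
\t$(CC) $(INCFLAGS) $(GTKFLAGS) -c -o wmShutdown.o wmShutdown.c
\t$(CC) $(LDFLAGS) -o wmShutdown wmShutdown.o $(GTKLIBS) $(LIBS)

shutdown: shutdown.c
\t$(CC) $(LDFLAGS) $(INCFLAGS) -o Shutdown shutdown.c
"""
AFTER = (BEFORE.replace("LDFLAGS =", "LDFLAGS +=")
         .replace("$(CC) $(INCFLAGS)", "$(CC) $(CFLAGS) $(CPPFLAGS) $(INCFLAGS)")
         .replace("$(CC) $(LDFLAGS) $(INCFLAGS)",
                  "$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(INCFLAGS)"))

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_makefile(text) or "all compiler calls use the build flags")
```

A static check like this complements `hardening-check`: it points at the Makefile line that loses the flags, while `hardening-check` confirms the result in the built binary.
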
diff -Nru wmshutdown-0.2/debian/patches/10-makefile.patch wmshutdown-0.2/debian/patches/10-makefile.patch
--- wmshutdown-0.2/debian/patches/10-makefile.patch 2012-02-15 14:19:29.000000000 +0100
+++ wmshutdown-0.2/debian/patches/10-makefile.patch 2012-03-03 15:55:51.000000000 +0100
@@ -3,6 +3,9 @@
Date: Thu, 17 Dec 2009 14:20:10 +0200
Subject: [PATCH] Makefile: Change name. Fix linking with GTK+
+Also use CFLAGS, CPPFLAGS, LDFLAGS from the environment. Necessary to use
+(hardening) compiler flags specified by dh.
+
Signed-off-by: Jari Aalto <[email protected]>
---
Makefile | 32 ++++++++++++++++++++------------
@@ -15,7 +18,7 @@
@@ -1,4 +1,15 @@
-all:
+
-+LDFLAGS = -Wl,--no-add-needed -Wl,--no-undefined
++LDFLAGS += -Wl,--no-add-needed -Wl,--no-undefined
+INCFLAGS = -I/usr/include/gtk-2.0
+LIBS = -lX11
+
@@ -54,12 +57,12 @@
dock: wmShutdown.c
- $(CC) -c -o wmShutdown.o wmShutdown.c `gtk-config --cflags`
- $(CC) -o wmShutdown wmShutdown.o `gtk-config --libs`
-+ $(CC) $(INCFLAGS) $(GTKFLAGS) -c -o wmShutdown.o wmShutdown.c
++ $(CC) $(CFLAGS) $(CPPFLAGS) $(INCFLAGS) $(GTKFLAGS) -c -o wmShutdown.o wmShutdown.c
+ $(CC) $(LDFLAGS) -o wmShutdown wmShutdown.o $(GTKLIBS) $(LIBS)
shutdown: shutdown.c
- $(CC) -o Shutdown shutdown.c
-+ $(CC) $(LDFLAGS) $(INCFLAGS) -o Shutdown shutdown.c
++ $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(INCFLAGS) -o Shutdown shutdown.c
--
1.6.5
diff -Nru wmshutdown-0.2/debian/rules wmshutdown-0.2/debian/rules
--- wmshutdown-0.2/debian/rules 2012-02-15 14:19:29.000000000 +0100
+++ wmshutdown-0.2/debian/rules 2012-03-03 15:50:43.000000000 +0100
@@ -6,10 +6,8 @@
MANPAGE1 = debian/$(PACKAGE).$(MANSECT)
MANPAGE2 = debian/$(PACKAGE2).$(MANSECT)
-include /usr/share/dpkg/buildflags.mk
-CFLAGS += -Wall -pedantic
+CFLAGS += -pedantic
LDFLAGS += -Wl,--as-needed
-export CFLAGS LDFLAGS
man:
# Commands to build manual pages
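Review bot: With `export CFLAGS LDFLAGS` removed, the two lines that stay, `CFLAGS += -pedantic` and `LDFLAGS += -Wl,--as-needed`, are plain make variables in debian/rules. When CFLAGS and LDFLAGS are not already in the environment, make does not pass them on to the commands it runs, so `-pedantic` and `--as-needed` may no longer reach the compiler and linker. If they are still wanted, set `DEB_CFLAGS_MAINT_APPEND = -pedantic` and `DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed` and export those, so dpkg-buildflags merges them with the hardening flags; otherwise drop the two lines.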