Package: pfb2t1c2pfb
Version: 0.3-8
Severity: important
Tags: patch
Dear Maintainer,
Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].
The following patch updates debian/rules to use hardening flags:
diff -Nru pfb2t1c2pfb-0.3/debian/rules pfb2t1c2pfb-0.3/debian/rules
--- pfb2t1c2pfb-0.3/debian/rules 2012-03-06 09:46:56.000000000 +0100
+++ pfb2t1c2pfb-0.3/debian/rules 2012-03-06 18:27:00.000000000 +0100
@@ -9,14 +9,8 @@
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
-
-CFLAGS = -Wall -g
-
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
- CFLAGS += -O0
-else
- CFLAGS += -O2
-endif
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
configure: configure-stamp
configure-stamp:
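Review bot: The added `include /usr/share/dpkg/buildflags.mk` line is unconditional, so the build now aborts on any system where that file is not installed, and this hunk changes only debian/rules. A versioned Build-Depends on a dpkg-dev that ships buildflags.mk should go into debian/control together with this change.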
The attached patch updates the "build system" to use the
hardening flags. dpkg-buildflags automatically handles noopt, so
that's no longer necessary (and wasn't used by the build system
anyway).
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
$ hardening-check /usr/bin/t1c2pfb /usr/bin/pfb2t1c
/usr/bin/t1c2pfb:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/bin/pfb2t1c:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages pfb2t1c2pfb depends on:
ii libc6 2.13-27
pfb2t1c2pfb recommends no packages.
pfb2t1c2pfb suggests no packages.
-- no debconf information
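Added example, not part of the original report or of the package: a POSIX shell filter that turns the `hardening-check` output quoted above into a pass/fail gate, tolerating the two checks the report says are not enabled by default. The function names are hypothetical and the sample input is the output quoted in the report.

```shell
#!/bin/sh
# hardening_failures: read hardening-check output on stdin and print
# "file<TAB>check" for every check that reports "no", except the two the
# report says are not enabled by default.
hardening_failures() {
    awk '
        # A line ending in ":" (e.g. "/usr/bin/t1c2pfb:") opens a file section.
        /:$/ { file = substr($0, 1, length($0) - 1); next }
        {
            sep = index($0, ": ")
            if (sep == 0) next
            check = substr($0, 1, sep - 1)
            sub(/^[ \t]+/, "", check)      # tolerate indented result lines
            if (substr($0, sep + 2) !~ /^no/) next
            if (check == "Position Independent Executable") next
            if (check == "Immediate binding") next
            printf "%s\t%s\n", file, check
        }'
}

# Constructed sample: the hardening-check output quoted in the report.
sample_output() {
    cat <<'EOF'
/usr/bin/t1c2pfb:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/bin/pfb2t1c:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
EOF
}

# check_build: exit status 0 only when no default-on check failed.
check_build() {
    failures=$(hardening_failures)
    [ -z "$failures" ] && return 0
    printf 'hardening regressions:\n%s\n' "$failures" >&2
    return 1
}

sample_output | check_build || echo "build rejected"
```

In a real build the input would come from the `find ... -exec hardening-check {} +` command given in the report instead of `sample_output`.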
Description: Use build flags from the environment (dpkg-buildflags).
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-06
Index: pfb2t1c2pfb-0.3/t1c2pfb.c
===================================================================
--- pfb2t1c2pfb-0.3.orig/t1c2pfb.c 2012-03-06 18:25:35.000000000 +0100
+++ pfb2t1c2pfb-0.3/t1c2pfb.c 2012-03-06 18:26:27.694179405 +0100
@@ -1,6 +1,6 @@
#define DUMMY \
set -ex; \
-gcc -DNDEBUG=1 -O3 -ansi -pedantic \
+gcc -DNDEBUG=1 $CFLAGS $CPPFLAGS $LDFLAGS -O3 -ansi -pedantic \
-Wall -W -Wstrict-prototypes -Wnested-externs -Winline \
-Wpointer-arith -Wbad-function-cast -Wcast-qual -Wmissing-prototypes \
-Wmissing-declarations "$0" -o t1c2pfb; \
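Review bot: On the added gcc line `$CFLAGS` is placed before the hard-coded `-O3`, and gcc applies the last -O option it is given, so the optimisation level supplied by dpkg-buildflags (including -O0 under DEB_BUILD_OPTIONS=noopt) is overridden and noopt still has no effect. Moving `$CFLAGS $CPPFLAGS $LDFLAGS` to after `-O3 -ansi -pedantic`, or dropping `-O3`, would let the distribution's flags take precedence.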
Index: pfb2t1c2pfb-0.3/pfb2t1c.c
===================================================================
--- pfb2t1c2pfb-0.3.orig/pfb2t1c.c 2012-03-06 18:25:35.000000000 +0100
+++ pfb2t1c2pfb-0.3/pfb2t1c.c 2012-03-06 18:26:27.694179405 +0100
@@ -1,6 +1,6 @@
#define DUMMY \
set -ex; \
-gcc -DNDEBUG=1 -O3 -ansi -pedantic \
+gcc -DNDEBUG=1 $CFLAGS $CPPFLAGS $LDFLAGS -O3 -ansi -pedantic \
-Wall -W -Wstrict-prototypes -Wnested-externs -Winline \
-Wpointer-arith -Wbad-function-cast -Wcast-qual -Wmissing-prototypes \
-Wmissing-declarations "$0" -o pfb2t1c; \
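Review bot: The unquoted `$CFLAGS $CPPFLAGS $LDFLAGS` on the added line expand to nothing when the variables are not exported, for example when the file is run directly instead of through debian/rules, and nothing in the script fails or warns in that case, so the binary is built without hardening. `set -ex` already echoes the expanded gcc command, so the build log shows whether the flags arrived; a check of the built binaries in debian/rules would catch an empty expansion.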