Bug#663523: libktorrent: CPPFLAGS hardening flags missing

[Simon Ruderich]

Package: libktorrent
Version: 1.2.0-1
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores
them by default.

The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].

    diff -Nru libktorrent-1.2.0/debian/rules libktorrent-1.2.0/debian/rules
    --- libktorrent-1.2.0/debian/rules      2011-05-02 23:12:44.000000000 +0200
    +++ libktorrent-1.2.0/debian/rules      2012-03-11 23:44:10.000000000 +0100
    @@ -1,5 +1,10 @@
     #!/usr/bin/make -f
     
    +# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
    +# missing (hardening) flags.
    +export DEB_CFLAGS_MAINT_APPEND   = $(shell dpkg-buildflags --get CPPFLAGS)
    +export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
    +
     override_dh_auto_configure:
            dh_auto_configure -Skde -- -DCMAKE_USE_RELATIVE_PATHS=ON

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/lib/libktorrent.so.4.0.0
    /usr/lib/libktorrent.so.4.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPXTaQAAoJEJL+/bfkTDL5d5IP/09N2Ibo/lrPwj0QQEfy8hlC
X1SkqxazAYVBzyG8i4cWPvGZPEJZ1b5V6FwITODyZv8J2/bPbCIaR9LRBmGpAhCm
oLxtu0l8jacTkjGvIjsl/2UBFXNt91Mx1qK3nCfAbTala+RCJWQ2mBM92hff79mj
OmSWT+zzeAJljJx9EvqmxENe+vg+dYJIaowMb2K8+JGcn59a4TzuLmchx2bXkD13
SD9k9igwGuVDgXzKU4K/3qIo05FJbZxTuSntXErL+/jW3M3z1Ghq22HeyJRe3Oc9
SyqcPxvzIMJ7lOYJd0ziqb7DYcXNV1WOj5V6MROlh2q4+MV2S9lbuoSfcNYEESxh
b1PZjNSXQpBqPHJV+1hBgOix7vuK8SZiq2NYDcKWub6iY5GfB6OJjT2ocruBKVY+
C0+9wb6DvlktQjpbHLSdFtzSYlNPM+sVkii9/pcXuc//dtZkalBfwOihqhzLZiut
xJn6108wzBAHNOBKMljsjQTLKhIMCvz56s9gf7yqSIcM1hsHXtt3Ldk9BvMNxgci
HbCDeYm+KblaqXKsMig2neA/qLZO2WuT7aro2vpsjpaR8v/QJ7XV25+nAARD/dpo
siL65IZWP8LQNatQPddGJGm2CHtza48aOxed2KYCPTQEiRpW30XVATJNlCgunRWK
amte7huJVGp/e53igW2u
=kH2u
-----END PGP SIGNATURE-----



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org