Package: icu Version: 4.8.1.1-4 Severity: important Tags: patch -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Dear Maintainer, Please consider enabling hardening flags, which are a release goal for wheezy. For more information please have a look at [1], [2] and [3]. The attached patch enables hardening flags. Including buildflags.mk is necessary because no CDBS class is used. To check that all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/lib/libicutu.so.48.1.1 /usr/lib/libicutest.so.48.1.1 /usr/lib/libiculx.so.48.1.1 ...
/usr/lib/libicutu.so.48.1.1:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/libicutest.so.48.1.1:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/libiculx.so.48.1.1:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
...
(Position Independent Executable and Immediate binding are not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files.
Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening - -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJPXh5VAAoJEJL+/bfkTDL5hkgQAK5Vz8hp4wPhYK2js7OnUYHK ubpMHhpSqlyuxTYNuyEWOUDQZQAX/Q9hyQWszaUsAOyUwu60tMqeSnfDLlQRZe4R 4PENz79H1xLgGStypkD5Xx1VoLTdAuvZbmLhgEQCLhH5WWJ1au0nvRLe+Jb3rCyD g0kP20xa+n8wt7v2+9ifvgGsQwprwWBa9ELgXaYWI5g0SBoTuUc4A5Tmk7XQCl0O o740KqDt2Oxj6sr0yE9OwJ0PSjnUQ36c16v32kXaVSdzcCUblPqCwucxBtmwZfIk cib/3V6XN5mT5R6GOKJJxdHGqV3xUUdowIbyxze9HnZJaT22ja5+Zd8BTO+2Grab aj0u2ZzqPMKM2jMAGIPqVQNFBSMUSyc+lOVfeHhBgQN7aiKY8GroE2I6sdlFENc8 +xhoYhRXI0GRmQbK6hwEdL1vgKcWRhbZjZA+ZqT+TWxq49PdEcoKgQ4FNs+yGEHN cr9tRxSZc3VR1dOaTJL/3sIrOpIoRXGKCUvpAmCca5qD6OdkgR2+YkoqvXCoW9Kt yavhP4IoMP8bSfwP4Mqk4WLDZwZ4yMj41SwOSnhGb30E6AXQLlP8j5YOSjSLLog1 DSIFZNfMK9C7HsILlgMoxqwpFo31slYdQmIASI7+luGtUjG/gAHJU/VR7z2qi6Qk bul57If7iNgTDssO5J8w =03ug -----END PGP SIGNATURE-----
diff -Nru icu-4.8.1.1/debian/rules icu-4.8.1.1/debian/rules
--- icu-4.8.1.1/debian/rules 2012-03-11 23:50:05.000000000 +0100
+++ icu-4.8.1.1/debian/rules 2012-03-12 16:41:49.000000000 +0100
@@ -1,5 +1,10 @@
 #!/usr/bin/make -f
+# Get (hardening) build flags, CDBS doesn't handle this automatically because
+# no class is used.
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
 DEB_HOST_ARCH_CPU ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU)
 
 # To distinguish variables that are truly local to this file (rather
@@ -7,21 +12,24 @@
 # variables' names with l_.
 l_SONAME := 48
 
-l_CFLAGS := -g -Wall
+CFLAGS += -g -Wall
 ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-	l_CFLAGS += -O0
+	CFLAGS += -O0
 else
-	l_CFLAGS += -O2
+	CFLAGS += -O2
 endif
 
 # Turn off optimization on armel to avoid some internal compiler
 # errors. This can be removed once bug 484053 is resolved.
 ifeq ($(shell dpkg --print-architecture),armel)
-l_CFLAGS := $(filter-out -O%,$(l_CFLAGS)) -O0
+CFLAGS := $(filter-out -O%,$(CFLAGS)) -O0
 endif
 
+# Use local settings for CXXFLAGS as well.
+CXXFLAGS = $(CFLAGS)
+
 # common configure cruft
-l_CONFIGURE = CC="gcc" CXX="g++" CPPFLAGS="" LDFLAGS="" \
+l_CONFIGURE = CC="gcc" CXX="g++" \
 	./configure \
 	--build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr \
 	--includedir="\$${prefix}/include" \
@@ -70,14 +78,13 @@
 configure/libicu$(l_SONAME) configure/libicu-dev:: debian/stamp-configure
 debian/stamp-configure:
 	cd $(DEB_SRCDIR) && \
-	CFLAGS="$(l_CFLAGS)" CXXFLAGS="$(l_CFLAGS)" \
 	$(l_CONFIGURE)
 	touch debian/stamp-configure
 
 configure/lib32icu$(l_SONAME) configure/lib32icu-dev:: debian/stamp-configure32
 debian/stamp-configure32:
 	cd $(DEB_SRCDIR)-build32 && \
-	CFLAGS="$(l_CFLAGS) -m32" CXXFLAGS="$(l_CFLAGS) -m32" \
+	CFLAGS="$(CFLAGS) -m32" CXXFLAGS="$(CXXFLAGS) -m32" \
 	$(l_CONFIGURE) --libdir=/usr/lib32
 	touch debian/stamp-configure32
 
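Review bot: The new `include /usr/share/dpkg/buildflags.mk` line aborts the build on any dpkg-dev that does not ship that file, and the patch shows no matching change to debian/control; the `Build-Depends` on dpkg-dev should be raised to the version that introduced buildflags.mk (1.16.1 or later) in the same upload. The comment above it should also say what `DPKG_EXPORT_BUILDFLAGS = 1` does, since that is the line the later hunks silently rely on, e.g. `# DPKG_EXPORT_BUILDFLAGS makes buildflags.mk export CFLAGS/CXXFLAGS/CPPFLAGS/LDFLAGS, so ./configure picks them up from the environment.` Note that the hardening-check output quoted in the report is the means of verifying this hunk took effect; a second check of the build log for the expected flags is still needed because hardening-check only inspects the resulting binaries.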
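Review bot: Once buildflags.mk is included, `CFLAGS` already contains `-g` and `-O2` (or `-O0` when DEB_BUILD_OPTIONS contains noopt, which dpkg-buildflags honours itself), so `CFLAGS += -g -Wall` and the whole `ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))` / `else` block now only append duplicates of flags that are already present; the one local addition this file needs is `-Wall`. Collapsing that to `CFLAGS += -Wall` (or `DEB_CFLAGS_MAINT_APPEND = -Wall` placed before the include, which is the dpkg-provided hook for exactly this) leaves the armel `filter-out -O%` line as the single place that overrides the optimisation level. `CXXFLAGS = $(CFLAGS)` replaces whatever buildflags.mk put into CXXFLAGS; today that is the same flag set as CFLAGS, but the comment should state the assumption, e.g. `# Mirror CFLAGS into CXXFLAGS: dpkg-buildflags sets both identically, and this keeps the armel -O0 override in sync for C++ as well.`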
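Review bot: The `debian/stamp-configure` recipe now passes no CFLAGS/CXXFLAGS at all, which reads as if the flags were dropped; they reach `./configure` only because buildflags.mk exports them under `DPKG_EXPORT_BUILDFLAGS`, so a comment above the `cd $(DEB_SRCDIR) && \` line is warranted, e.g. `# CFLAGS/CXXFLAGS/CPPFLAGS/LDFLAGS come from the environment (exported by buildflags.mk).` The `debian/stamp-configure32` recipe appends `-m32` to `CFLAGS`/`CXXFLAGS` only, while the 32-bit configure now also receives the exported hardening `CPPFLAGS`/`LDFLAGS` that `l_CONFIGURE` previously forced empty; that is intended, but the same comment should say so, so nobody later "restores" the empty assignments and silently loses `-D_FORTIFY_SOURCE` and relro for the lib32 build. Both recipes end inside the hunk; the remainder of the rules file is not visible here.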