On Thu, 30 Jun 2016 at 16:31:43 +0100, Jose M Calhariz wrote:
> On Thu, Jun 30, 2016 at 02:59:39PM +0000, Niels Thykier wrote:
> > Please verify that the CPPFLAGS are passed to the compiler (a lot of
> > build systems fail to pass exactly CPPFLAGS on).

What Niels said. This appears to be exactly the bug here. You can either
modify the build system to take CPPFLAGS from the environment, or do
something like CFLAGS += $(CPPFLAGS) in debian/rules.

> Fortify Source functions: no, only unprotected functions found!

This looks like the lintian tag is justified. There are three
possibilities for "fortify":

- the binary does not call any functions that have a "fortified"
  version, so there is nothing to do;
- the binary calls functions that have a "fortified" version and gets
  the "fortified" version;
- the binary calls functions that have a "fortified" version but gets
  the original (unhardened) version.

This looks like you're in the third possibility.

> gcc -c -I. -g -O2 -fPIE -fstack-protector-strong -Wformat
> -Werror=format-security -DHAVE_CONFIG_H -DVERSION=\"3.1.19\"
> -DETCDIR=\"/etc\" -DLOADAVG_MX=1.5 -DDAEMON_USERNAME=\"daemon\"
> -DDAEMON_GROUPNAME=\"daemon\" -DLFILE=\"/var/spool/cron/atjobs/.SEQ\" -Wall
> at.c
>
> The flags are enabled and most protections are in place, right?

Not all. You should also be seeing -D_FORTIFY_SOURCE=2. (blhc would
probably have told you that.)

S
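The three "fortify" outcomes described in the reply can be told apart from a binary's imported symbols: with -D_FORTIFY_SOURCE=2 in effect, glibc's headers redirect calls such as memcpy or printf to checked variants named __memcpy_chk and __printf_chk, so a binary that still imports the plain names got the unhardened versions. The script below is an added example written for this page, not code from the thread or from lintian/hardening-check; it applies that heuristic to nm output. The list of fortifiable functions and the nm-output format it parses are assumptions of the example, and the sample nm lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify an object's fortify state
# from its imported symbols, mirroring the three cases in the reply above.
# Assumption: glibc names the checked variant of a function "__<name>_chk".

# Plain libc functions that have a fortified "_chk" variant (assumed list;
# the real set is larger, extend it as needed).
FORTIFIABLE="memcpy memmove memset strcpy strncpy strcat strncat sprintf snprintf vsprintf vsnprintf printf fprintf read fgets getcwd"

# classify_fortify: read "nm -D"-style output on stdin and print one of
#   none        - no fortifiable function is referenced at all
#   fortified   - only the _chk variants of fortifiable functions are referenced
#   unfortified - at least one fortifiable function is referenced by its
#                 plain name, i.e. the case the quoted check complains about
classify_fortify() {
    # Undefined (imported) symbols print with "U" in the first column and no address.
    syms=$(awk '$1 == "U" { print $2 }')
    plain=0
    chk=0
    for f in $FORTIFIABLE; do
        for s in $syms; do
            base=${s%%@*}                     # drop the @GLIBC_2.x version suffix
            case "$base" in
                "$f")         plain=$((plain + 1)) ;;
                "__${f}_chk") chk=$((chk + 1)) ;;
            esac
        done
    done
    if [ "$plain" -gt 0 ]; then
        echo unfortified
    elif [ "$chk" -gt 0 ]; then
        echo fortified
    else
        echo none
    fi
}

# fortify_status: run the classifier on a linked binary or shared object.
# For an unlinked object such as at.o use plain "nm" instead of "nm -D".
fortify_status() {
    nm -D "$1" | classify_fortify
}

# Usage (after sourcing this file):  fortify_status /usr/bin/at
```

Because the check inspects what was actually linked, it catches the exact failure discussed above: CPPFLAGS set in the environment but dropped by the build system, so the compile line never contains -D_FORTIFY_SOURCE=2 even though the other hardening flags are present. A result of "unfortified" on a package built with hardening enabled is the cue to look at how debian/rules passes CPPFLAGS.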