Alright, I have successfully built libav with hardening flags enabled *on i386*. I have enabled them by applying the attached libav-hardening.patch against debian/confflags and format-security.patch against libavcodec/srtdec.c to fix a format string vulnerability.

However, I am hesitating to push these changes already. As you can see, the hardening flags are injected where the CFLAGS and LDFLAGS variables have been unconditionally reset to empty strings before. It has been like this since version 3:0.svn20080925-1 for the CFLAGS (committed with comment "# XXX this probably needs fixing") and since 30 Jan 2011 for LDFLAGS, see <http://anonscm.debian.org/gitweb/?p=pkg-multimedia/libav.git;a=commitdiff;h=17e588e364b1f67c5e4c513bd24a91292bf24522>.

I don't know the exact reason for resetting CFLAGS, but it seems the resetting of LDFLAGS was needed because of an Ubuntu-specific default flag that caused the build to break. Maybe this specific flag could get filtered out of LDFLAGS as done in x264. However, this was on amd64 apparently, so I couldn't test it myself.

However, I believe the next upload with these changes included should target the experimental suite. ;)

 - Fabian
--- libav.orig/libavcodec/srtdec.c
+++ libav/libavcodec/srtdec.c
@@ -110,7 +110,7 @@ static const char *srt_to_ass(AVCodecCon
                                     for (j=sptr-2; j>=0; j--)
                                         if (stack[j].param[i][0]) {
                                             out += snprintf(out, out_end-out,
-                                                            stack[j].param[i]);
+                                                            "%s", stack[j].param[i]);
                                             break;
                                         }
                         } else {
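Review bot: The `out += snprintf(out, out_end-out, ...)` pattern kept on the changed lines still lets `out` move past `out_end`, because snprintf returns the length it would have written rather than the length actually stored. Once that happens the next `out_end-out` is negative and converts to a very large size_t, so the bound no longer limits the write; the second hunk (@@ -146) shows this most directly, since its `for (i=0; i<PARAM_NUMBER; i++)` loop calls snprintf repeatedly with no check in between. Capture the result and clamp it, for example `int n = snprintf(out, out_end-out, "%s", stack[j].param[i]);` followed by `if (n > 0) out += n < out_end-out ? n : out_end-out-1;`, assuming `out < out_end` holds on entry, which the hunk does not show. srt_to_ass starts and ends outside both hunks, so the other snprintf calls in it need the same treatment.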
@@ -146,7 +146,7 @@ static const char *srt_to_ass(AVCodecCon
                             for (i=0; i<PARAM_NUMBER; i++)
                                 if (stack[sptr].param[i][0])
                                     out += snprintf(out, out_end-out,
-                                                    stack[sptr].param[i]);
+                                                    "%s", stack[sptr].param[i]);
                         }
                     } else if (!buffer[1] && strspn(buffer, "bisu") == 1) {
                         out += snprintf(out, out_end-out,
diff --git a/debian/confflags b/debian/confflags
index c89aa10..9048cd6 100644
--- a/debian/confflags
+++ b/debian/confflags
@@ -150,9 +150,10 @@ ifneq (,$(findstring linux,$(DEB_HOST_GNU_TYPE)))
   lib1394-dev += libraw1394-dev, libdc1394-22-dev
 endif
 
-# Sanitize injected compiler in linker flags
-CFLAGS :=
-LDFLAGS :=
+# Enable hardened build flags through dpkg-buildflags
+CFLAGS := $(shell dpkg-buildflags --get CFLAGS)
+CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)
+LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)
 
 ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
 # Various parts of Libav (and swscale) FTBFS when compiling with -fPIC
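Review bot: The three `$(shell dpkg-buildflags --get ...)` assignments fail silently: if dpkg-buildflags is missing or predates hardening support, the variables come back empty or unhardened and the build still succeeds without the protections. A versioned build dependency on dpkg-dev in debian/control (not visible here) would turn that into a hard failure; as far as I know hardening flags arrived in dpkg 1.16.1, so `dpkg-dev (>= 1.16.1~)` is the likely bound. The hunk also does not show whether CFLAGS and LDFLAGS actually reach libav's configure invocation, so the build log or the resulting binaries should be checked with a tool such as `blhc` or `hardening-check` before upload. The `noopt` conditional that follows continues outside the hunk and may now duplicate the `-O0` handling dpkg-buildflags already does for DEB_BUILD_OPTIONS.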