[Debian-med-packaging] Bug#670230: bowtie: Hardening flags missing

Simon Ruderich simon at ruderich.org
Tue Apr 24 09:38:24 UTC 2012 

Package: bowtie
Version: 0.12.7-2
Severity: normal
Tags: patch

Dear Maintainer,

The LDFLAGS/CPPFLAGS hardening flags are missing because the
build system ignores them. For more hardening information please
have a look at [1], [2] and [3].

The attached patch fixes the issue, if possible it should be sent
to upstream.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/bin/bowtie-inspect /usr/bin/bowtie-build /usr/bin/bowtie ...
    /usr/bin/bowtie-inspect:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/bowtie-build:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/bowtie:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: use-dpkg-buildflags.patch
Type: text/x-diff
Size: 578 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debian-med-packaging/attachments/20120424/5d7001c6/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/debian-med-packaging/attachments/20120424/5d7001c6/attachment.pgp>

More information about the Debian-med-packaging mailing list