Bug#666095: openal-soft: CPPFLAGS hardening flags missing

Simon Ruderich simon at ruderich.org
Wed Mar 28 16:51:37 UTC 2012 

Package: openal-soft
Version: 1:1.13-6
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores
them by default.

The following patch fixes the issue by adding them to CFLAGS. For
more hardening information please have a look at [1], [2] and
[3].

diff -Nru openal-soft-1.13/debian/rules openal-soft-1.13/debian/rules
--- openal-soft-1.13/debian/rules	2012-03-19 15:13:07.000000000 +0100
+++ openal-soft-1.13/debian/rules	2012-03-28 18:12:58.000000000 +0200
@@ -11,6 +11,9 @@
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 
 CFLAGS = -Wall $(shell dpkg-buildflags --get CFLAGS 2>/dev/null | sed -e 's/-g\|-O2//g')
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS to enable the missing
+# (hardening) flags.
+CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)
 
 # Use this variable to allow options passed to cmake to be overridable
 DEB_CMAKE_OPTIONS ?= -DCMAKE_VERBOSE_MAKEFILE=ON \

Btw. it's not necessary to strip -g and -O2 from dpkg-buildflags.
-O2 is overruled by the build system if -O3 is specified (in this
case the buildsystem uses -O2 as well). -g is necessary for a
debug package (#659364) and DEB_BUILD_OPTIONS=nostrip.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/lib/x86_64-linux-gnu/libopenal.so.1.13.0
    /usr/lib/x86_64-linux-gnu/libopenal.so.1.13.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Immediate binding is not enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-games-devel/attachments/20120328/d0a55e7a/attachment.pgp>

More information about the Pkg-games-devel mailing list