Bug#710809: libapache-mod-jk: Hardening CPPFLAGS missing

Simon Ruderich simon at ruderich.org
Sun Jun 2 16:14:27 UTC 2013


Package: libapache-mod-jk
Severity: normal
Tags: patch

Dear Maintainer,

The following CPPFLAGS hardening flags are missing because they
are ignored by the build system:

    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): /bin/sh ../libtool --mode=compile i486-linux-gnu-gcc -std=gnu99 -I/usr/include/apache2 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security  -pthread  -DHAVE_APR  -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE  -c jk_ajp12_worker.c -o jk_ajp12_worker.lo
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2):  i486-linux-gnu-gcc -std=gnu99 -I/usr/include/apache2 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -pthread -DHAVE_APR -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -c jk_ajp12_worker.c  -fPIC -DPIC -o .libs/jk_ajp12_worker.o
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2):  i486-linux-gnu-gcc -std=gnu99 -I/usr/include/apache2 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -pthread -DHAVE_APR -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DHAVE_CONFIG_H -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -c jk_ajp12_worker.c -o jk_ajp12_worker.o >/dev/null 2>&1
    [...]

For more hardening information please have a look at [1], [2] and
[3].

The following patch fixes the issue:

diff -Nru libapache-mod-jk-1.2.37/debian/rules libapache-mod-jk-1.2.37/debian/rules
--- libapache-mod-jk-1.2.37/debian/rules	2013-06-01 15:16:39.000000000 +0200
+++ libapache-mod-jk-1.2.37/debian/rules	2013-06-02 17:24:43.000000000 +0200
@@ -1,7 +1,7 @@
 #!/usr/bin/make -f
 
-# Enable LFS
-CFLAGS = -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 $(shell dpkg-buildflags --get CFLAGS)
+# Enable LFS, build system doesn't respect CPPFLAGS.
+export DEB_CFLAGS_MAINT_APPEND = -D_LARGEFILE_SUPPORT -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 $(shell dpkg-buildflags --get CPPFLAGS)
 
 %:
 	dh $@ --with autotools_dev,apache2 --sourcedirectory=native
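Review bot: the `=` assignment on the new `export DEB_CFLAGS_MAINT_APPEND` line makes the variable recursively expanded, so `$(shell dpkg-buildflags --get CPPFLAGS)` is re-run every time make exports the variable to a recipe; `:=` evaluates it once at parse time and yields the same value. The workaround itself is sound for a build system that only honours CFLAGS: the CPPFLAGS hardening define (`-D_FORTIFY_SOURCE=2` in the log above) is folded into CFLAGS through the maintainer-append hook, and dpkg-buildflags still supplies the default CFLAGS that the removed explicit `--get CFLAGS` used to add. After rebuilding, re-run blhc on the log to confirm the define now appears on every compile line, including the libtool-driven ones shown above, and not only on the first object.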

DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information); the default
CFLAGS from dpkg-buildpackage are automatically included.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package (Position
Independent Executable and Immediate binding are not enabled by
default) and check the build log with `blhc` (hardening-check
doesn't catch everything).

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
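The check the report recommends, scanning a build log for compile lines that lack the hardening flags, as an added example that is not part of the bug report and is not blhc itself: a small POSIX sh reimplementation of the "CPPFLAGS missing" / "CFLAGS missing" test, run over a few constructed compile lines (they are made up for this example, not taken from the mod_jk log above). It generalises the report's single case slightly by also flagging a line that carries -D_FORTIFY_SOURCE=2 but lacks -fstack-protector, and by skipping link lines, which blhc also does not hold to the compile-flag checks.

```shell
#!/bin/sh
# Constructed sample build log (four lines, not from the real mod_jk build):
#  1. compile line with every flag we check
#  2. compile line missing -D_FORTIFY_SOURCE=2 (the case in the bug report)
#  3. compile line missing -fstack-protector
#  4. link line, which must be skipped (no -c)
SAMPLE_LOG='gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c jk_util.c -o jk_util.o
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c jk_ajp12_worker.c -o jk_ajp12_worker.o
gcc -g -O2 -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -c jk_pool.c -o jk_pool.o
gcc -shared -Wl,-z,relro -o mod_jk.so jk_util.o jk_ajp12_worker.o'

# is_compile_line LINE: true when LINE compiles an object (contains a bare -c).
is_compile_line() {
    case " $1 " in
        *" -c "*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_flag LINE FLAG: true when FLAG appears as a whole, space-delimited word.
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_line LINE: print a blhc-style message for every missing hardening
# flag on one compile line; returns 0 if all flags are present, 1 otherwise.
# -D_FORTIFY_SOURCE=2 comes from CPPFLAGS, the rest from CFLAGS.
check_line() {
    line=$1
    rc=0
    for flag in -D_FORTIFY_SOURCE=2 -fstack-protector -Wformat -Werror=format-security; do
        if ! has_flag "$line" "$flag"; then
            case $flag in
                -D_FORTIFY_SOURCE=2) kind=CPPFLAGS ;;
                *) kind=CFLAGS ;;
            esac
            printf '%s missing (%s): %s\n' "$kind" "$flag" "$line"
            rc=1
        fi
    done
    return $rc
}

# count_missing LOG: run check_line over every compile line in LOG;
# the return value is the number of compile lines missing at least one flag.
# The here-document keeps the loop in the current shell so the counter survives.
count_missing() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        is_compile_line "$line" || continue
        check_line "$line" || bad=$((bad + 1))
    done <<EOF
$1
EOF
    return $bad
}

# Stand-alone usage: report the two offending lines in the sample log.
if count_missing "$SAMPLE_LOG"; then
    echo "all compile lines carry the hardening flags"
else
    echo "$? compile line(s) are missing hardening flags"
fi
```

Run it against a real log with `count_missing "$(cat build.log)"`; as in the bug report, every object of the affected source should show a "CPPFLAGS missing (-D_FORTIFY_SOURCE=2)" line until the rules fix is applied, and the -fstack-protector check catches the case where CFLAGS rather than CPPFLAGS is being dropped.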