[Pkg-mailman-hackers] Bug#663590: mailman: CPPFLAGS/LDFLAGS hardening flags missing

Simon Ruderich simon at ruderich.org
Mon Mar 12 14:50:06 UTC 2012


Package: mailman
Version: 1:2.1.14-3
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The CPPFLAGS and LDFLAGS hardening flags are missing because the
build system ignores them.

For more hardening information please have a look at [1], [2] and
[3].

The attached patch fixes the issue. If possible it should be sent
to upstream.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/lib/mailman/mail/mailman /usr/lib/cgi-bin/mailman/subscribe /usr/lib/cgi-bin/mailman/roster ...
    /usr/lib/mailman/mail/mailman:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/cgi-bin/mailman/subscribe:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/cgi-bin/mailman/roster:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 02_use_dpkg_buildflags.patch
Type: text/x-diff
Size: 1739 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mailman-hackers/attachments/20120312/87d01294/attachment.patch>
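Added example, not part of Simon's report, of the attached patch, or of the hardening-includes package: a Python reimplementation of the five properties hardening-check reports (PIE, stack protector, FORTIFY_SOURCE, RELRO, immediate binding), read straight from the ELF program/section headers so the check can be run on a build tree without the Debian tooling. The heuristics are my approximation of what hardening-check looks for, not its code: PIE is taken as ET_DYN plus a PT_INTERP segment, RELRO as a PT_GNU_RELRO segment, immediate binding as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1, stack protector as an imported __stack_chk_fail, and fortification as any other imported __*_chk symbol. It handles ELF32 as well as ELF64, going beyond the amd64 case in the report. `build_elf()` constructs minimal ELF64 test images (hardened and unhardened) so the checker can be exercised offline; the symbol names in those images are constructed test data.

```python
import struct, sys

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
SHT_DYNSYM = 11
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

# (struct format, field names) per header; index 0 = ELF64, 1 = ELF32.
EHDR_F = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
          "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
SHDR_F = ("name", "type", "flags", "addr", "offset", "size", "link", "info", "addralign", "entsize")
EHDR = (("HHIQQQIHHHHHH", EHDR_F), ("HHIIIIIHHHHHH", EHDR_F))
SHDR = (("IIQQQQIIQQ", SHDR_F), ("IIIIIIIIII", SHDR_F))
PHDR = (("IIQQQQQQ", ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")),
        ("IIIIIIII", ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")))
SYM = (("IBBHQQ", ("name", "info", "other", "shndx", "value", "size")),
       ("IIIBBH", ("name", "value", "size", "info", "other", "shndx")))
DYN = ("qQ", "iI")


def _table(end, layout, data, off, count, entsize):
    fmt, fields = layout
    return [dict(zip(fields, struct.unpack_from(end + fmt, data, off + i * entsize)))
            for i in range(count)]


def check_elf(data):
    """Return the properties hardening-check reports, read from the ELF headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    cls, end = (0 if data[4] == 2 else 1), ("<" if data[5] == 1 else ">")
    eh = _table(end, EHDR[cls], data, 16, 1, 0)[0]
    phdrs = _table(end, PHDR[cls], data, eh["phoff"], eh["phnum"], eh["phentsize"])
    shdrs = _table(end, SHDR[cls], data, eh["shoff"], eh["shnum"], eh["shentsize"])
    ptypes = {p["type"] for p in phdrs}

    # Immediate binding (-Wl,-z,now) can appear as DT_BIND_NOW, DT_FLAGS or DT_FLAGS_1.
    bind_now = False
    for p in (p for p in phdrs if p["type"] == PT_DYNAMIC):
        step = struct.calcsize(end + DYN[cls])
        for off in range(p["offset"], p["offset"] + p["filesz"], step):
            tag, val = struct.unpack_from(end + DYN[cls], data, off)
            if tag == DT_NULL:
                break
            bind_now |= (tag == DT_BIND_NOW or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                         or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))

    # Undefined dynamic symbols show whether the compiler emitted __stack_chk_fail
    # (-fstack-protector) and __*_chk calls (-D_FORTIFY_SOURCE=2 with -O1 or higher).
    imports = set()
    for sh in (s for s in shdrs if s["type"] == SHT_DYNSYM):
        strtab, step = shdrs[sh["link"]], sh["entsize"] or struct.calcsize(end + SYM[cls][0])
        for sym in _table(end, SYM[cls], data, sh["offset"], sh["size"] // step, step):
            if sym["shndx"] == 0 and sym["name"]:          # SHN_UNDEF: imported symbol
                start = strtab["offset"] + sym["name"]
                imports.add(data[start:data.index(b"\0", start)].decode())

    return {
        "pie": eh["type"] == ET_DYN and PT_INTERP in ptypes,
        "shared_library": eh["type"] == ET_DYN and PT_INTERP not in ptypes,
        "stack_protector": "__stack_chk_fail" in imports,
        "fortify": any(n.endswith("_chk") and not n.startswith("__stack_chk") for n in imports),
        "relro": PT_GNU_RELRO in ptypes,
        "bind_now": bind_now,
    }


def build_elf(pie, relro, bind_now, imports):
    """Constructed ELF64 test image, not a real binary: only the headers check_elf() reads."""
    end, interp, offs, dynstr = "<", b"/lib64/ld-linux-x86-64.so.2\0", [], b"\0"
    for n in imports:
        offs.append(len(dynstr))
        dynstr += n.encode() + b"\0"
    # symbol 0 is the mandatory null entry; the rest are undefined (shndx 0) imports
    dynsym = b"".join(struct.pack(end + "IBBHQQ", o, 0x12 if o else 0, 0, 0, 0, 0) for o in [0] + offs)
    dynamic = (struct.pack(end + "qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") \
        + struct.pack(end + "qQ", DT_NULL, 0)
    shstr = b"\0.dynsym\0.dynstr\0.dynamic\0.shstrtab\0"
    ptypes = [PT_DYNAMIC] + [PT_INTERP] * pie + [PT_GNU_RELRO] * relro
    blobs, at, off = [interp, dynsym, dynstr, dynamic, shstr], [], 64 + 56 * len(ptypes)
    for b in blobs:
        at.append(off)
        off += len(b)
    seg = {PT_INTERP: (at[0], len(interp)), PT_DYNAMIC: (at[3], len(dynamic)),
           PT_GNU_RELRO: (at[3], len(dynamic))}
    phdrs = b"".join(struct.pack(end + "IIQQQQQQ", t, 4, seg[t][0], seg[t][0], seg[t][0],
                                 seg[t][1], seg[t][1], 1) for t in ptypes)
    def sh(name, typ, o, size, link, ent):
        return struct.pack(end + "IIQQQQIIQQ", name, typ, 0, o, o, size, link, 0, 1, ent)
    shdrs = (sh(0, 0, 0, 0, 0, 0) + sh(1, SHT_DYNSYM, at[1], len(dynsym), 2, 24)
             + sh(9, 3, at[2], len(dynstr), 0, 0) + sh(17, 6, at[3], len(dynamic), 2, 16)
             + sh(26, 3, at[4], len(shstr), 0, 0))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        end + "HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, off, 0, 64, 56,
        len(ptypes), 64, 5, 4)
    return ehdr + phdrs + b"".join(blobs) + shdrs


if __name__ == "__main__":   # usage: find ... -exec python3 elfcheck.py {} +
    for path in sys.argv[1:]:
        print(path, check_elf(open(path, "rb").read()))
```

Run on a real build tree the same way as the find invocation above, with the script in place of hardening-check. As with hardening-check, the fortify result only says whether some `__*_chk` import is present; a binary that calls no fortifiable libc function will show up as unfortified even when -D_FORTIFY_SOURCE=2 was in CPPFLAGS, so the build log remains the authoritative check for that flag.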