Bug#662695: alsaequal: Please enable hardening flags

Simon Ruderich simon at ruderich.org
Mon Mar 5 20:29:34 UTC 2012


Package: alsaequal
Severity: important
Tags: patch

Dear Maintainer,

Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].

debian/compat is already 9, so hardening flags are enabled by
default via dpkg-buildflags. The only problem is that the build
system (Makefile) doesn't respect compiler flags from the
environment. The attached patch fixes this by updating the
Makefile.

The following patch disables quiet builds so missing flags can be
detected easily:

    diff -Nru alsaequal-0.6/debian/rules alsaequal-0.6/debian/rules
    --- alsaequal-0.6/debian/rules  2012-01-12 21:52:28.000000000 +0100
    +++ alsaequal-0.6/debian/rules  2012-03-05 21:08:33.000000000 +0100
    @@ -3,6 +3,9 @@
     DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
     LIBDIR = lib/$(DEB_HOST_MULTIARCH)
    
    +# Disable quiet builds.
    +export Q=
    +
     %:
            dh $@
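
Review bot: the comment above `export Q=` says what the line does but not why, and the assignment only has an effect if the upstream Makefile uses a variable named `Q` as its quiet-command prefix, which this hunk does not show. Suggest extending the comment to state the purpose (for example "Disable quiet builds so the compiler and linker flags are visible in the build log") and confirming against the Makefile that `Q` is the variable it tests. The export is unconditional and sits above the `%:` rule, so it applies to every dh target; if that is intended, the comment is a good place to say so.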

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

    $ hardening-check /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_ctl_equal.so /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_equal.so
    /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_ctl_equal.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_equal.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(The stack protected warning is fine in this case, the flags are
correctly applied.)

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-dpkg-buildflags.patch
Type: text/x-diff
Size: 804 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20120305/150e1217/attachment.patch>
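
The `hardening-check` output quoted in the report can be turned into a per-file pass/fail result for a build gate. The following is an added example, not part of the original report or of the package: `parse`, `failures` and the `waived` parameter are hypothetical names, and which checks to waive is left to the caller.

```python
import re
# Constructed sample: the report's hardening-check output, directory paths dropped.
SAMPLE = """\
libasound_module_ctl_equal.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
libasound_module_pcm_equal.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
"""

CHECK = re.compile(r"^\s+(?P<name>[^:]+):\s+(?P<verdict>yes|no)\b(?P<detail>.*)$")

def parse(text):
    """Return {file: {check name: 'pass' | 'fail' | 'ignored'}}."""
    report, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = report.setdefault(line.rstrip()[:-1], {})
            continue
        m = CHECK.match(line)
        if m is None or current is None:
            continue  # blank line or text that is not a check result
        if m["verdict"] == "yes":
            current[m["name"]] = "pass"
        elif "(ignored)" in m["detail"]:
            current[m["name"]] = "ignored"  # check does not apply to this file
        else:
            current[m["name"]] = "fail"
    return report

def failures(report, waived=()):
    """Return {file: [failed checks]}, skipping checks the caller has reviewed."""
    out = {}
    for path, checks in report.items():
        bad = sorted(n for n, s in checks.items() if s == "fail" and n not in waived)
        if bad:
            out[path] = bad
    return out

if __name__ == "__main__":
    for path, bad in failures(parse(SAMPLE), waived={"Stack protected"}).items():
        print(f"{path}: {', '.join(bad)}")
```

Lines marked `(ignored)` by the tool are kept separate from failures, so a shared library is not reported for lacking PIE.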

