Bug#663275: audacity: Hardening flags missing for portmixer

Simon Ruderich simon at ruderich.org
Sat Mar 10 00:44:21 UTC 2012


Package: audacity
Version: 2.0.0~rc8-1
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing for lib-src/portmixer because the
Makefile ignores compiler flags from the environment. For more
hardening information please have a look at [1], [2] and [3].

The attached patch fixes the issue. If possible it should be sent
upstream.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/audacity
    /usr/bin/audacity:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use

    $ find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
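
Added example (not part of Simon's report and not the hardening-check
script itself): a stand-alone Python inspector that reads the ELF program
headers, dynamic section and .dynsym with only the standard library and
reports the same five properties hardening-check prints above (PIE, stack
protector, fortify, RELRO, immediate binding). Everything in it is this
example's own: the function names, the MINIMAL_ELF64 fixture (a constructed
bare header, not a real binary) and the heuristics, which mirror what
hardening-check looks at but are approximations: PIE is taken as ET_DYN plus
a PT_INTERP entry, the stack protector is inferred from a __stack_chk_fail
dynamic symbol, and fortification from any imported __*_chk helper.

```python
import struct
import sys

ET_DYN, PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO, SHT_DYNSYM = 3, 3, 2, 0x6474E552, 11
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _header(data):
    """Parse the ELF file header: endianness, class, e_type and table locations."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, en = data[4] == 2, ("<" if data[5] == 1 else ">")
    e_type = struct.unpack_from(en + "H", data, 16)[0]
    tab_off, cnt_off = (32, 54) if is64 else (28, 42)  # e_phoff/e_shoff; e_phentsize..e_shnum
    phoff, shoff = struct.unpack_from(en + ("QQ" if is64 else "II"), data, tab_off)
    phentsize, phnum, shentsize, shnum = struct.unpack_from(en + "HHHH", data, cnt_off)
    return en, is64, e_type, (phoff, phentsize, phnum), (shoff, shentsize, shnum)


def _program_headers(data, en, is64, ph):
    """Yield (p_type, p_offset, p_filesz); Elf64_Phdr has p_flags before p_offset."""
    phoff, phentsize, phnum = ph
    fmt = en + ("IIQQQQ" if is64 else "IIIII")
    for i in range(phnum):
        f = struct.unpack_from(fmt, data, phoff + i * phentsize)
        yield (f[0], f[2], f[5]) if is64 else (f[0], f[1], f[4])


def _dynamic_entries(data, en, is64, off, size):
    """Yield (d_tag, d_val) from the dynamic section up to DT_NULL."""
    fmt, step = (en + "qQ", 16) if is64 else (en + "iI", 8)
    for pos in range(off, off + size, step):
        tag, val = struct.unpack_from(fmt, data, pos)
        if tag == DT_NULL:
            break
        yield tag, val


def _dynsym_names(data, en, is64, sh):
    """Yield symbol names from .dynsym, found through the section header table."""
    shoff, shentsize, shnum = sh
    fmt = en + ("IIQQQQIIQQ" if is64 else "I" * 10)
    secs = [struct.unpack_from(fmt, data, shoff + i * shentsize) for i in range(shnum)]
    for s in secs:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = s[1], s[4], s[5], s[6], s[9]
        if sh_type != SHT_DYNSYM or sh_entsize == 0:
            continue
        strtab = secs[sh_link]  # sh_link of .dynsym points at .dynstr
        strs = data[strtab[4]:strtab[4] + strtab[5]]
        for pos in range(sh_offset, sh_offset + sh_size, sh_entsize):
            st_name = struct.unpack_from(en + "I", data, pos)[0]  # first field in both classes
            yield strs[st_name:strs.find(b"\0", st_name)].decode("ascii", "replace")


def check_elf(data):
    """Return the five hardening properties for one ELF image as a dict."""
    en, is64, e_type, ph, sh = _header(data)
    has_interp = relro = bind_now = False
    for p_type, p_offset, p_filesz in _program_headers(data, en, is64, ph):
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            for tag, val in _dynamic_entries(data, en, is64, p_offset, p_filesz):
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (
                        tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    names = set(_dynsym_names(data, en, is64, sh))
    # Heuristic: any __*_chk import shows -D_FORTIFY_SOURCE took effect (libc.so also matches).
    fortified = sorted(n for n in names
                       if n.startswith("__") and n.endswith("_chk") and n != "__stack_chk_fail")
    return {
        "pie": e_type == ET_DYN and has_interp,  # ET_DYN without PT_INTERP is a plain .so
        "stack_protected": "__stack_chk_fail" in names,
        "fortify_source": bool(fortified),
        "fortified_functions": fortified,
        "relro": relro,
        "bind_now": bind_now,
    }


def check_file(path):
    with open(path, "rb") as f:
        return check_elf(f.read())


def check_self():
    """Inspect the running interpreter; None when it is not an ELF (e.g. a wrapper script)."""
    try:
        return check_file(sys.executable)
    except (ValueError, OSError, struct.error):
        return None


# Constructed fixture (not a real binary): a bare 64-bit little-endian ET_DYN header
# with no program or section headers, so every property must come back False.
MINIMAL_ELF64 = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
    "<HHIQQQIHHHHHH", ET_DYN, 0x3E, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)

if __name__ == "__main__":
    for p in sys.argv[1:] or [sys.executable]:
        print(p, check_file(p))
```

Run it with one or more paths, or with no arguments to inspect the running
interpreter; the find invocation above can feed it a whole build tree. Like
hardening-check it only reports what the linked binary exposes, so a sub-build
that dropped CFLAGS (as portmixer does here) shows up only when its objects
are the ones missing the stack protector or fortified calls; the build log
stays the authoritative check for which compiler invocations lost the flags.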

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-------------- next part --------------
A non-text attachment was scrubbed...
Name: portmixer-missing-dpkg-buildflags.patch
Type: text/x-diff
Size: 648 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20120310/b7e42a37/attachment.patch>