Bug#665323: crtmpserver: CPPFLAGS hardening flags missing

[Simon Ruderich]

Package: crtmpserver
Version: 1.0~dfsg-1
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores
them by default.

The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].

The -O2 removal is not necessary as gcc uses the last flag, which
is -O3 as set by CMake. compat=9 automatically exports the flags
so it's not necessary to pass them configure manually.

diff -Nru crtmpserver-1.0~dfsg/debian/rules crtmpserver-1.0~dfsg/debian/rules
--- crtmpserver-1.0~dfsg/debian/rules	2012-03-22 01:52:51.000000000 +0100
+++ crtmpserver-1.0~dfsg/debian/rules	2012-03-23 02:53:16.000000000 +0100
@@ -2,16 +2,17 @@
 
 #export DH_VERBOSE=1
 
-CFLAGS = $(shell dpkg-buildflags --get CFLAGS 2>/dev/null | sed -e 's/-O2//g')
-CXXFLAGS = $(shell dpkg-buildflags --get CXXFLAGS 2>/dev/null | sed -e 's/-O2//g')
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND   = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
 DEB_BUILDDIR = obj-$(DEB_BUILD_GNU_TYPE)
 DEB_PACKAGE_VERSION  := $(shell dpkg-parsechangelog | awk '/^Version/ {print $$2}')
 DEB_UPSTREAM_VERSION := $(shell echo $(DEB_PACKAGE_VERSION) | cut -d '-' -f 1 | sed s,~,_, )
 DEB_CONFIGURE_FLAGS = \
 			-DCMAKE_BUILD_TYPE=Release \
 			-DCMAKE_VERBOSE_MAKEFILE=ON \
-			-DCMAKE_C_FLAGS="$(CFLAGS)" \
-			-DCMAKE_CXX_FLAGS="$(CXXFLAGS)" \
 			-DCRTMPSERVER_INSTALL_PREFIX=/usr \
 			-DTEMP_FRAMEWORK_VER="$(DEB_UPSTREAM_VERSION)" \
 			-DCRTMPSERVER_SOURCES_ROOT=$(CURDIR) \

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/sbin/crtmpserver /usr/lib/crtmpserver/libthelib.so /usr/lib/crtmpserver/libcommon.so ...
    /usr/sbin/crtmpserver:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/crtmpserver/libthelib.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/crtmpserver/libcommon.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20120323/60793b22/attachment-0001.pgp>