[Pkg-openldap-devel] Bug#644427: openldap: please enable hardening options

Pierre Chifflier pollux at debian.org
Wed Oct 5 19:10:57 UTC 2011


Source: openldap
Severity: normal
Tags: patch
User: debian-qa at lists.debian.org
Usertags: hardening

Hardening options are a proposed release goal for Wheezy [1].

Having important packages, interpreters and daemons compiled with the
hardening options will add various protections against issues such as
stack smashing, predictable locations of values in memory, etc.

I have rebuilt the package with hardening options enabled and there was
no error (during build, or at runtime).

The attached patch adds a minimal modification to the debian/rules file
to add support for hardening flags (other methods are available).
Note that PIE and bindnow are not enabled by default, and that you can
decide to enable these options for additional features (see the following
link for details).

You can control and enable/disable each hardening flag independently,
see
http://lists.debian.org/debian-devel-announce/2011/09/msg00001.html
for details.

Thanks,
Pierre

[1] http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
-------------- next part --------------
--- openldap-2.4.25.orig/debian/rules	2011-10-05 18:56:46.000000000 +0200
+++ openldap-2.4.25/debian/rules	2011-10-05 18:09:23.000000000 +0200
@@ -6,7 +6,10 @@
 # want the checks for DFSG-freeness.
 #DFSG_NONFREE = 1
 
-CFLAGS = -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
+CFLAGS += -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
 INSTALL = install
 INSTALL_FILE    = $(INSTALL) -p    -o root -g root  -m  644
 INSTALL_PROGRAM = $(INSTALL) -p    -o root -g root  -m  755
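
Review bot: The new `CFLAGS +=` line is the only assignment this hunk touches, so the hardening only reaches the build if the rest of debian/rules neither reassigns CPPFLAGS or LDFLAGS with `=` nor calls configure without them. buildflags.mk puts `-D_FORTIFY_SOURCE=2` in CPPFLAGS and the relro linker option in LDFLAGS, and both are lost if either variable is overwritten later in the file. Please confirm that, and check the result with `hardening-check` on the built slapd binary. Two smaller points on the same line: `-D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE` are preprocessor defines and would sit better in `CPPFLAGS +=`, and `-g` is already part of the dpkg-buildflags default so it can be dropped. Since slapd is a network-facing daemon, consider also defining `DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow` above the include line, as the message notes these two are not enabled by default.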