[Pkg-openldap-devel] Bug#663724: openldap: Hardening flags missing for autogroup and smbk5pwd

Simon Ruderich simon at ruderich.org
Tue Mar 13 15:35:12 UTC 2012


Package: openldap
Version: 2.4.28-1.1
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing for autogroup and smbk5pwd
because the build system ignores them.

The attached patch fixes the issue. If possible it should be sent
to upstream (it might not apply cleanly to upstream because the
Makefile is modified by another Debian patch).

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/lib/ldap/autogroup.so.0.0.0 /usr/lib/ldap/smbk5pwd.so.0.0.0
    /usr/lib/ldap/autogroup.so.0.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: yes
    /usr/lib/ldap/smbk5pwd.so.0.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-------------- next part --------------
A non-text attachment was scrubbed...
Name: contrib-modules-use-dpkg-buildflags.patch
Type: text/x-diff
Size: 1463 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20120313/86304b2b/attachment.patch>
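
One way to turn the hardening-check output quoted in the report into a pass/fail check for a build job, as an added example that is not part of the original mail or the attached patch. The function and helper names and the example.so path are assumptions; the first sample is the output from the report, the second is constructed.

```shell
#!/bin/sh
# Added example: list every "no" result in hardening-check output (stdin),
# skipping results that hardening-check itself marks "(ignored)".
# Prints "file<TAB>feature" per finding; exit status 1 if any was found.
hardening_failures() {
    awk '
        { sub(/^[ \t]+/, "") }                       # tolerate indented output
        /:$/ { file = substr($0, 1, length($0) - 1); next }   # "path:" header
        {
            sep = index($0, ": ")
            if (sep == 0) next
            feature = substr($0, 1, sep - 1)
            value = substr($0, sep + 2)
            if (value ~ /^no/ && value !~ /\(ignored\)/) {
                printf "%s\t%s\n", file, feature
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Output for smbk5pwd exactly as quoted in the bug report.
sample_page() {
    cat <<'EOF'
/usr/lib/ldap/smbk5pwd.so.0.0.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
EOF
}

# Constructed sample (hypothetical module) built without the hardening flags.
sample_constructed() {
    cat <<'EOF'
/usr/lib/ldap/example.so.0.0.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes
 Read-only relocations: no, not found!
 Immediate binding: yes
EOF
}

sample_constructed | hardening_failures || echo "hardening gaps found"
```

In a real build, pipe the output of the `find ... -exec hardening-check {} +` command from the report into `hardening_failures`; because hardening-check doesn't catch everything, the build log still needs the check the report mentions.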

