Enabling hardened build flags for Perl modules

Moritz Muehlenhoff jmm at debian.org
Mon Jan 2 00:59:49 UTC 2012


Hi,
Security-hardened build flags are a release goal for Wheezy:
http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags

I've been looking into all the packages, which had a DSA in the
last 5 years and started to submit patches.

Since the Debian Perl Group maintains most Perl modules I'd like
to discuss how to enable hardened build flags for those modules,
which are arch:any.

Most of the modules seem to have been converted to dh. When
run in debian/compat mode 9, dh automatically injects the
hardened build flags emitted by dpkg-buildflags:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=544844

The default flags on current unstable:

root at pisco:~# dpkg-buildflags
CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
CPPFLAGS=-D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
FFLAGS=-g -O2
LDFLAGS=-Wl,-z,relro

For testing purposes I rebuild libimager-perl with 
compat level 9. The hardening status of a binary can be
checked with the hardening-check script from hardening-includes, e.g.

root at pisco:~# hardening-check /usr/lib/perl5/auto/Imager/File/ICO/ICO.so
/usr/lib/perl5/auto/Imager/File/ICO/ICO.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: no, not found!
 Immediate binding: no not found!

The lack of "Immediate binding" is because this flag is not part of
the default build flags. The protected stack is due to CFLAGS. So
that's not an error.

Fortied source functions would be present if CPPFLAGS were correctly
passed and read-only relocations would be present due to LDFLAGS.

After a local build there exists a Makefile, which states that it was 
auto-generated from Makefile.PL and which contains local definitions
of LDFLAGS.
I'm not familiar with the Perl modules build system; what do we need to
do to adopt the dpkg-buildflags into the generated Makefiles, so that
the arch:any modules maintainer by Pkg-Perl can be hardened?

Cheers,
        Moritz










More information about the pkg-perl-maintainers mailing list