Enabling hardened build flags for Perl modules
jmm at debian.org
Mon Jan 2 00:59:49 UTC 2012
Security-hardened build flags are a release goal for Wheezy:
I've been looking into all the packages that had a DSA in the
last 5 years and have started to submit patches.
Since the Debian Perl Group maintains most Perl modules, I'd like
to discuss how to enable hardened build flags for those modules
which are arch:any.
Most of the modules seem to have been converted to dh. When
run in debian/compat mode 9, dh automatically injects the
hardened build flags emitted by dpkg-buildflags:
The default flags on current unstable:
root at pisco:~# dpkg-buildflags
CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
For testing purposes I rebuilt libimager-perl with
compat level 9. The hardening status of a binary can be
checked with the hardening-check script from hardening-includes, e.g.
root at pisco:~# hardening-check /usr/lib/perl5/auto/Imager/File/ICO/ICO.so
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, no protected functions found!
Read-only relocations: no, not found!
Immediate binding: no not found!
The lack of "Immediate binding" is because this flag is not part of
the default build flags. The protected stack is due to CFLAGS. So
that's not an error.
Fortified source functions would be present if CPPFLAGS were correctly
passed, and read-only relocations would be present due to LDFLAGS.
After a local build there exists a Makefile, which states that it was
auto-generated from Makefile.PL and which contains local definitions
I'm not familiar with the Perl module build system; what do we need to
do to get the dpkg-buildflags into the generated Makefiles, so that
the arch:any modules maintained by Pkg-Perl can be hardened?
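One way to get CPPFLAGS and LDFLAGS into a MakeMaker-generated Makefile, as an added example and not code from the original mail or from the Debian Perl Group: ExtUtils::MakeMaker accepts OPTIMIZE and LD as attributes on the Makefile.PL command line, so debian/rules can read the flags from dpkg-dev's buildflags.mk and hand them over through dh_auto_configure. This assumes dpkg-dev ships /usr/share/dpkg/buildflags.mk and that CC resolves to the system C compiler (make's default is cc).

```make
#!/usr/bin/make -f
# debian/rules for an arch:any Perl module (added example, not the
# group's own file). buildflags.mk sets CFLAGS, CPPFLAGS and LDFLAGS
# from dpkg-buildflags, so the hardening flags come from one place.
include /usr/share/dpkg/buildflags.mk

%:
	dh $@

# MakeMaker ignores CPPFLAGS and LDFLAGS from the environment, but it
# honours OPTIMIZE (appended to the compile line) and LD (the command
# used to link the shared object).  Passing them here makes
# -D_FORTIFY_SOURCE and -Wl,-z,relro reach ICO.so and friends.
override_dh_auto_configure:
	dh_auto_configure -- \
		OPTIMIZE="$(CFLAGS) $(CPPFLAGS)" \
		LD="$(CC) $(CFLAGS) $(LDFLAGS)"
```

After a rebuild, hardening-check on the installed .so should report "Fortify Source functions: yes" and "Read-only relocations: yes"; "Immediate binding" stays "no" unless -Wl,-z,now is added to LDFLAGS, as the mail notes.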