[Debian-med-packaging] Bug#667939: last-align: Hardening flags missing

Martin Frith martin at cbrc.jp
Mon May 7 08:50:26 UTC 2012


Hi Charles and all,

thanks again: Debian is teaching me how to do these things better.

I used part of your patch in LASTv199.  (I didn't include the "+=" changes,
because I think the purpose of those flag variables is to let you override
them if you want to.  You might consider including "-O3" in your override.)

By the way, in your "rules" file, I think "clean" is no longer needed (now
in the upstream makefile), nor is "--directory src" (there is now a
top-level makefile).

Please let me know if I misunderstood something.

Have a nice day,
Martin
http://www.cbrc.jp/~martin/

On Mon, Apr 30, 2012 at 11:16 AM, Charles Plessy <plessy at debian.org> wrote:

> Hi Martin,
>
> please consider the patch below for the makefile of LAST.  It
> allows setting the compiler, preprocessor and linker flags
> separately, which is the way Debian follows when passing
> 'hardening' flags (see below).
>
> Cheers,
>
> -- Charles
>
> On Sat, Apr 07, 2012 at 06:47:11PM +0200, Simon Ruderich wrote:
> > Package: last-align
> > Version: 198-1
> > Severity: important
> > Tags: patch
> >
> > Dear Maintainer,
> >
> > The hardening flags are missing because the build system ignores
> > them.
> >
> > The attached patch fixes the issue, if possible it should be sent
> > to upstream.
> >
> > To check if all flags were correctly enabled you can use
> > `hardening-check` from the hardening-includes package and check
> > the build log (hardening-check doesn't catch everything):
> >
> >     $ hardening-check /usr/bin/lastdb /usr/bin/lastal
> >     /usr/bin/lastdb:
> >      Position Independent Executable: no, normal executable!
> >      Stack protected: yes
> >      Fortify Source functions: no, only unprotected functions found!
> >      Read-only relocations: yes
> >      Immediate binding: no not found!
> >     /usr/bin/lastal:
> >      Position Independent Executable: no, normal executable!
> >      Stack protected: yes
> >      Fortify Source functions: yes (some protected functions found)
> >      Read-only relocations: yes
> >      Immediate binding: no not found!
> >
> > (Position Independent Executable and Immediate binding are not
> > enabled by default.)
> >
> > Use `find -type f \( -executable -o -name \*.so\* \) -exec
> > hardening-check {} +` on the build result to check all files.
> >
> > Regards,
> > Simon
> >
> > [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
> > [2]: https://wiki.debian.org/HardeningWalkthrough
> > [3]: https://wiki.debian.org/Hardening
> > --
> > + privacy is necessary
> > + using gnupg http://gnupg.org
> > + public key id: 0x92FEFDB7E44C32F9
>
> Description: Use build flags from environment (dpkg-buildflags).
>  Necessary for hardening flags.
> Author: Simon Ruderich <simon at ruderich.org>
> Last-Update: 2012-04-07
>
> --- last-align-198.orig/makefile
> +++ last-align-198/makefile
> @@ -1,4 +1,4 @@
> -CXXFLAGS = -O3
> +CXXFLAGS += -O3
>  all:
>        @cd src && $(MAKE) CXXFLAGS="$(CXXFLAGS)"
>
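Review bot: the `+=` on the first line only takes effect for flags that arrive through the environment, because the unchanged recipe `@cd src && $(MAKE) CXXFLAGS="$(CXXFLAGS)"` hands CXXFLAGS to the sub-make as a command-line variable, and GNU make lets a command-line variable override every ordinary assignment in src/makefile, `+=` included; the warning flags src/makefile tries to add to CXXFLAGS are therefore dropped whenever the build goes through this top-level makefile (as they already were before the patch). Either change src/makefile to `override CXXFLAGS += ...`, or `export CXXFLAGS` here and drop the explicit argument. CPPFLAGS and LDFLAGS are not forwarded on that line at all; they reach the sub-make only because make re-exports variables it inherited from the environment, which is how dpkg-buildflags supplies them, so a `make LDFLAGS=...` typed at the top level also works only via MAKEFLAGS, not via this recipe.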
> --- last-align-198.orig/src/makefile
> +++ last-align-198/src/makefile
> @@ -1,12 +1,12 @@
>  CXX = g++
>  CC  = gcc
>
> -CXXFLAGS = -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef \
> +CXXFLAGS += -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef        \
>  -Wcast-align -Wno-long-long -ansi -pedantic
>  # -Wconversion
>  # -fomit-frame-pointer ?
>
> -CFLAGS = -Wall
> +CFLAGS += -Wall
>
>  DBSRC = Alphabet.cc MultiSequence.cc CyclicSubsetSeed.cc       \
>  SubsetSuffixArray.cc LastdbArguments.cc io.cc fileMap.cc       \
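Review bot: `CFLAGS += -Wall` leaves the C side without an optimisation level of its own, so CA_code/lambda_calculator.c is compiled with whatever `-O` the environment supplies and with none at all under a plain upstream `make`; `-D_FORTIFY_SOURCE=2`, which arrives through CPPFLAGS, does nothing at -O0 and glibc's features.h warns `_FORTIFY_SOURCE requires compiling with optimization`. Consider `CFLAGS += -O2 -Wall` (or -O3 to match CXXFLAGS). The `+=` on CXXFLAGS is fine as it stands: the makefile's -O3 lands after the -O2 from dpkg-buildflags and the last `-O` wins, so the upstream optimisation level is preserved while -fstack-protector and the warning flags are kept. Unrelated to the patch but visible in the context lines, `CXX = g++` and `CC = gcc` with a plain `=` override a compiler set in the environment, which bites cross builds; `?=` would respect it.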
> @@ -50,16 +50,16 @@ OBJ = lambda_calculator.o
>  all: lastdb lastal lastex
>
>  lastdb: $(DBSRC) $(DBINC) makefile
> -       $(CXX) $(CXXFLAGS) -o $@ $(DBSRC)
> +       $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(DBSRC)
>
>  lastal: $(ALSRC) $(ALINC) makefile $(OBJ)
> -       $(CXX) $(CXXFLAGS) -o $@ $(ALSRC) $(OBJ)
> +       $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(ALSRC) $(OBJ)
>
>  lastex: $(EXSRC) $(EXINC) makefile
> -       $(CXX) -Igumbel_params $(CXXFLAGS) -o $@ $(EXSRC)
> +       $(CXX) -Igumbel_params $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@
> $(EXSRC)
>
>  $(OBJ): CA_code/*.c CA_code/*.h makefile
> -       $(CC) $(CFLAGS) -c CA_code/lambda_calculator.c
> +       $(CC) $(CPPFLAGS) $(CFLAGS) -c CA_code/lambda_calculator.c
>
>  clean:
>        rm -f lastdb lastal lastex $(OBJ)
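Review bot: the lastex recipe has been line-wrapped in transit (`$(EXSRC)` sits alone on the following line), so the patch as quoted will not apply with `patch`; the attachment or a re-send with wrapping disabled is needed. On the substance, placing $(LDFLAGS) before the sources is correct for the flags dpkg-buildflags emits (-Wl,-z,relro) and is also the right position should -Wl,--as-needed be added later, and because each rule compiles and links in one step the same $(CXXFLAGS) covers both stages, which is what gets -fstack-protector and the FORTIFY wrappers into the binaries. Note that the patch cannot change the `Position Independent Executable: no` and `Immediate binding: no` lines from the report: those need -fPIE/-pie and -Wl,-z,now, which dpkg-buildflags only emits when the pie and bindnow features are switched on through DEB_BUILD_MAINT_OPTIONS, as the report itself says.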
>
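The bug report above checks hardening by running `hardening-check` over the build result and reading its output by eye. The script below is an added example, not code from the bug report, from LAST or from Debian, that turns that step into a pass/fail gate: `check_report` parses a hardening-check report from stdin and fails if any property listed in REQUIRED does not read "yes", and `scan_tree` feeds it the `find` one-liner from the report. The function names, the REQUIRED list, and the embedded sample report (the two outputs quoted in the bug, reused as constructed test input) are this example's own choices; PIE and immediate binding are left out of REQUIRED because the report notes they were not enabled by default.

```shell
#!/bin/sh
# Added example, not part of the bug report or of LAST: turn the manual
# "run hardening-check and eyeball it" step into a pass/fail gate.
# REQUIRED names the report lines that must read "yes"; PIE and immediate
# binding are left out because dpkg-buildflags did not enable them by default.
REQUIRED='Stack protected
Fortify Source functions
Read-only relocations'

# check_report: read a hardening-check report on stdin, print
# "<binary>: <property> missing (<reason>)" for every required property whose
# value does not start with "yes", and return 1 if anything was printed.
check_report() {
    awk -v req="$REQUIRED" '
        BEGIN { n = split(req, want, "\n"); bad = 0 }
        # lines without a leading space name the binary, e.g. "/usr/bin/lastdb:"
        /^[^ ]/ { bin = $0; sub(/:$/, "", bin); next }
        {
            line = $0; sub(/^ +/, "", line)
            for (i = 1; i <= n; i++) {
                key = want[i] ": "
                if (index(line, key) != 1) continue
                val = substr(line, length(key) + 1)
                if (val !~ /^yes/) {
                    printf "%s: %s missing (%s)\n", bin, want[i], val
                    bad = 1
                }
            }
        }
        END { exit bad }'
}

# scan_tree DIR: the find one-liner from the report, piped into the gate.
# Needs GNU find (-executable) and hardening-check from hardening-includes.
scan_tree() {
    find "$1" -type f \( -executable -o -name '*.so*' \) \
        -exec hardening-check {} + | check_report
}

# sample_report: the two reports quoted in the bug, embedded as constructed
# test input so the gate can be exercised without hardening-check installed.
sample_report() {
    cat <<'EOF'
/usr/bin/lastdb:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/lastal:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
EOF
}

if [ "$#" -gt 0 ]; then
    scan_tree "$1"          # e.g. ./check.sh debian/last-align
else
    # No directory given: run the gate on the embedded sample report.
    sample_report | check_report && echo "all required protections present" \
        || echo "hardening gaps found"
fi
```

Run it as `./check.sh debian/last-align` from the package directory after `dpkg-buildpackage`; a non-zero exit from `scan_tree` makes it usable as a step in `debian/rules` or a CI job. Add "Position Independent Executable" and "Immediate binding" to REQUIRED once the package enables pie and bindnow, since hardening-check only reports what the binaries contain and cannot know which flags were intended.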