Your message dated Tue, 21 Feb 2012 22:20:38 +0000
with message-id <[email protected]>
and subject line Bug#644400: fixed in zsh 4.3.16-1
has caused the Debian Bug report #644400,
regarding zsh: please enable hardening options
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
644400: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644400
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: zsh
Severity: normal
Tags: patch
User: [email protected]
Usertags: hardening

Hardening options is a proposed release goal for Wheezy [1].

Having important packages compiled with the hardening options will add
various protections against issues such as stack smashing, predictable
locations of values in memory, etc.

I have rebuilt the package with hardening options enabled and there was
no error (during build, or at runtime).

The attached patch adds a minimal modification to the debian/rules file
to add support for hardening flags (other methods are available).
Note that PIE and bindnow are not enabled by default, and that you can
decide to enable these options for additional features (see the following
link for details).

You can control and enable/disable each hardening flag independently,
see
http://lists.debian.org/debian-devel-announce/2011/09/msg00001.html
for details.

Thanks,
Pierre

[1] http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
diff -ruN zsh-4.3.12.orig/debian/rules zsh-4.3.12/debian/rules
--- zsh-4.3.12.orig/debian/rules	2011-06-14 20:14:07.000000000 +0200
+++ zsh-4.3.12/debian/rules	2011-10-05 16:01:29.000000000 +0200
@@ -10,12 +10,16 @@
 snapshot_date := $(shell dpkg-parsechangelog | sed -n '/^Version: [0-9.][0-9.]*.*+20[0-9][0-9]\([0-9][0-9][0-9][0-9]\)-[0-9][0-9]*$$/ {s//\1/;p}')
 endif
 
-CFLAGS = -Wall -g
+-include /usr/share/dpkg/buildflags.mk
+export CFLAGS LDFLAGS
+H_LDFLAGS = $(LDFLAGS)
+
+CFLAGS += -Wall -g
 ifeq (zsh-beta,$(package))
 CFLAGS += -W
 endif
 
-CONFIGFLAGS = --prefix=/usr --mandir=/usr/share/man --bindir=/bin LDFLAGS="-Wl,--as-needed -g"
+CONFIGFLAGS = --prefix=/usr --mandir=/usr/share/man --bindir=/bin LDFLAGS="-Wl,--as-needed -g $(H_LDFLAGS)"
 
 ifeq (zsh-beta,$(package))
 CONFIGFLAGS += --program-suffix=-beta
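
Review bot: CPPFLAGS is missing from "export CFLAGS LDFLAGS", and CONFIGFLAGS hands only LDFLAGS to configure, so the preprocessor half of the hardening flags (dpkg-buildflags puts -D_FORTIFY_SOURCE=2 in CPPFLAGS) is not guaranteed to reach the compiler. Export CPPFLAGS as well, or append $(CPPFLAGS) to CFLAGS before configure runs. Also, the leading "-" on the buildflags.mk include turns a missing file into a silent no-op, which gives an unhardened build with no error; a plain include backed by a versioned Build-Depends on dpkg-dev would fail loudly instead.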

--- End Message ---
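
A way to confirm that the hardening features named in the report above actually landed in a built binary, as an added example that is not part of the bug report or of the zsh packaging. The function names and the sample readelf excerpts are constructed for illustration; scan_elf assumes readelf from binutils is installed.

```shell
#!/bin/sh
# Added example: report hardening features visible in readelf output.

# has TEXT REGEX -> prints yes or no
has() { printf '%s\n' "$1" | grep -Eq "$2" && echo yes || echo no; }

# hardening_report HEADER PHDRS DYNAMIC DYNSYMS (each is readelf text)
hardening_report() {
    # ET_DYN on an executable means it was linked as PIE.
    echo "pie=$(has "$1" 'Type:[[:space:]]+DYN')"
    echo "relro=$(has "$2" 'GNU_RELRO')"
    # bindnow shows up as DT_BIND_NOW or as a NOW bit in DT_FLAGS/DT_FLAGS_1.
    echo "bindnow=$(has "$3" '\(BIND_NOW\)|\(FLAGS(_1)?\).*NOW')"
    echo "stackprotector=$(has "$4" '__stack_chk_fail')"
    # _FORTIFY_SOURCE replaces libc calls with __*_chk variants.
    echo "fortify=$(has "$4" '__[a-z0-9_]+_chk(@|[[:space:]]|$)')"
}

# scan_elf FILE: run readelf on a real binary and report on it.
scan_elf() {
    hardening_report "$(readelf -h "$1")" "$(readelf -lW "$1")" \
        "$(readelf -dW "$1")" "$(readelf -W --dyn-syms "$1")"
}

# Constructed readelf excerpts (not taken from any zsh build).
SAMPLE_HDR='  Type:                              EXEC (Executable file)'
SAMPLE_PHDRS='  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x0a1df0 0x00000000006a1df0 0x00000000006a1df0 0x000210 0x000210 R   0x1'
SAMPLE_DYN=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000015 (DEBUG)              0x0'
SAMPLE_SYMS='     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     8: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.2.5 (2)'

sample_report() {
    hardening_report "$SAMPLE_HDR" "$SAMPLE_PHDRS" "$SAMPLE_DYN" "$SAMPLE_SYMS"
}

# With a path argument, inspect that file; otherwise show the sample result.
if [ "$#" -gt 0 ]; then scan_elf "$1"; else sample_report; fi
```

A "no" for stackprotector or fortify can also mean the binary simply has no code those features apply to, so treat it as a prompt to check the build log rather than as proof the flag was dropped.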
--- Begin Message ---
Source: zsh
Source-Version: 4.3.16-1

We believe that the bug you reported is fixed in the latest version of
zsh, which is due to be installed in the Debian FTP archive:

zsh-dbg_4.3.16-1_amd64.deb
  to main/z/zsh/zsh-dbg_4.3.16-1_amd64.deb
zsh-dev_4.3.16-1_amd64.deb
  to main/z/zsh/zsh-dev_4.3.16-1_amd64.deb
zsh-doc_4.3.16-1_all.deb
  to main/z/zsh/zsh-doc_4.3.16-1_all.deb
zsh-static_4.3.16-1_amd64.deb
  to main/z/zsh/zsh-static_4.3.16-1_amd64.deb
zsh_4.3.16-1.debian.tar.gz
  to main/z/zsh/zsh_4.3.16-1.debian.tar.gz
zsh_4.3.16-1.dsc
  to main/z/zsh/zsh_4.3.16-1.dsc
zsh_4.3.16-1_amd64.deb
  to main/z/zsh/zsh_4.3.16-1_amd64.deb
zsh_4.3.16.orig.tar.bz2
  to main/z/zsh/zsh_4.3.16.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <[email protected]> (supplier of updated zsh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 21 Feb 2012 22:37:22 +0100
Source: zsh
Binary: zsh zsh-doc zsh-static zsh-dev zsh-dbg
Architecture: source amd64 all
Version: 4.3.16-1
Distribution: unstable
Urgency: low
Maintainer: Debian Zsh Maintainers <[email protected]>
Changed-By: Axel Beckert <[email protected]>
Description: 
 zsh        - shell with lots of features
 zsh-dbg    - shell with lots of features (debugging symbols)
 zsh-dev    - shell with lots of features (development files)
 zsh-doc    - zsh documentation - info/HTML format
 zsh-static - shell with lots of features (static link)
Closes: 644400 654225 658223
Changes: 
 zsh (4.3.16-1) unstable; urgency=low
 .
   * New upstream release
 .
   [ Frank Terbeck ]
   * [1a330ad7] 30079: Src/params.c: Restore `LC_ALL' when setting
     `LANG'. (Closes: #654225)
   * [756f17a7] A.Costa: grammar.yo, ChangeLog-3.1: Fix typo to
     "definition" (Closes: #658223)
 .
   [ Pierre Chifflier ]
   * [53f9140d] Enable hardening options (Closes: #644400)
 .
   [ Michael Prokop ]
   * [340a3b41] Raise upstream-branch version in gbp.conf to zsh-4.3.15
 .
   [ Axel Beckert ]
   * [baf81ea9] Raise upstream-branch version in gbp.conf to zsh-4.3.16
   * [51a77e60] Add stamp-h.in to extend-diff-ignore

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk9EEokACgkQwJ4diZWTDt4xKACfbyRfhpakyeZRtiPRVdLERUyP
nxMAnRYintkWr5G4mJB3lohxoWmMrOWs
=J0BH
-----END PGP SIGNATURE-----



--- End Message ---
