Your message dated Sun, 04 Mar 2012 07:39:07 +0000
with message-id <[email protected]>
and subject line Bug#662100: fixed in p11-kit 0.11-3
has caused the Debian Bug report #662100,
regarding p11-kit: CPPFLAGS hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
662100: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662100
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: p11-kit
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The CPPFLAGS hardening flags are not used in the build.

The problem is "export CPPFLAGS" in debian/rules. I'm not
entirely sure why it causes the problem, but I guess the export
happens while parsing the Makefile - which overwrites the
hardening flags which get added later. The following patch fixes
that:

diff -Nru p11-kit-0.11/debian/rules p11-kit-0.11/debian/rules
- --- p11-kit-0.11/debian/rules 2012-03-03 18:53:22.000000000 +0100
+++ p11-kit-0.11/debian/rules   2012-03-04 04:44:20.000000000 +0100
@@ -1,7 +1,6 @@
 #!/usr/bin/make -f
 
 CPPFLAGS += -D_XOPEN_SOURCE=600 -D_BSD_SOURCE
- -export CPPFLAGS
 
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
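Review bot: with `export CPPFLAGS` dropped, the remaining `CPPFLAGS += -D_XOPEN_SOURCE=600 -D_BSD_SOURCE` line only sets a make variable, and nothing in this hunk shows it being handed to the configure step, so please confirm both feature-test macros still reach the compiler after the change. Passing them through dpkg-buildflags, for example `export DEB_CPPFLAGS_MAINT_APPEND = -D_XOPEN_SOURCE=600 -D_BSD_SOURCE`, would append them to the hardening flags instead of competing with them. A one-line comment in debian/rules saying why CPPFLAGS must not be exported would also keep the export from being reintroduced later.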

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

    $ hardening-check /usr/bin/p11-kit /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.0.0
    /usr/bin/p11-kit:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

For more information please have a look at [1], [2] and [3].

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
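
One way to turn the `hardening-check` output shown in the report above into a list of failed checks per file, as an added example that is not part of the original bug report or of the p11-kit packaging. `failed_checks` and `sample_output` are hypothetical names, and the sample input is the output quoted in the report.

```shell
#!/bin/sh
# failed_checks (hypothetical helper): reads hardening-check output on stdin
# and prints "file: check" for every check answered "no". Answers marked
# "(ignored)", such as PIE on a shared library, are not counted as failures.
failed_checks() {
    awk '
        # A line that starts with "/" and ends in ":" names the file under test.
        /^[ \t]*\/.*:[ \t]*$/ {
            file = $0
            sub(/^[ \t]+/, "", file)
            sub(/:[ \t]*$/, "", file)
            next
        }
        # Every other "name: answer" line is one check for that file.
        file != "" && /: / {
            name = $0
            sub(/^[ \t]+/, "", name)
            answer = name
            sub(/:.*/, "", name)
            sub(/^[^:]*:[ \t]*/, "", answer)
            if (answer ~ /^no/ && answer !~ /\(ignored\)/)
                print file ": " name
        }
    '
}

# Sample input: the hardening-check output quoted in the report, embedded
# here so the script runs without the package installed.
sample_output() {
    cat <<'EOF'
/usr/bin/p11-kit:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.0.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
EOF
}

sample_output | failed_checks
```

On a system with the tool installed, the same function can read live output, for example `hardening-check /usr/bin/p11-kit | failed_checks`.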
--- Begin Message ---
Source: p11-kit
Source-Version: 0.11-3

We believe that the bug you reported is fixed in the latest version of
p11-kit, which is due to be installed in the Debian FTP archive:

libp11-kit-dev_0.11-3_i386.deb
  to main/p/p11-kit/libp11-kit-dev_0.11-3_i386.deb
libp11-kit0_0.11-3_i386.deb
  to main/p/p11-kit/libp11-kit0_0.11-3_i386.deb
p11-kit_0.11-3.debian.tar.gz
  to main/p/p11-kit/p11-kit_0.11-3.debian.tar.gz
p11-kit_0.11-3.dsc
  to main/p/p11-kit/p11-kit_0.11-3.dsc
p11-kit_0.11-3_i386.deb
  to main/p/p11-kit/p11-kit_0.11-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated p11-kit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Sun, 04 Mar 2012 08:07:12 +0100
Source: p11-kit
Binary: libp11-kit-dev libp11-kit0 p11-kit
Architecture: source i386
Version: 0.11-3
Distribution: unstable
Urgency: low
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Description: 
 libp11-kit-dev - Library for loading and coordinating access to PKCS#11 modules -
 libp11-kit0 - Library for loading and coordinating access to PKCS#11 modules -
 p11-kit    - Utilities for working with the p11-glue library
Closes: 662100
Changes: 
 p11-kit (0.11-3) unstable; urgency=low
 .
   * Do not export CPPFLAGS in debian/rules, it disabled the respective
     hardening-options. (Thanks, Simon Ruderich) Closes: #662100

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
