Your message dated Mon, 19 Mar 2012 15:02:34 +0000
with message-id <[email protected]>
and subject line Bug#662970: fixed in btag 1.1.3-1
has caused the Debian Bug report #662970,
regarding btag: Please enable -z now hardening flags
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
662970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662970
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: btag
Version: 1.1.2-1
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
Please enable the last missing hardening flag -z now. The
following patch adds it (+all to also enable possible future
hardening flags). For more hardening information please have a
look at [1], [2] and [3].
Additionally, CMake ignores CPPFLAGS; the patch also fixes that by
passing them through CFLAGS/CXXFLAGS.
diff -Nru btag-1.1.2/debian/rules btag-1.1.2/debian/rules
--- btag-1.1.2/debian/rules 2011-12-03 18:59:22.000000000 +0100
+++ btag-1.1.2/debian/rules 2012-03-07 18:06:54.000000000 +0100
@@ -2,9 +2,14 @@
# vi: ts=8 sw=8 noet
DPKG_EXPORT_BUILDFLAGS = 1
-DEB_BUILD_MAINT_OPTIONS = "hardening=+pie"
+export DEB_BUILD_MAINT_OPTIONS = "hardening=+all"
include /usr/share/dpkg/buildflags.mk
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+CFLAGS += $(CPPFLAGS)
+CXXFLAGS += $(CPPFLAGS)
+
EXTRA_CMAKE_FLAGS =
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
EXTRA_CMAKE_FLAGS = -DENABLE_TESTS=1
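Review bot: the part of this hunk that actually makes the hardening options reach the compiler is the `export` added in `+export DEB_BUILD_MAINT_OPTIONS = "hardening=+all"`: the old `-DEB_BUILD_MAINT_OPTIONS = "hardening=+pie"` line was a plain make variable, not in the environment of the `dpkg-buildflags` call that `buildflags.mk` performs, so the `hardening=` setting it carried was not visible there. That deserves a sentence in the changelog alongside "enable all hardening flags". Two smaller points: make passes the double quote characters through literally as part of the exported value, so the unquoted form `hardening=+all` used in the referenced wiki pages is the safer spelling; and the `+CFLAGS += $(CPPFLAGS)` / `+CXXFLAGS += $(CPPFLAGS)` lines must stay below the `include /usr/share/dpkg/buildflags.mk` line, as they are here, because that include is what defines CPPFLAGS, while `DPKG_EXPORT_BUILDFLAGS = 1` set above it is what exports the final CFLAGS/CXXFLAGS values to the CMake run.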
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/btag
/usr/bin/btag:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
The Fortify Source functions warning is fine, there are no
protectable functions yet.
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPV5e9AAoJEJL+/bfkTDL5mD4P/31AFmg8U0lrJ04RRt0dF6gB
e1KDI9kSTJlciSTAQ05rfrERopYv5jEKgEsXG9876QUcBqslR1xWP+B4X6ck93xg
FqOZka+oFPwQrhJa5hx2j5v18DgUYIN0MWIV9uB4RfjcXvMjERXzHv/VN/HvNBwO
dszgtBdPaFmjAAxlsagOsFsXzQ/nsFn+Uf4ZyExjfYpTyk8Ant5GKqkxVMDolQe7
1FNvRXu1LBkI/b1Nxx654BmlAz0pAU3mM5h3PFBe48r1NlIWo/XJccmwYa88dkhK
7WA68478HuvgSNqM2Nl0HaMF1kpg/qD3eI+on90x1QXt9LWfsfswpuWJQIQyJTLR
yTaDMQh17fcqPBXOQM+avHEZMOkxOlsPFYWZDE8rF5FXHVzPPOsftf5WHfMTFI9v
zo1QFdHMXVAcErkanPeM7d6TwvcB9m68yFVQ5TbI4Yb8uYTwTO6Le/+y9B/aP/ye
M+BfR5Gl5A9u05WY3pZfL0s718FuEQdgDxArEtaPtuHEND8nf0PZFnJzUB7x2nsg
fA8LNKh3lA/vOYZo2jM8xK5E3ZjnSsLEbtl9P+fk40LZFAhs5ElQrYpgYm7rt9dV
gAthPWot+45dH9nPqviS/JJGTm5J4NDt90viRYUWlzxHjm5v10xbnz+2ax/fQ59o
SwvJz3sFC2X4NJiJwnSg
=osoj
-----END PGP SIGNATURE-----
--- End Message ---
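As an added illustration (not part of the bug report and not the code of hardening-check itself), the following Python script re-implements three of the hardening-check tests the reporter ran, reading the ELF headers directly so that it is visible which bytes PIE, `-z relro` and `-z now` actually change in the built binary: the ELF type, the `PT_GNU_RELRO` segment and the bind-now flags in the dynamic section. It handles little-endian ELF64 only. `build_sample_elf` is a constructed, non-loadable image that exists only so the example runs offline; pass a real path such as /usr/bin/btag to check a built file instead.

```python
"""Minimal re-implementation of three of hardening-check's tests
(PIE, read-only relocations, immediate binding) on a raw ELF64 image."""
import struct
import sys

# ELF constants (values from the ELF specification / <elf.h>)
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def _dynamic_has_bind_now(data: bytes, off: int, size: int) -> bool:
    """Walk the Elf64_Dyn entries (signed tag, unsigned value, 16 bytes each)
    looking for any of the three ways the linker records `-z now`."""
    end = off + size
    while off + 16 <= end:
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW:
            return True
        if tag == DT_FLAGS and val & DF_BIND_NOW:
            return True
        if tag == DT_FLAGS_1 and val & DF_1_NOW:
            return True
        off += 16
    return False


def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'relro', 'bind_now'} for a little-endian ELF64 image.
    pie:      e_type is ET_DYN (the same heuristic hardening-check applies)
    relro:    a PT_GNU_RELRO segment exists (`-z relro`)
    bind_now: the dynamic section requests immediate binding (`-z now`)"""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, off)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            bind_now = _dynamic_has_bind_now(data, p_offset, p_filesz)
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now}


def build_sample_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed sample: a minimal, non-loadable ELF64 image that carries
    only the headers check_hardening() inspects, for offline demonstration."""
    n_ph = 2 if relro else 1
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * n_ph                     # dynamic data follows the phdrs
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else ET_EXEC, 62, 1,   # e_type, x86-64, version
                               0, 64, 0, 0,                         # entry, phoff, shoff, flags
                               64, 56, n_ph, 64, 0, 0)              # ehsize, phentsize, phnum, ...
    return ehdr + phdrs + dyn


def report(name: str, data: bytes) -> str:
    """Format the results in the style of hardening-check's output."""
    r = check_hardening(data)

    def yn(b: bool) -> str:
        return "yes" if b else "no"

    return (f"{name}:\n Position Independent Executable: {yn(r['pie'])}\n"
            f" Read-only relocations: {yn(r['relro'])}\n"
            f" Immediate binding: {yn(r['bind_now'])}")


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # a real binary, e.g. /usr/bin/btag
        with open(sys.argv[1], "rb") as f:
            print(report(sys.argv[1], f.read()))
    else:                                 # constructed before/after samples
        print(report("hardening=+pie only (constructed)", build_sample_elf(True, True, False)))
        print(report("hardening=+all (constructed)", build_sample_elf(True, True, True)))
```

Run without arguments to see the constructed "+pie only" and "+all" images side by side; run with a path to inspect a real build result. As the reporter notes, a check like this does not catch everything: it says nothing about stack protector or fortified functions, which live in the code rather than in the headers.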
--- Begin Message ---
Source: btag
Source-Version: 1.1.3-1
We believe that the bug you reported is fixed in the latest version of
btag, which is due to be installed in the Debian FTP archive:
btag_1.1.3-1.debian.tar.gz
to main/b/btag/btag_1.1.3-1.debian.tar.gz
btag_1.1.3-1.dsc
to main/b/btag/btag_1.1.3-1.dsc
btag_1.1.3-1_amd64.deb
to main/b/btag/btag_1.1.3-1_amd64.deb
btag_1.1.3.orig.tar.gz
to main/b/btag/btag_1.1.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fernando Tarlá Cardoso Lemos <[email protected]> (supplier of updated btag package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 07 Mar 2012 22:50:32 -0300
Source: btag
Binary: btag
Architecture: source amd64
Version: 1.1.3-1
Distribution: unstable
Urgency: low
Maintainer: Fernando Tarlá Cardoso Lemos <[email protected]>
Changed-By: Fernando Tarlá Cardoso Lemos <[email protected]>
Description:
btag - interactive command-line based multimedia tag editor
Closes: 662970
Changes:
btag (1.1.3-1) unstable; urgency=low
.
* New upstream release
* Bumped Standards-Version to 3.9.3 (no changes needed)
* Fixed the copyright format URL in debian/copyright
* Bumped the copyright years in debian/copyright
* Formatted debian/control with wrap-and-sort
* Imported changes from a patch submitted by Simon Ruderich (thanks!) to
enable all hardening flags and copy CPPFLAGS into CFLAGS/CXXFLAGS since
CMake doesn't use CPPFLAGS (Closes: #662970)
Checksums-Sha1:
7db729556f1a05d498176da10f5f2871c5d1dab3 1792 btag_1.1.3-1.dsc
77012a6e30173e959e0b6defe6848603969481e2 18950 btag_1.1.3.orig.tar.gz
7594dd06fda6ae820203042cc50e49f3a0f5be3c 2785 btag_1.1.3-1.debian.tar.gz
3fc288112ca0a69725a112ef8154ef1dcdbe3cd1 66144 btag_1.1.3-1_amd64.deb
Checksums-Sha256:
88c3592708a6f439acfe4c9483b0299b54d66b25e5b9bbfc69c4e53b110a3b01 1792 btag_1.1.3-1.dsc
63abde4910de327c1b6a4e6c57fc4cd0493dc18eb0821b389c9e86f438d28409 18950 btag_1.1.3.orig.tar.gz
15c4f477523a758a634a230fe68f09e2259a32766244b5ca3be10701f76c3039 2785 btag_1.1.3-1.debian.tar.gz
330f78a699df74dc2b203aadadfa542eeb3cd67d355bbf10a8729a295a4071ec 66144 btag_1.1.3-1_amd64.deb
Files:
071caacf3402dbba0fc29ae92226763f 1792 sound optional btag_1.1.3-1.dsc
45b6ef5e294b10602aa96c12c56f427f 18950 sound optional btag_1.1.3.orig.tar.gz
476560ddc257e3aa809a60dcf7186426 2785 sound optional btag_1.1.3-1.debian.tar.gz
f7640e9b8638bb0661ccec4e527cf7a8 66144 sound optional btag_1.1.3-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---