Your message dated Thu, 24 May 2012 11:48:12 +0000
with message-id <[email protected]>
and subject line Bug#655139: fixed in openswan 1:2.6.37-2
has caused the Debian Bug report #655139,
regarding Please enabled hardened build flags
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
655139: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655139
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openswan
Version: 1:2.6.37-1
Severity: important
Tags: patch

Please enable hardened build flags through dpkg-buildflags.

Patch attached. Building with the hardened build flags exposed
two cases of missing format strings, for which I attached a
patch as well.

Cheers,
        Moritz
diff -aur openswan-2.6.37.orig/debian/rules openswan-2.6.37/debian/rules
--- openswan-2.6.37.orig/debian/rules	2011-12-21 05:15:35.000000000 +0100
+++ openswan-2.6.37/debian/rules	2012-01-08 20:07:58.000000000 +0100
@@ -6,8 +6,11 @@
 #export DH_VERBOSE=1
 
 export DH_OPTIONS
-export CXXFLAGS = -fno-strict-aliasing
-export CFLAGS = -fno-strict-aliasing
+
+DPKG_EXPORT_BUILDFLAGS = 1
+DEB_CFLAGS_MAINT_APPEND=-fno-strict-aliasing
+DEB_CXXFLAGS_MAINT_APPEND=-fno-strict-aliasing
+include /usr/share/dpkg/buildflags.mk
 
 configure: configure-stamp
 configure-stamp:
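
Review bot: The added "include /usr/share/dpkg/buildflags.mk" line needs a versioned Build-Depends on dpkg-dev (the makefile snippets first shipped with dpkg 1.16.1), and this patch does not touch debian/control, so the build fails on an older dpkg-dev with a missing-include error. Please add the dependency in the same change. Also note that DPKG_EXPORT_BUILDFLAGS exports CPPFLAGS and LDFLAGS in addition to the CFLAGS and CXXFLAGS that were exported by hand before; the fortify define arrives through CPPFLAGS and relro through LDFLAGS, so it is worth checking a verbose build log to confirm the upstream makefiles actually pass both on. No DEB_BUILD_MAINT_OPTIONS is set here, so only the default hardening set is requested.
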
Nur in openswan-2.6.37/debian: rules~.
diff -aur openswan-2.6.37.orig/lib/libpluto/packet.c openswan-2.6.37/lib/libpluto/packet.c
--- openswan-2.6.37.orig/lib/libpluto/packet.c	2011-10-28 23:11:53.000000000 +0200
+++ openswan-2.6.37/lib/libpluto/packet.c	2012-01-08 20:13:27.000000000 +0100
@@ -1433,7 +1433,7 @@
     }
 
     /* some failure got us here: report it */
-    openswan_loglog(RC_LOG_SERIOUS, ugh);
+    openswan_loglog(RC_LOG_SERIOUS, "%s", ugh);
     return FALSE;
 }
 
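
Review bot: The change at the openswan_loglog() call edits lib/libpluto/packet.c in the upstream tree directly; for the package it should be carried as a separate patch under debian/patches with a short description and forwarded upstream, since the same non-literal format string exists there. The fix itself is the right one: with "%s" as the format, whatever text ends up in ugh is printed as data and can no longer be parsed for conversion specifiers.
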
@@ -1653,7 +1653,7 @@
     }
 
     /* some failure got us here: report it */
-    loglog(RC_LOG_SERIOUS, ugh);	/* ??? serious, but errno not relevant */
+    loglog(RC_LOG_SERIOUS, "%s", ugh);	/* ??? serious, but errno not relevant */
     return FALSE;
 }
 
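
Review bot: The removed line "loglog(RC_LOG_SERIOUS, ugh);" was caught only because it passes a non-literal format with no further arguments, which is the one pattern -Werror=format-security rejects. Calls that pass a non-literal format together with arguments still compile cleanly under the hardened flags, so a one-off build with -Wformat-nonliteral would show whether other loglog() or openswan_loglog() callers need the same treatment. The "Nur in ...: rules~" and "Nur in ...: packet.c~" lines in the diff output also show editor backup files in the patched tree; regenerating the patch from a clean tree would drop them.
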
Nur in openswan-2.6.37/lib/libpluto: packet.c~.

--- End Message ---
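
An added illustration, not part of the original message and not openswan code: why the hardened flags rejected the two call sites and what the "%s" form guarantees. demo_loglog(), report_failure() and the sample error string are hypothetical names and constructed data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logger such as loglog(). It formats
 * into a caller-supplied buffer so the result can be inspected. The format
 * attribute is what lets GCC/Clang check the format argument at call sites. */
static int demo_loglog(char *out, size_t outlen, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int demo_loglog(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Patched pattern: the format is a literal, the message is only data. */
static int report_failure(char *out, size_t outlen, const char *ugh)
{
    return demo_loglog(out, outlen, "%s", ugh);
}

#ifdef SHOW_UNSAFE
/* Pre-patch pattern: ugh is used as the format string. Compiled with
 * -Wformat -Werror=format-security (the "format" hardening feature of
 * dpkg-buildflags) this call is a hard error. Without the flag it builds,
 * and any conversion specifier inside ugh reads arguments never passed. */
static int report_failure_unsafe(char *out, size_t outlen, const char *ugh)
{
    return demo_loglog(out, outlen, ugh);
}
#endif

int main(void)
{
    char buf[128];
    /* Constructed sample: an error text that happens to contain specifiers. */
    const char *ugh = "bad payload: 100%s of length %x";
    int n = report_failure(buf, sizeof buf, ugh);
    printf("%d bytes, verbatim=%d: %s\n", n, strcmp(buf, ugh) == 0, buf);
    return 0;
}
```

Building with -DSHOW_UNSAFE -Wformat -Werror=format-security reproduces the kind of compile error the hardened build raised.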
--- Begin Message ---
Source: openswan
Source-Version: 1:2.6.37-2

We believe that the bug you reported is fixed in the latest version of
openswan, which is due to be installed in the Debian FTP archive:

openswan-dbg_2.6.37-2_amd64.deb
  to main/o/openswan/openswan-dbg_2.6.37-2_amd64.deb
openswan-doc_2.6.37-2_all.deb
  to main/o/openswan/openswan-doc_2.6.37-2_all.deb
openswan-modules-dkms_2.6.37-2_amd64.deb
  to main/o/openswan/openswan-modules-dkms_2.6.37-2_amd64.deb
openswan-modules-source_2.6.37-2_all.deb
  to main/o/openswan/openswan-modules-source_2.6.37-2_all.deb
openswan_2.6.37-2.debian.tar.gz
  to main/o/openswan/openswan_2.6.37-2.debian.tar.gz
openswan_2.6.37-2.dsc
  to main/o/openswan/openswan_2.6.37-2.dsc
openswan_2.6.37-2_amd64.deb
  to main/o/openswan/openswan_2.6.37-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Harald Jenny <[email protected]> (supplier of updated openswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 14 May 2012 22:22:55 +0200
Source: openswan
Binary: openswan openswan-dbg openswan-doc openswan-modules-source openswan-modules-dkms
Architecture: source all amd64
Version: 1:2.6.37-2
Distribution: unstable
Urgency: low
Maintainer: Rene Mayrhofer <[email protected]>
Changed-By: Harald Jenny <[email protected]>
Description: 
 openswan   - Internet Key Exchange daemon
 openswan-dbg - Internet Key Exchange daemon - debugging symbols
 openswan-doc - Internet Key Exchange daemon - documentation
 openswan-modules-dkms - Internet Key Exchange daemon - DKMS source
 openswan-modules-source - Internet Key Exchange daemon - kernel module source
Closes: 655139
Changes: 
 openswan (1:2.6.37-2) unstable; urgency=low
 .
   [Harald Jenny]
   * Finally migrated all patches to quilt, cleaned up debian rules file a
     little bit, removed build dependency on dpatch and corresponding lintian
     override.
   * Integrated patches for hardening build flags and missing format strings
     (thanks to Moritz Muehlenhoff for his patches), added required versioned
     build dependency on dpkg-dev and enabled all hardening options.
     Closes: #655139: Please enabled hardened build flags

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk+7XSIACgkQq7SPDcPCS95fwQCeODD94lAv/FyyCyg6CF7ev8iB
rU0An23GkxtI5XHjJIcetzojTk5hRb1H
=A0SA
-----END PGP SIGNATURE-----



--- End Message ---
