Your message dated Sat, 26 May 2012 08:47:15 +0000
with message-id <[email protected]>
and subject line Bug#674537: fixed in aria2 1.15.0-2
has caused the Debian Bug report #674537,
regarding Hardening build flags are applied only partially
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
674537: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674537
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: aria2
Version: 1.15.0-1
Severity: normal

I looked at the build logs, and they show that Fortify Source
(-D_FORTIFY_SOURCE=2) is missing from the compile flags. And mostly flags
are ignored.

When compiling in this directory other hardening features are enabled:

make[7]: Entering directory
`/build/buildd-aria2_1.15.0-1-i386-oexzB9/aria2-1.15.0/deps/wslay/lib'
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I..
-DHAVE_CONFIG_H -I./includes -I./includes  -Wall -g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -MT wslay_frame.lo -MD -MP -MF
.deps/wslay_frame.Tpo -c -o wslay_frame.lo wslay_frame.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -DHAVE_CONFIG_H -I./includes
-I./includes -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4
-Wformat -Wformat-security -Werror=format-security -MT wslay_frame.lo -MD
-MP -MF .deps/wslay_frame.Tpo -c wslay_frame.c -o wslay_frame.o

But when entering directory src it seems that no hardening is enabled.

Making all in src
make[3]: Entering directory
`/build/buildd-aria2_1.15.0-1-i386-oexzB9/aria2-1.15.0/src'
g++ -DHAVE_CONFIG_H -I. -I..  -Wall -I../lib -I../intl
-DLOCALEDIR=\"/usr/share/locale\"
-DCA_BUNDLE=\"/etc/ssl/certs/ca-certificates.crt\" -DHAVE_CONFIG_H
-I../deps/wslay/lib/includes -I../deps/wslay/lib/includes
-I/usr/include/p11-kit-1     -I/usr/include/libxml2   -g -O2 -MT
SocketCore.o -MD -MP -MF .deps/SocketCore.Tpo -c -o SocketCore.o
SocketCore.cc

Here are some links that may help:
http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
http://wiki.debian.org/Hardening
http://wiki.debian.org/HardeningWalkthrough



--- End Message ---
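The comparison the report makes by eye between the two build-log excerpts can be automated. The following is an added example, not part of the original report or of the aria2 packaging: it scans a build log for compiler invocations and lists which of the hardening flags named in the report are absent from each. The function names are hypothetical, and the sample log is constructed from the report's excerpts.

```python
import re
import shlex

# Flags the report looks for, keyed to the dpkg-buildflags variable carrying each.
REQUIRED = {
    "-D_FORTIFY_SOURCE=2": "CPPFLAGS",
    "-fstack-protector": "CFLAGS/CXXFLAGS",
    "-Wformat": "CFLAGS/CXXFLAGS",
    "-Werror=format-security": "CFLAGS/CXXFLAGS",
}
COMPILER = re.compile(r"^(gcc|g\+\+|cc|c\+\+|clang|clang\+\+)(-[\d.]+)?$")
SOURCE = re.compile(r"\.(c|cc|cpp|cxx)$")

# Constructed sample: the report's two excerpts, unwrapped and shortened.
SAMPLE_LOG = """\
make[7]: Entering directory `/build/aria2-1.15.0/deps/wslay/lib'
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c wslay_frame.c -o wslay_frame.o
make[3]: Entering directory `/build/aria2-1.15.0/src'
g++ -DHAVE_CONFIG_H -I. -I.. -Wall -g -O2 -MT SocketCore.o -c -o SocketCore.o SocketCore.cc
"""

def compile_commands(log_text):
    """Yield (source_file, argv) for each compiler invocation in a build log."""
    for line in log_text.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quote (e.g. make's `dir' lines): not a command
        # libtool echoes the real command after this prefix; use that copy.
        if argv[:2] == ["libtool:", "compile:"]:
            argv = argv[2:]
        if not argv or not COMPILER.match(argv[0]) or "-c" not in argv:
            continue
        sources = [a for a in argv if SOURCE.search(a)]
        if sources:
            yield sources[-1], argv

def missing_hardening(log_text):
    """Map each source file to the required flags absent from its compile line."""
    report = {}
    for source, argv in compile_commands(log_text):
        absent = {flag: var for flag, var in REQUIRED.items() if flag not in argv}
        if absent:
            report[source] = absent
    return report

if __name__ == "__main__":
    for source, absent in missing_hardening(SAMPLE_LOG).items():
        print(f"{source}: missing {', '.join(absent)}")
```

On the sample, the wslay compile line lacks only the CPPFLAGS entry, while the src compile line lacks every flag. Debian's `blhc` tool performs a fuller version of this check on real build logs.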
--- Begin Message ---
Source: aria2
Source-Version: 1.15.0-2

We believe that the bug you reported is fixed in the latest version of
aria2, which is due to be installed in the Debian FTP archive:

aria2_1.15.0-2.debian.tar.gz
  to main/a/aria2/aria2_1.15.0-2.debian.tar.gz
aria2_1.15.0-2.dsc
  to main/a/aria2/aria2_1.15.0-2.dsc
aria2_1.15.0-2_amd64.deb
  to main/a/aria2/aria2_1.15.0-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kartik Mistry <[email protected]> (supplier of updated aria2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 25 May 2012 17:55:28 +0530
Source: aria2
Binary: aria2
Architecture: source amd64
Version: 1.15.0-2
Distribution: unstable
Urgency: low
Maintainer: Patrick Ruckstuhl <[email protected]>
Changed-By: Kartik Mistry <[email protected]>
Description: 
 aria2      - High speed download utility
Closes: 674537
Changes: 
 aria2 (1.15.0-2) unstable; urgency=low
 .
   * debian/control, debian/rules:
     + Used proper dpkg-buildflags for hardening (Closes: #674537)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk/Akq8ACgkQoRg/jtECjI0MQACdEGlm5qzVg3H296dDwz+ceF30
SHcAoK24UVLwEZTeyms0fVXno5OavCGY
=miCM
-----END PGP SIGNATURE-----



--- End Message ---
