Your message dated Sun, 27 May 2012 09:00:46 +0000
with message-id <[email protected]>
and subject line Bug#655139: fixed in openswan 1:2.6.37-3
has caused the Debian Bug report #655139,
regarding Please enabled hardened build flags
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
655139: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655139
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openswan
Version: 1:2.6.37-1
Severity: important
Tags: patch
Please enable hardened build flags through dpkg-buildflags.
Patch attached. Building with the hardened build flags exposed
two cases of missing format strings, for which I attached a
patch as well.
Cheers,
Moritz
diff -aur openswan-2.6.37.orig/debian/rules openswan-2.6.37/debian/rules
--- openswan-2.6.37.orig/debian/rules 2011-12-21 05:15:35.000000000 +0100
+++ openswan-2.6.37/debian/rules 2012-01-08 20:07:58.000000000 +0100
@@ -6,8 +6,11 @@
#export DH_VERBOSE=1
export DH_OPTIONS
-export CXXFLAGS = -fno-strict-aliasing
-export CFLAGS = -fno-strict-aliasing
+
+DPKG_EXPORT_BUILDFLAGS = 1
+DEB_CFLAGS_MAINT_APPEND=-fno-strict-aliasing
+DEB_CXXFLAGS_MAINT_APPEND=-fno-strict-aliasing
+include /usr/share/dpkg/buildflags.mk
configure: configure-stamp
configure-stamp:
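Review bot: exporting the flags here does not by itself harden the build, because the hunk relies on the upstream Makefiles picking up CPPFLAGS and LDFLAGS from the environment, and dpkg-buildflags puts -D_FORTIFY_SOURCE=2 in CPPFLAGS rather than CFLAGS. The 1:2.6.37-3 changelog later in this report confirms the gap: CPPFLAGS had to be passed into CFLAGS before the openswan Makefiles used the hardening options. Suggest appending $(CPPFLAGS) to CFLAGS after the include line, or checking a verbose build log for the fortify and relro options before closing the bug. Also worth confirming that the two DEB_*_MAINT_APPEND assignments, which unlike the lines they replace are not exported, are seen by buildflags.mk.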
Nur in openswan-2.6.37/debian: rules~.
diff -aur openswan-2.6.37.orig/lib/libpluto/packet.c openswan-2.6.37/lib/libpluto/packet.c
--- openswan-2.6.37.orig/lib/libpluto/packet.c 2011-10-28 23:11:53.000000000 +0200
+++ openswan-2.6.37/lib/libpluto/packet.c 2012-01-08 20:13:27.000000000 +0100
@@ -1433,7 +1433,7 @@
}
/* some failure got us here: report it */
- openswan_loglog(RC_LOG_SERIOUS, ugh);
+ openswan_loglog(RC_LOG_SERIOUS, "%s", ugh);
return FALSE;
}
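Review bot: in the changed openswan_loglog call the "%s" is the right fix, but neither the hunk nor the report says where ugh gets its text. If any part of that string can carry data derived from a received packet, the old call would have interpreted every % conversion in it, and the changelog should then describe this as a security fix and not only as a build-warning cleanup. A sentence in the commit message on the origin of ugh at this call site would settle it.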
@@ -1653,7 +1653,7 @@
}
/* some failure got us here: report it */
- loglog(RC_LOG_SERIOUS, ugh); /* ??? serious, but errno not relevant */
+ loglog(RC_LOG_SERIOUS, "%s", ugh); /* ??? serious, but errno not relevant */
return FALSE;
}
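Review bot: the loglog call here has the same defect as the openswan_loglog call in the previous hunk, and both were found only because the compiler warned. -Wformat-security checks only functions it knows take a printf-style format, so a logging wrapper declared without a printf format attribute would not have been reported. Suggest confirming that loglog, openswan_loglog and the other variadic logging functions carry that attribute, and searching the tree for remaining calls that pass a variable as the format argument.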
Nur in openswan-2.6.37/lib/libpluto: packet.c~.
--- End Message ---
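The call shape that the packet.c hunks in this report correct, as an added C example that is not part of the original message or of openswan's code. The names demo_loglog, report_failure and live_conversions are hypothetical, and the diagnostic string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_line[256];   /* last rendered log line, kept for inspection */

/* Hypothetical loglog()-style logger. The format attribute is what lets
 * -Wformat-security flag a call such as demo_loglog(rc, ugh). */
static int demo_loglog(int rc, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));

static int demo_loglog(int rc, const char *fmt, ...)
{
    va_list ap;
    (void)rc;
    va_start(ap, fmt);
    int n = vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    return n;
}

/* Number of conversion specifications a printf-family function would act on
 * if s were passed as the format: every '%' that is not part of "%%". */
static int live_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Fixed call shape from the patch: the diagnostic is data, never the format. */
static const char *report_failure(const char *ugh)
{
    demo_loglog(1, "%s", ugh);
    return last_line;
}

int main(void)
{
    const char *ugh = "payload length 40%x exceeds %s";   /* constructed */
    printf("conversions if used as format: %d\n", live_conversions(ugh));
    printf("logged: %s\n", report_failure(ugh));
    return 0;
}
```

Compiling a variant that calls demo_loglog(1, ugh) with -Wformat -Wformat-security produces the warning that led to the two fixes above.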
--- Begin Message ---
Source: openswan
Source-Version: 1:2.6.37-3
We believe that the bug you reported is fixed in the latest version of
openswan, which is due to be installed in the Debian FTP archive:
openswan-dbg_2.6.37-3_amd64.deb
to main/o/openswan/openswan-dbg_2.6.37-3_amd64.deb
openswan-doc_2.6.37-3_all.deb
to main/o/openswan/openswan-doc_2.6.37-3_all.deb
openswan-modules-dkms_2.6.37-3_amd64.deb
to main/o/openswan/openswan-modules-dkms_2.6.37-3_amd64.deb
openswan-modules-source_2.6.37-3_all.deb
to main/o/openswan/openswan-modules-source_2.6.37-3_all.deb
openswan_2.6.37-3.debian.tar.gz
to main/o/openswan/openswan_2.6.37-3.debian.tar.gz
openswan_2.6.37-3.dsc
to main/o/openswan/openswan_2.6.37-3.dsc
openswan_2.6.37-3_amd64.deb
to main/o/openswan/openswan_2.6.37-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Rene Mayrhofer <[email protected]> (supplier of updated openswan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 27 May 2012 10:03:00 +0200
Source: openswan
Binary: openswan openswan-dbg openswan-doc openswan-modules-source
openswan-modules-dkms
Architecture: source all amd64
Version: 1:2.6.37-3
Distribution: unstable
Urgency: low
Maintainer: Rene Mayrhofer <[email protected]>
Changed-By: Rene Mayrhofer <[email protected]>
Description:
openswan - Internet Key Exchange daemon
openswan-dbg - Internet Key Exchange daemon - debugging symbols
openswan-doc - Internet Key Exchange daemon - documentation
openswan-modules-dkms - Internet Key Exchange daemon - DKMS source
openswan-modules-source - Internet Key Exchange daemon - kernel module source
Closes: 655139
Changes:
openswan (1:2.6.37-3) unstable; urgency=low
.
* Actually need to pass CPPFLAGS to CFLAGS for the openswan Makefiles
to use the hardening options. Thanks to Simon Ruderich for pointing
this out.
Really Closes: #655139
* Remove Build-Deps on man2html and htmldoc, they have not been used
for a while now by the openswan Makefiles.
--- End Message ---