Your message dated Mon, 28 May 2012 15:17:44 +0000
with message-id <[email protected]>
and subject line Bug#674537: fixed in aria2 1.15.1-1
has caused the Debian Bug report #674537,
regarding Hardening build flags are applied only partially
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
674537: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674537
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: aria2
Version: 1.15.0-1
Severity: normal

I looked at the build logs and they show that Fortify Source (-D_FORTIFY_SOURCE=2)
is missing from the compile flags. And mostly the flags are ignored.

When compiling in this directory, other hardening features are enabled:

make[7]: Entering directory
`/build/buildd-aria2_1.15.0-1-i386-oexzB9/aria2-1.15.0/deps/wslay/lib'
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I..
-DHAVE_CONFIG_H -I./includes -I./includes  -Wall -g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -MT wslay_frame.lo -MD -MP -MF
.deps/wslay_frame.Tpo -c -o wslay_frame.lo wslay_frame.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -DHAVE_CONFIG_H -I./includes
-I./includes -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4
-Wformat -Wformat-security -Werror=format-security -MT wslay_frame.lo -MD
-MP -MF .deps/wslay_frame.Tpo -c wslay_frame.c -o wslay_frame.o

But when entering directory src it seems that no hardening is enabled.

Making all in src
make[3]: Entering directory
`/build/buildd-aria2_1.15.0-1-i386-oexzB9/aria2-1.15.0/src'
g++ -DHAVE_CONFIG_H -I. -I..  -Wall -I../lib -I../intl
-DLOCALEDIR=\"/usr/share/locale\"
-DCA_BUNDLE=\"/etc/ssl/certs/ca-certificates.crt\" -DHAVE_CONFIG_H
-I../deps/wslay/lib/includes -I../deps/wslay/lib/includes
-I/usr/include/p11-kit-1     -I/usr/include/libxml2   -g -O2 -MT
SocketCore.o -MD -MP -MF .deps/SocketCore.Tpo -c -o SocketCore.o
SocketCore.cc

Here are some links that may help:
http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
http://wiki.debian.org/Hardening
http://wiki.debian.org/HardeningWalkthrough



--- End Message ---
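
Added example, not part of the bug report or of any Debian or aria2 tooling: a Python check that automates the build-log inspection described in the report above, listing compile commands that lack the hardening flags visible in the quoted log. The sample log is constructed by unwrapping and abridging the two commands from the report (build paths shortened); all function and variable names are this example's own.

```python
import re
import shlex

# Flag groups to look for, taken from the build log quoted in the report.
REQUIRED = {
    "fortify": lambda a: "-D_FORTIFY_SOURCE=2" in a,
    "stack-protector": lambda a: any(x.startswith("-fstack-protector") for x in a),
    "format-security": lambda a: "-Werror=format-security" in a,
}
COMPILERS = {"gcc", "g++", "cc", "c++"}
SOURCE_EXT = (".c", ".cc", ".cpp", ".cxx")
ENTER = re.compile(r"Entering directory [`'](.+?)'")

# Constructed sample: the report's two compile commands, unwrapped and abridged.
SAMPLE_LOG = """\
make[7]: Entering directory `/build/aria2-1.15.0/deps/wslay/lib'
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c wslay_frame.c -o wslay_frame.o
make[3]: Entering directory `/build/aria2-1.15.0/src'
g++ -DHAVE_CONFIG_H -I. -Wall -I../lib -g -O2 -c -o SocketCore.o SocketCore.cc
"""

def audit(log_text):
    """Return (directory, source file, missing flag groups) per weak compile command."""
    findings, cwd = [], "?"
    for line in log_text.splitlines():
        m = ENTER.search(line)
        if m:                        # remember which directory make is in
            cwd = m.group(1)
            continue
        line = line.replace("libtool: compile:", "", 1).strip()
        words = line.split()
        # Only compile steps (-c) are checked; link steps need an LDFLAGS check.
        if not words or words[0] not in COMPILERS or "-c" not in words:
            continue
        argv = shlex.split(line)     # honours quoting such as -DX=\"...\"
        missing = [name for name, ok in REQUIRED.items() if not ok(argv)]
        if missing:
            src = next((a for a in argv if a.endswith(SOURCE_EXT)), "?")
            findings.append((cwd, src, missing))
    return findings

if __name__ == "__main__":
    for cwd, src, missing in audit(SAMPLE_LOG):
        print(f"{cwd}/{src}: missing {', '.join(missing)}")
```
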
--- Begin Message ---
Source: aria2
Source-Version: 1.15.1-1

We believe that the bug you reported is fixed in the latest version of
aria2, which is due to be installed in the Debian FTP archive:

aria2_1.15.1-1.debian.tar.gz
  to main/a/aria2/aria2_1.15.1-1.debian.tar.gz
aria2_1.15.1-1.dsc
  to main/a/aria2/aria2_1.15.1-1.dsc
aria2_1.15.1-1_amd64.deb
  to main/a/aria2/aria2_1.15.1-1_amd64.deb
aria2_1.15.1.orig.tar.bz2
  to main/a/aria2/aria2_1.15.1.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kartik Mistry <[email protected]> (supplier of updated aria2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 28 May 2012 11:45:00 +0530
Source: aria2
Binary: aria2
Architecture: source amd64
Version: 1.15.1-1
Distribution: unstable
Urgency: low
Maintainer: Patrick Ruckstuhl <[email protected]>
Changed-By: Kartik Mistry <[email protected]>
Description: 
 aria2      - High speed download utility
Closes: 674537
Changes: 
 aria2 (1.15.1-1) unstable; urgency=low
 .
   * New upstream release.
   * debian/rules:
     + Applied patch from Simon Ruderich <[email protected]> to fix partial
       hardening flags (Closes: #674537)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk/DiqcACgkQoRg/jtECjI0nxACfeozDtcHqw5Q5aElMauo/xmbQ
uAcAn1TBEtR4rT07+Wo9NMBvCNmNgBuW
=+10x
-----END PGP SIGNATURE-----



--- End Message ---
