Your message dated Sun, 16 Sep 2012 20:10:12 +0930
with message-id <[email protected]>
and subject line Re: Bug#687704: speex: Hardening flags missing
has caused the Debian Bug report #687704,
regarding speex: Hardening flags missing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
687704: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687704
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: speex
Version: 1.2~rc1-6
Severity: normal
Tags: patch
Dear Maintainer,
Some hardening flags (format flags and relro on some archs) are
still missing because they are not set in debian/rules. For more
hardening information please have a look at [1], [2] and [3].
The attached patch fixes the issue by using dpkg-buildflags to
set the default flags. This automatically takes care of old
versions of dpkg-buildpackage setting different flags, handling
noopt and architectures which don't support certain hardening
flags (e.g. relro). -g and -O2 are also added by default (-O0
with noopt). And by using dpkg-buildflags future (hardening)
flags will be automatically added.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):
$ hardening-check /usr/bin/speexenc /usr/bin/speexdec
/usr/lib/x86_64-linux-gnu/libspeexdsp.so.1.5.0
/usr/lib/x86_64-linux-gnu/libspeex.so.1.5.0 ...
/usr/bin/speexenc:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/bin/speexdec:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/lib/x86_64-linux-gnu/libspeexdsp.so.1.5.0:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/lib/x86_64-linux-gnu/libspeex.so.1.5.0:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
...
(Position Independent Executable is not enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
diff -u speex-1.2~rc1/debian/rules speex-1.2~rc1/debian/rules
--- speex-1.2~rc1/debian/rules
+++ speex-1.2~rc1/debian/rules
@@ -18,31 +18,14 @@
DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+# dpkg-buildflags takes care of hardening flags, respects noopt and prevents
+# old versions of dpkg-buildpackage to interfere with the default flags.
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS="hardening=+all,-pie" dpkg-buildflags
+CPPFLAGS = $(shell $(dpkg_buildflags) --get CPPFLAGS)
+CFLAGS = $(shell $(dpkg_buildflags) --get CFLAGS) -Wall
+CXXFLAGS = $(shell $(dpkg_buildflags) --get CXXFLAGS)
+LDFLAGS = $(shell $(dpkg_buildflags) --get LDFLAGS)
-HARD_CPPFLAGS = -D_FORTIFY_SOURCE=2
-HARD_CFLAGS = -Wformat=2
-HARD_LDFLAGS = -z now
-
-ifneq (,$(filter-out $(DEB_HOST_ARCH), ia64 alpha mips mipsel hppa arm))
- HARD_CFLAGS += -fstack-protector --param ssp-buffer-size=4
-endif
-ifneq (,$(filter-out $(DEB_HOST_ARCH), ia64 hppa avr32))
- HARD_LDFLAGS += -z relro
-endif
-
-# Keep dpkg-buildpackage the hell out of messing with our compile flags,
-# we should trust upstream to know better than it what to use here.
-# We explicitly re-add -g and -O2 here, since not all configurations do
-# set it explicitly (and instead rely on autoconf's default of doing that,
-# which we override here when we set the hardening flags, if we do).
-CPPFLAGS = $(HARD_CPPFLAGS)
-CFLAGS = $(HARD_CFLAGS) -g -O2
-CXXFLAGS = $(HARD_CFLAGS) -g -O2
-LDFLAGS = $(HARD_LDFLAGS)
-
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
- CFLAGS = -Wall -g -O0
-endif
ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
INSTALL_PROGRAM += -s
endif
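Review bot: `-Wall` is appended to CFLAGS only, not to CXXFLAGS, so C and C++ objects no longer get the same warning set after this change; either add it to both `CFLAGS = $(shell $(dpkg_buildflags) --get CFLAGS) -Wall` and the CXXFLAGS line or drop it from CFLAGS. The new comment should also name the flags `hardening=+all,-pie` is expected to produce, since the removed lines documented them explicitly (`-D_FORTIFY_SOURCE=2`, `-Wformat=2`, `-fstack-protector --param ssp-buffer-size=4`, `-z relro`, `-z now`) and after the move into dpkg-buildflags nothing in the file records what is enabled; minor grammar in the same comment: "prevents old versions of dpkg-buildpackage from interfering".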
--- End Message ---
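The report above reads hardening-check output by eye; as an added example (not part of the bug report or the speex packaging), the shell function below parses that output and lists every file whose protection is reported as "no" without "(ignored)", optionally skipping PIE to mirror the `hardening=+all,-pie` choice in the patch. The sample report is constructed, modelled on the output quoted above; the function and argument names are this example's own.

```shell
# Constructed sample of hardening-check output (modelled on the report
# above; one executable and one shared library, values illustrative).
SAMPLE_REPORT='/usr/bin/speexenc:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/lib/x86_64-linux-gnu/libspeex.so.1.5.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes'

# hardening_gaps: read hardening-check output on stdin and print one
# "<file><TAB><check>" line per protection reported as "no" that is not
# marked "(ignored)". Pass "nopie" as $1 to skip the PIE check, matching
# a package built with hardening=+all,-pie. Works on indented and
# unindented output alike: a line ending in ":" names a file, any other
# line containing ": " is a check result.
hardening_gaps() {
    awk -v nopie="${1:-}" '
        /:$/ { file = $0; sub(/:$/, "", file); next }
        index($0, ": ") {
            split($0, kv, ": ")
            name = kv[1]; sub(/^[ \t]+/, "", name)
            value = kv[2]
            if (value ~ /^no/ && value !~ /\(ignored\)/ &&
                !(nopie == "nopie" && name == "Position Independent Executable"))
                printf "%s\t%s\n", file, name
        }'
}

# hardening_gap_count: number of gaps found in the sample report
# (0 means every non-ignored protection is present).
hardening_gap_count() {
    printf '%s\n' "$SAMPLE_REPORT" | hardening_gaps "${1:-}" | wc -l | tr -d ' '
}

# On a real build tree, feed the command from the report instead of the sample:
#   find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + \
#       | hardening_gaps nopie
```

With the sample above, `hardening_gaps nopie` reports only the missing stack protector on libspeex; without `nopie` it also flags speexenc as a non-PIE executable.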
--- Begin Message ---
Hi Simon,
On Sat, Sep 15, 2012 at 12:53:53PM +0200, Simon Ruderich wrote:
> Package: speex
> Version: 1.2~rc1-6
> Severity: normal
> Tags: patch
>
> Dear Maintainer,
>
> Some hardening flags (format flags and relro on some archs) are
> still missing because they are not set in debian/rules.
Do you have some actual evidence of that?
Since the patch you attached _removes_ the lines that set these
things from rules - I'd have thought the obvious incorrectness
of that statement would be obvious.
But you've given me no indication of whether this is just a form
letter that you've failed to edit, or if there is actually some
problem somewhere that you don't actually mention.
> The attached patch fixes the issue by using dpkg-buildflags to
> set the default flags.
The attached patch would appear to do nothing whatsoever except
make it entirely opaque as to what hardening flags will be applied.
(and if applied to some of my hardened packages, would actually
_remove_ some hardening flags that are presently applied too)
> This automatically takes care of old versions of dpkg-buildpackage
> setting different flags, handling noopt and architectures which
> don't support certain hardening flags (e.g. relro). -g and -O2
> are also added by default (-O0 with noopt).
Things which were already handled by the code your patch removes ...
> And by using dpkg-buildflags future (hardening) flags will be
> automatically added.
I don't think new flags should be automatically added without someone
actually testing things, and being aware that they are being added.
So far as I can see from what you've indicated here, you just indulged
in precisely the sort of voodoo fixery that specifying this openly and
explicitly was designed to avoid -- and have done so without actually
fixing or changing anything real at all ...
If there is something really missing or broken (aside from a false
positive from hardening-check), then please do explain clearly what
that is. Otherwise I see no bug here at all, and if there is one,
the patch that was attached wouldn't appear to fix it anyway.
Ron
[We could possibly make speex{enc,dec} pie, but it's not clear that
they have an attack surface which really makes that worth the effort
of patching upstream - and dpkg-buildflags isn't helpful for that
job either ... If we're going to worry about that, then these flags
should all be supplied by the upstream build itself and it dropped
from the rules file entirely.]
--- End Message ---