Your message dated Mon, 17 Sep 2012 03:47:50 +0000
with message-id <[email protected]>
and subject line Bug#687503: fixed in unar 1.2-2
has caused the Debian Bug report #687503,
regarding unar: CPPFLAGS hardening flags missing for .m and .cpp files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
687503: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687503
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unar
Version: 1.2-1
Severity: normal
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing for .m and .cpp files
because they are not enabled for all *FLAGS in the Makefile. For
more hardening information please have a look at [1], [2] and
[3].

The attached patch is an updated version of
pass-cppflags-for-fortify-functions.patch which fixes the issue.
The revised version should be sent to upstream.

CPPFLAGS are preprocessor flags and should be used for all source
files which use a preprocessor; this includes .m and .cpp files.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):

    $ hardening-check /usr/bin/unar /usr/bin/lsar
    /usr/bin/unar:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/lsar:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

You can see the difference if you add --verbose and check it
without and with the patch.

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Pass CPPFLAGS to use hardening flags, fortify functions.
Forwarded: http://code.google.com/p/theunarchiver/issues/detail?id=529
Author: Julián Moreno Patiño <[email protected]>
Last-Update: 2012-09-08
Index: unar-1.2/UniversalDetector/Makefile.linux
===================================================================
--- unar-1.2.orig/UniversalDetector/Makefile.linux	2012-09-06 14:02:39.000000000 +0200
+++ unar-1.2/UniversalDetector/Makefile.linux	2012-09-13 12:47:53.051756723 +0200
@@ -31,9 +31,9 @@
 
 AUTODEPENDENCY_CFLAGS=-MMD -MF$(@:.o=.d) -MT$@
 
-ALL_OBJCFLAGS = $(OBJC_OPTS) $(GCC_OPTS) $(GNUSTEP_OPTS) $(OBJCFLAGS)
-ALL_CFLAGS = $(C_OPTS) $(GCC_OPTS) $(CFLAGS)
-ALL_CXXFLAGS = $(CXX_OPTS) $(GCC_OPTS) $(CXXFLAGS)
+ALL_OBJCFLAGS = $(OBJC_OPTS) $(GCC_OPTS) $(GNUSTEP_OPTS) $(OBJCFLAGS) $(CPPFLAGS)
+ALL_CFLAGS = $(C_OPTS) $(GCC_OPTS) $(CFLAGS) $(CPPFLAGS)
+ALL_CXXFLAGS = $(CXX_OPTS) $(GCC_OPTS) $(CXXFLAGS) $(CPPFLAGS)
 
 # Options for linking
 
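Review bot: appending $(CPPFLAGS) at the end of ALL_OBJCFLAGS, ALL_CFLAGS and ALL_CXXFLAGS does get -D_FORTIFY_SOURCE=2 onto the .m, .c and .cpp compiles, but the conventional order (and the one GNU make's implicit rules use) is preprocessor flags first, e.g. `ALL_CFLAGS = $(CPPFLAGS) $(C_OPTS) $(GCC_OPTS) $(CFLAGS)`, so that -I and -D options from the build environment are seen before the project's own $(GCC_OPTS) rather than after them; for the hardening macro alone either position works. The hunk does not show the pattern rules that compile .m and .cpp objects, so it is worth confirming that every such rule actually expands these ALL_* variables, otherwise the added $(CPPFLAGS) is never used.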
Index: unar-1.2/XADMaster/Makefile.linux
===================================================================
--- unar-1.2.orig/XADMaster/Makefile.linux	2012-09-13 12:40:06.000000000 +0200
+++ unar-1.2/XADMaster/Makefile.linux	2012-09-13 12:44:03.639747990 +0200
@@ -31,9 +31,9 @@
 
 AUTODEPENDENCY_CFLAGS=-MMD -MF$(@:.o=.d) -MT$@
 
-ALL_OBJCFLAGS = $(OBJC_OPTS) $(GCC_OPTS) $(GNUSTEP_OPTS) $(OBJCFLAGS)
-ALL_CFLAGS = $(C_OPTS) $(GCC_OPTS) $(CFLAGS)
-ALL_CXXFLAGS = $(CXX_OPTS) $(GCC_OPTS) $(CXXFLAGS)
+ALL_OBJCFLAGS = $(OBJC_OPTS) $(GCC_OPTS) $(GNUSTEP_OPTS) $(OBJCFLAGS) $(CPPFLAGS)
+ALL_CFLAGS = $(C_OPTS) $(GCC_OPTS) $(CFLAGS) $(CPPFLAGS)
+ALL_CXXFLAGS = $(CXX_OPTS) $(GCC_OPTS) $(CXXFLAGS) $(CPPFLAGS)
 
 # Options for linking
 
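Review bot: this is the same three-line change as in UniversalDetector/Makefile.linux, applied to a second copy of the same Makefile, which means any later flag change has to be made in both places and can again be missed in one of them. Since the Forwarded: header points at an upstream issue, suggest asking upstream to move the shared ALL_*FLAGS definitions into one included Makefile fragment so the Debian patch only has to touch a single file; the ordering remark from the first hunk applies here unchanged.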

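As an added example (not code from the bug report, from blhc or from the unar package), a minimal blhc-style check that scans the compiler lines of a build log and reports which dpkg-buildflags hardening flags each source file was compiled without, which is how the missing CPPFLAGS on .m and .cpp files shows up in practice. The log lines and file names are constructed, and the required-flag list assumes the 2012 Debian defaults (PIE and -Wl,-z,now are not required, as the report notes).

```python
"""Minimal blhc-style build-log hardening check (added example; not code
from the bug report, from blhc, or from unar).  Each compiler invocation
is checked for the flags dpkg-buildflags emits by default (assumption:
2012 defaults), per source file, so a missing CPPFLAGS on .m/.cpp is visible."""
import re

REQUIRED_FLAGS = (
    "-fstack-protector",        # CFLAGS
    "-Wformat",                 # CFLAGS
    "-Werror=format-security",  # CFLAGS
    "-D_FORTIFY_SOURCE=2",      # CPPFLAGS: the one missing for .m/.cpp in this bug
)
SOURCE_EXTS = (".c", ".m", ".mm", ".cpp", ".cc", ".cxx")
COMPILER_RE = re.compile(r"^(?:.*/)?(?:cc|gcc|g\+\+|c\+\+|clang|clang\+\+)(?:-[\d.]+)?$")

# Constructed build log; the source file names are placeholders, not real unar files.
# CPPFLAGS reach the .c file but not the .m and .cpp files, mirroring the report.
BUILD_LOG = """\
gcc -std=gnu99 -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c UniversalDetector/example.c -o example.o
gcc -x objective-c -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fobjc-exceptions -c XADMaster/Example.m -o Example.o
g++ -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c UniversalDetector/Example.cpp -o Example2.o
gcc -O0 -g -fstack-protector -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c XADMaster/Debug.c -o Debug.o
gcc -o unar example.o Example.o Example2.o Debug.o -Wl,-z,relro
"""


def check_compile_line(argv):
    """Return the list of problems for one compiler invocation (empty if clean)."""
    problems = [flag for flag in REQUIRED_FLAGS if flag not in argv]
    # _FORTIFY_SOURCE only does anything when the optimiser runs; the last -O wins.
    opt = next((a for a in reversed(argv) if a.startswith("-O")), "-O0")
    if "-D_FORTIFY_SOURCE=2" in argv and opt == "-O0":
        problems.append("-D_FORTIFY_SOURCE=2 is ineffective at -O0")
    return problems


def check_build_log(log):
    """Map each compiled source file to its problems; link-only steps are skipped."""
    report = {}
    for line in log.splitlines():
        argv = line.split()
        if not argv or not COMPILER_RE.match(argv[0]) or "-c" not in argv:
            continue  # not a compile step
        for src in (a for a in argv[1:] if a.endswith(SOURCE_EXTS)):
            problems = check_compile_line(argv)
            if problems:
                report[src] = problems
    return report


if __name__ == "__main__":
    for src, problems in check_build_log(BUILD_LOG).items():
        print(f"{src}: {', '.join(problems)}")
```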

--- End Message ---
--- Begin Message ---
Source: unar
Source-Version: 1.2-2

We believe that the bug you reported is fixed in the latest version of
unar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julián Moreno Patiño <[email protected]> (supplier of updated unar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sun, 16 Sep 2012 22:10:27 -0500
Source: unar
Binary: unar
Architecture: source i386
Version: 1.2-2
Distribution: unstable
Urgency: low
Maintainer: Matt Kraai <[email protected]>
Changed-By: Julián Moreno Patiño <[email protected]>
Description: 
 unar       - Unarchiver for a variety of file formats
Closes: 687503
Changes: 
 unar (1.2-2) unstable; urgency=low
 .
   * d/patches/pass-cppflags-for-fortify-functions.patch
     Pass CFLAGS properly. (Closes: #687503)


--- End Message ---
