Your message dated Sat, 12 Jan 2013 16:47:32 +0000
with message-id <[email protected]>
and subject line Bug#665209: fixed in ctdb 2.1-1
has caused the Debian Bug report #665209,
regarding ctdb: Hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
665209: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665209
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ctdb
Version: 1.12+git20120201-2
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags are missing because the build system ignores
them; LDFLAGS in a few places, CPPFLAGS completely.

The following _and_ the attached patch (use-ldflags.patch) fix
the issue. If possible it should be sent upstream.

diff -Nru ctdb-1.12+git20120201/debian/rules ctdb-1.12+git20120201/debian/rules
--- ctdb-1.12+git20120201/debian/rules  2011-11-06 17:22:42.000000000 +0100
+++ ctdb-1.12+git20120201/debian/rules  2012-03-22 16:20:49.000000000 +0100
@@ -3,7 +3,9 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
-export DEB_CFLAGS_MAINT_APPEND  := -Wall
+# The build system doesn't use CPPFLAGS, pass them to CFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND  := -Wall $(shell dpkg-buildflags --get 
CPPFLAGS)
 export DEB_BUILD_MAINT_OPTIONS := hardening=+bindnow
 
 DESTDIR=$(CURDIR)/debian/tmp
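
Review bot: the added `+export DEB_CFLAGS_MAINT_APPEND` line is split across two lines in this mail (`--get` ends one line and `CPPFLAGS)` starts the next without a diff marker), so the hunk as pasted no longer matches its `@@ -3,7 +3,9 @@` header and will not apply; rejoin it into a single line before applying. The new comment could also say that this is a workaround to drop once the upstream build system honours CPPFLAGS.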

The second attached patch (verbose-build.patch) enables a verbose
build so missing (hardening) flags can be (automatically)
detected. Please apply it too.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/smnotify /usr/bin/ping_pong /usr/bin/ltdbtool ...
    /usr/bin/smnotify:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/ping_pong:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/ltdbtool:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    ...

(Position Independent Executable is not enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Add missing LDFLAGS.
 Necessary for hardening flags.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-22

Index: ctdb-1.12+git20120201/Makefile.in
===================================================================
--- ctdb-1.12+git20120201.orig/Makefile.in	2012-03-22 16:36:00.849448791 +0100
+++ ctdb-1.12+git20120201/Makefile.in	2012-03-22 16:37:53.777453089 +0100
@@ -150,7 +150,7 @@
 
 bin/ltdbtool: tools/ltdbtool.o @TDB_OBJ@
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ $+
+	@$(CC) $(CFLAGS) -o $@ $+$  $(LIB_FLAGS)
 
 bin/smnotify: utils/smnotify/gen_xdr.o utils/smnotify/gen_smnotify.o utils/smnotify/smnotify.o $(POPT_OBJ)
 	@echo Linking $@
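
Review bot: in the new bin/ltdbtool link line, `$+$  $(LIB_FLAGS)` has a stray `$` after `$+`. GNU make will most likely read `$` followed by a space as a reference to an undefined variable and expand it to nothing, so the link still works, but it reads as a typo; suggest `$+ $(LIB_FLAGS)`.
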
@@ -172,7 +172,7 @@
 
 bin/ping_pong: utils/ping_pong/ping_pong.o
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ utils/ping_pong/ping_pong.o
+	@$(CC) $(CFLAGS) -o $@ utils/ping_pong/ping_pong.o $(LIB_FLAGS)
 
 bin/pmdactdb: $(CTDB_CLIENT_OBJ) utils/pmda/pmda_ctdb.o
 	@echo Linking $@
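
Review bot: the patch header promises LDFLAGS, but the bin/ping_pong line gains `$(LIB_FLAGS)`, and the definition of LIB_FLAGS is not part of this patch. If it also carries the `-l` library list, ping_pong is now linked against libraries it did not use before; either state in the description that LIB_FLAGS includes LDFLAGS, or pass `$(LDFLAGS)` here directly.
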
Description: Display compiler commands.
 Necessary to detect missing (hardening) flags (automatically).
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-22

Index: ctdb-1.12+git20120201/Makefile.in
===================================================================
--- ctdb-1.12+git20120201.orig/Makefile.in	2012-03-22 16:34:51.000000000 +0100
+++ ctdb-1.12+git20120201/Makefile.in	2012-03-22 16:35:51.465448434 +0100
@@ -116,24 +116,24 @@
 .c.o:
 	@echo Compiling $*.c
 	@mkdir -p `dirname $@`
-	@$(CC) $(CFLAGS) -c $< -o $@
+	$(CC) $(CFLAGS) -c $< -o $@
 
 dirs:
 	@mkdir -p $(DIRS)
 
 bin/ctdbd: $(CTDB_SERVER_OBJ)
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ $(CTDB_SERVER_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ $(CTDB_SERVER_OBJ) $(LIB_FLAGS)
 
 libctdb/libctdb.a: $(CTDB_LIB_OBJ)
 	@echo Linking $@
-	-rm -f libctdb.a
-	@$(AR) $(ARFLAGS) libctdb/libctdb.a $(CTDB_LIB_OBJ)
-	@$(RANLIB) libctdb/libctdb.a
+	-@rm -f libctdb.a
+	$(AR) $(ARFLAGS) libctdb/libctdb.a $(CTDB_LIB_OBJ)
+	$(RANLIB) libctdb/libctdb.a
 
 libctdb/libctdb.so.0: $(CTDB_LIB_OBJ)
 	@echo Linking $@
-	@$(SHLD) -Wl,-soname=libctdb.so.0 $(CTDB_LIB_OBJ)
+	$(SHLD) -Wl,-soname=libctdb.so.0 $(CTDB_LIB_OBJ)
 
 libctdb/libctdb.so: libctdb/libctdb.so.0
 	@echo Creating $@
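
Review bot: in the libctdb/libctdb.a rule, `-rm -f libctdb.a` becomes `-@rm -f libctdb.a`, which hides a command in a patch whose purpose is to display them; keep it visible or explain the exception in the header. The rm also targets `libctdb.a` in the current directory while the archive is written to `libctdb/libctdb.a`, which looks like a path mismatch worth fixing in the same rule.
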
@@ -142,19 +142,19 @@
 
 bin/scsi_io: $(CTDB_CLIENT_OBJ) utils/scsi_io/scsi_io.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ utils/scsi_io/scsi_io.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ utils/scsi_io/scsi_io.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 bin/ctdb: $(CTDB_CLIENT_OBJ) tools/ctdb.o tools/ctdb_vacuum.o libctdb/libctdb.a
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tools/ctdb.o tools/ctdb_vacuum.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS) libctdb/libctdb.a
+	$(CC) $(CFLAGS) -o $@ tools/ctdb.o tools/ctdb_vacuum.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS) libctdb/libctdb.a
 
 bin/ltdbtool: tools/ltdbtool.o @TDB_OBJ@
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ $+$  $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ $+$  $(LIB_FLAGS)
 
 bin/smnotify: utils/smnotify/gen_xdr.o utils/smnotify/gen_smnotify.o utils/smnotify/smnotify.o $(POPT_OBJ)
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ utils/smnotify/smnotify.o utils/smnotify/gen_xdr.o utils/smnotify/gen_smnotify.o $(POPT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ utils/smnotify/smnotify.o utils/smnotify/gen_xdr.o utils/smnotify/gen_smnotify.o $(POPT_OBJ) $(LIB_FLAGS)
 
 utils/smnotify/smnotify.o: utils/smnotify/smnotify.c utils/smnotify/smnotify.h
 
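
Review bot: the bin/ltdbtool lines in this hunk already contain `$+$  $(LIB_FLAGS)`, so this patch only applies on top of use-ldflags.patch and carries its stray `$` forward. Document the ordering in the patch header or the series file, and fix the `$+$` in the earlier patch.
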
@@ -172,67 +172,67 @@
 
 bin/ping_pong: utils/ping_pong/ping_pong.o
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ utils/ping_pong/ping_pong.o $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ utils/ping_pong/ping_pong.o $(LIB_FLAGS)
 
 bin/pmdactdb: $(CTDB_CLIENT_OBJ) utils/pmda/pmda_ctdb.o
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ utils/pmda/pmda_ctdb.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS) $(PMDA_LIBS)
+	$(CC) $(CFLAGS) -o $@ utils/pmda/pmda_ctdb.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS) $(PMDA_LIBS)
 
 tests/bin/rb_test: $(CTDB_CLIENT_OBJ) tests/src/rb_test.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/rb_test.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/rb_test.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 tests/bin/ctdb_bench: $(CTDB_CLIENT_OBJ) tests/src/ctdb_bench.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_bench.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_bench.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 tests/bin/ctdb_fetch: $(CTDB_CLIENT_OBJ) tests/src/ctdb_fetch.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_fetch.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_fetch.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 tests/bin/ctdb_fetch_one: $(CTDB_CLIENT_OBJ) tests/src/ctdb_fetch_one.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_fetch_one.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_fetch_one.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 tests/bin/ctdb_fetch_lock_once: libctdb/libctdb.a tests/src/ctdb_fetch_lock_once.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_fetch_lock_once.o @TDB_OBJ@ @POPT_OBJ@ libctdb/libctdb.a $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_fetch_lock_once.o @TDB_OBJ@ @POPT_OBJ@ libctdb/libctdb.a $(LIB_FLAGS)
 
 tests/bin/ctdb_fetch_readonly_once: libctdb/libctdb.a tests/src/ctdb_fetch_readonly_once.o
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_fetch_readonly_once.o @TDB_OBJ@ @POPT_OBJ@ libctdb/libctdb.a $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_fetch_readonly_once.o @TDB_OBJ@ @POPT_OBJ@ libctdb/libctdb.a $(LIB_FLAGS)
 
 tests/bin/ctdb_fetch_readonly_loop: $(CTDB_CLIENT_OBJ) tests/src/ctdb_fetch_readonly_loop.o
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_fetch_readonly_loop.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_fetch_readonly_loop.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 tests/bin/ctdb_trackingdb_test: $(CTDB_CLIENT_OBJ) tests/src/ctdb_trackingdb_test.o
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_trackingdb_test.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_trackingdb_test.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 tests/bin/ctdb_update_record: $(CTDB_CLIENT_OBJ) tests/src/ctdb_update_record.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_update_record.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_update_record.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 tests/bin/ctdb_store: $(CTDB_CLIENT_OBJ) tests/src/ctdb_store.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_store.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_store.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 tests/bin/ctdb_traverse: $(CTDB_CLIENT_OBJ) tests/src/ctdb_traverse.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_traverse.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_traverse.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 tests/bin/ctdb_randrec: $(CTDB_CLIENT_OBJ) tests/src/ctdb_randrec.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_randrec.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_randrec.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 tests/bin/ctdb_persistent: $(CTDB_CLIENT_OBJ) tests/src/ctdb_persistent.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_persistent.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_persistent.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 tests/bin/ctdb_transaction: $(CTDB_CLIENT_OBJ) tests/src/ctdb_transaction.o 
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_transaction.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_transaction.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 CTDB_SERVER_MOST_OBJ = $(CTDB_SERVER_OBJ:server/ctdbd.o=)
 CTDBD_TEST_C = $(CTDB_SERVER_MOST_OBJ:.o=.c) tests/src/ctdbd_test.c
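
Review bot: dropping the `@` prefix by hand from every link rule in this hunk has to be repeated for each new target and will conflict whenever upstream touches these rules. A single switch would be easier to carry upstream, for example a `Q = @` variable used as `$(Q)$(CC) ...`, so that `make Q=` produces the verbose log and the `@echo Linking $@` lines can stay as they are.
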
@@ -246,17 +246,17 @@
 
 tests/bin/ctdb_takeover_tests: $(CTDB_TEST_OBJ) tests/src/ctdb_takeover_tests.o
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_takeover_tests.o $(CTDB_TEST_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_takeover_tests.o $(CTDB_TEST_OBJ) $(LIB_FLAGS)
 
 tests/src/ctdb_parse_nodestring.o: tests/src/ctdb_parse_nodestring.c tests/src/libctdb_test.c $(CTDB_TEST_C)
 
 tests/bin/ctdb_parse_nodestring: $(CTDB_TEST_OBJ) tests/src/ctdb_parse_nodestring.o
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ tests/src/ctdb_parse_nodestring.o $(CTDB_TEST_OBJ) @POPT_OBJ@ $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ tests/src/ctdb_parse_nodestring.o $(CTDB_TEST_OBJ) @POPT_OBJ@ $(LIB_FLAGS)
 
 tests/bin/ibwrapper_test: $(CTDB_CLIENT_OBJ) ib/ibwrapper_test.o
 	@echo Linking $@
-	@$(CC) $(CFLAGS) -o $@ ib/ibwrapper_test.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
+	$(CC) $(CFLAGS) -o $@ ib/ibwrapper_test.o $(CTDB_CLIENT_OBJ) $(LIB_FLAGS)
 
 .1.xml.1:
 	-test -z "$(XSLTPROC)" || $(XSLTPROC) -o $@ http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<



--- End Message ---
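
The build-log check described in the report above, as an added example that is not part of the original mail or of ctdb: it scans a verbose log for compiler calls that lack hardening flags and for `Compiling`/`Linking` echoes with no command after them (the silent rules that verbose-build.patch removes). The log is constructed, and the required flag set (`-fstack-protector`, `-D_FORTIFY_SOURCE=2`, relro, bindnow) is an assumed policy.

```python
import shlex

COMPILERS = {"cc", "gcc", "clang"}
# Assumed policy: stack protector and fortify at compile time, relro and bindnow at link time.
COMPILE_FLAGS = ("-fstack-protector", "-D_FORTIFY_SOURCE=2")
LINK_OPTS = ("relro", "now")           # passed as -Wl,-z,relro / -Wl,-z,now
ECHO_PREFIXES = ("Compiling ", "Linking ")

def missing_flags(command):
    """Return (kind, missing flags) for a compiler command, else None."""
    try:
        argv = shlex.split(command)
    except ValueError:                 # unbalanced quotes: not a plain command
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in COMPILERS:
        return None
    if "-c" in argv:                   # compile step
        return "compile", [f for f in COMPILE_FLAGS
                           if not any(a.startswith(f) for a in argv)]
    # Link step: collect the options carried by -Wl,a,b,c arguments.
    ld_opts = {t for a in argv if a.startswith("-Wl,") for t in a.split(",")[1:]}
    return "link", ["-Wl,-z," + o for o in LINK_OPTS if o not in ld_opts]

def audit_log(text):
    """Return [(line number, kind, detail)] for every problem in a build log."""
    findings, pending = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith(ECHO_PREFIXES):
            if pending:                # previous echo had no command after it
                findings.append((pending[0], "silent", pending[1]))
            pending = (lineno, line)
            continue
        pending = None                 # a command was printed after the echo
        result = missing_flags(line)
        if result and result[1]:
            findings.append((lineno, result[0], " ".join(result[1])))
    if pending:
        findings.append((pending[0], "silent", pending[1]))
    return findings

# Constructed sample log, not taken from a real ctdb build.
SAMPLE_LOG = """\
Compiling utils/ping_pong/ping_pong.c
gcc -g -O2 -Wall -D_FORTIFY_SOURCE=2 -c utils/ping_pong/ping_pong.c -o utils/ping_pong/ping_pong.o
Linking bin/ping_pong
gcc -g -O2 -Wall -o bin/ping_pong utils/ping_pong/ping_pong.o
Compiling tools/ltdbtool.c
gcc -g -O2 -fstack-protector -Wall -D_FORTIFY_SOURCE=2 -c tools/ltdbtool.c -o tools/ltdbtool.o
Linking bin/ltdbtool
gcc -g -O2 -fstack-protector -o bin/ltdbtool tools/ltdbtool.o -Wl,-z,relro,-z,now -lpopt
Linking bin/ctdbd
Compiling server/ctdb_daemon.c
"""

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(*finding)
```

A `silent` finding means the log shows only the echo line, so the flags used for that target cannot be verified from the log at all.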
--- Begin Message ---
Source: ctdb
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
ctdb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <[email protected]> (supplier of updated ctdb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 12 Jan 2013 17:22:06 +0100
Source: ctdb
Binary: ctdb libctdb-dev ctdb-dbg
Architecture: source amd64
Version: 2.1-1
Distribution: experimental
Urgency: low
Maintainer: Debian Samba Maintainers <[email protected]>
Changed-By: Mathieu Parent <[email protected]>
Description: 
 ctdb       - clustered database to store temporary data
 ctdb-dbg   - clustered database to store temporary data -- debugging symbols a
 libctdb-dev - clustered database to store temporary data -- development files
Closes: 665209
Changes: 
 ctdb (2.1-1) experimental; urgency=low
 .
   * New upstream release 2.1
     - Remove 0001-Load-platform-dependent-objs-instead-of-Linux-one.patch,
       integrated
     - ctdb.init updated
   * Moved to git:
     - Added gpb.conf
     - Updated VCS-* fields
     - Removed d/svn-deblayout
   * d/watch, d/uupdate-wrapper: Updated to download from ftp.samba.org
   * Update standards-version to 3.9.4 (no changes)
   * Remove extra-license-file
   * Mark ctdb Multi-Arch: foreign
   * Fix "Hardening flags missing" (Closes: #665209)
     - Append CPPFLAGS to CFLAGS as the build system doesn't use CPPFLAGS
     - new 0001-Add-missing-LDFLAGS.patch
     - new 0002-Display-compiler-commands.patch
     - Thanks to Simon Ruderich
   * Release to experimental during freeze
   * Updated README.hurd
   * Added README.kfreebsd
   * ethtool is linux-any
   * Add README.Debian for Samba 3 configuration

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDxjzMACgkQOW2jYf5fHX/SmgCglMIH2jO6hOadDMjvHc16j0fh
SVYAnRpBfJQ6G9sM9aoZPH5uqsQdqWnZ
=rO3W
-----END PGP SIGNATURE-----

--- End Message ---
