Your message dated Wed, 01 Jan 2014 17:18:28 +0000 with message-id <[email protected]> and subject line Bug#662721: fixed in dash 0.5.7-3+nmu1 has caused the Debian Bug report #662721, regarding dash: Please enable hardening flags to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
662721: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662721
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dash
Version: 0.5.7-3
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

Please consider enabling hardening flags which are a release goal for wheezy. For more information please have a look at [1], [2] and [3].

The attached patch enables the hardening flags and fixes a format string vulnerability detected by -Wformat-security. -g and -O2 are automatically set by dpkg-buildflags (noopt is respected). I've been using the patched version for some time now and it works fine for me.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package:

$ hardening-check /bin/dash
/bin/dash:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not enabled by default.)

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dash depends on:
ii  debianutils  4.2.1
ii  dpkg         1.16.1.2
ii  libc6        2.13-27

dash recommends no packages.
dash suggests no packages.
- -- debconf information excluded -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJPVVVTAAoJEJL+/bfkTDL5GjQP/0RVCtUjx0QmqLtiLlAbYG8f uX1t/SEBZ6VbpaUzJtoac3AN3h3x0ByE3T+tZlmC+CAdpP1EnSOskhtOCZF2qsNn 7HtaNSu6Mdi4etrbbKa4C9W/dJwA+sKwWDCyHuL+A8D8Pv1ObkQBnToRhQcCkB0m yngp66vfQC739SiQjl5TyMAlrlvlxZDNiYI0Dc3rIHYFyjTLp35zckwidbB64gco zdlfhp7RSwKhY6f1iSVr7TSZMSU7yMYjJET+Hzv9uPfGwih9G76/WZ4MjHv4QOcb NAVYiv+TGGE737bSZG8+Zi9c+PR+OlQz0dXntscKn6U9GYzhdJBDK5FMv09E5abV /+NS4uBrzCF5r+qcKxVQWoT2LET7pTkM5Bi+bojFOcAqi9jRXhik4rFuW6r/B6S+ aGvOvE78aZhhi3W7TkBQpTYYGHoZCn5BZsm0tdQMyxco8sljxTcDOQGtAeItWXb3 X61ICbSkHfzmMEcOqp0xG0fWoGrZg1HD9CSp5zOFw9pM5QLcLJav8QqPCcZ0iymK CqSpYH0Y4q9Qw1c4DxEa76TKeVi8hX93DM39CI4Xx221AbJcMl1gkrtoPTC/pR/C pVtg9LcPvw+LB8pvNXvQDGum48LBaad5Hh1UADcPZE8DS2wzvYwY1GOtgY1i3OJg AjHQFW1H6IxB+15CtsPf =tzaV -----END PGP SIGNATURE-----diff -u dash-0.5.7/debian/control dash-0.5.7/debian/control --- dash-0.5.7/debian/control +++ dash-0.5.7/debian/control @@ -2,7 +2,7 @@ Section: shells Priority: optional Maintainer: Gerrit Pape <[email protected]> -Build-Depends: po-debconf +Build-Depends: po-debconf, dpkg-dev (>= 1.16.1) Standards-Version: 3.9.3.0 Homepage: http://gondor.apana.org.au/~herbert/dash/ Vcs-Git: http://smarden.org/git/dash.git/ diff -u dash-0.5.7/debian/rules dash-0.5.7/debian/rules --- dash-0.5.7/debian/rules +++ dash-0.5.7/debian/rules @@ -1,7 +1,10 @@ #!/usr/bin/make -f +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + CC =gcc -CFLAGS =-g -O2 -Wall +CFLAGS +=-Wall STRIP =strip DEB_HOST_GNU_TYPE =$(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) only in patch2: unchanged: --- dash-0.5.7.orig/src/jobs.c +++ dash-0.5.7/src/jobs.c @@ -427,7 +427,7 @@ goto out; #endif } - col = fmtstr(s, 32, strsignal(st)); + col = fmtstr(s, 32, "%s", strsignal(st)); #ifdef WCOREDUMP if (WCOREDUMP(status)) { col += fmtstr(s + col, 16, " (core dumped)");
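Review bot: the versioned bump to `Build-Depends: po-debconf, dpkg-dev (>= 1.16.1)` in the debian/control hunk is the right companion for the `include /usr/share/dpkg/buildflags.mk` line in debian/rules, since that makefile is shipped by dpkg-dev from that version on; what the patch does not carry is a debian/changelog hunk, so the entry recording the change (the NMU's "Enable build-hardening flags (closes: #662721)") has to be added separately before upload.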
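Review bot: in the debian/rules hunk, `DPKG_EXPORT_BUILDFLAGS = 1` plus the include exports CFLAGS, CPPFLAGS and LDFLAGS into the environment of every recipe, while `CFLAGS +=-Wall` only appends to CFLAGS; whether -D_FORTIFY_SOURCE=2 (CPPFLAGS) and -Wl,-z,relro (LDFLAGS) actually reach the compile and link steps therefore depends on the upstream build honouring those environment variables. The reporter's hardening-check output ("Fortify Source functions: yes", "Read-only relocations: yes") shows that it does for dash, but the build log is still worth a look for -fstack-protector and -z relro on the compile and link lines. Dropping `-g -O2` is correct, since dpkg-buildflags now supplies them and honours DEB_BUILD_OPTIONS=noopt, as the report says. PIE and immediate binding stay off, which is a defensible default for a shell that is exec'd as often as /bin/sh; should they be wanted later, the dpkg-buildflags maintainer knob (DEB_BUILD_MAINT_OPTIONS=hardening=+pie,+bindnow) is the place to turn them on rather than hand-written flags in this file.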
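Review bot: the src/jobs.c change from `fmtstr(s, 32, strsignal(st))` to `fmtstr(s, 32, "%s", strsignal(st))` is the correct fix: passing strsignal()'s locale-dependent libc message as the format means any `%` sequence in that message would be parsed as a conversion, which is exactly what -Wformat-security reports. The fixed call keeps the existing 32-byte bound, and the literal " (core dumped)" format in the following lines needs no change. Since the warning only fires on calls the compiler can see, it is worth grepping the tree for other fmtstr() callers that pass a non-literal format before closing this.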
--- End Message ---
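The `hardening-check` run quoted in the report reads its five answers straight out of the ELF file. As an added example (not the hardening-includes tool and not part of the original report), the script below does the same in pure Python so that the meaning of each output line is visible: PIE is the ELF type, read-only relocations is a PT_GNU_RELRO segment, immediate binding is a dynamic tag, and stack protector and fortify are imports from libc. The `build_sample_elf()` image is a constructed, non-loadable sample for offline use; the `__*_chk` name match is a heuristic, and the whole thing assumes little-endian ELF64 with section headers present, as in the amd64 build in the report.

```python
"""Added example: pure-Python ELF64 inspector reporting the same five properties
hardening-check(1) prints (not the hardening-includes tool itself)."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_RELRO = 0x6474E552
SHT_STRTAB, SHT_DYNAMIC, SHT_DYNSYM = 3, 6, 11
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _cstr(buf, off):
    """Return the NUL-terminated string at buf[off:]."""
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")


def check_hardening(data):
    """Inspect a little-endian ELF64 image (bytes) and return five booleans.
    Assumes section headers are present (Debian's strip keeps them)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    hdr = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    e_type, e_phoff, e_shoff = hdr[0], hdr[4], hdr[5]
    e_phentsize, e_phnum, e_shentsize, e_shnum = hdr[8], hdr[9], hdr[10], hdr[11]
    result = {"pie": e_type == ET_DYN,   # ET_DYN: the loader may place it anywhere
              "stack_protector": False, "fortify": False, "relro": False, "bind_now": False}
    # RELRO (-Wl,-z,relro): PT_GNU_RELRO marks data re-mapped read-only after relocation.
    for i in range(e_phnum):
        if struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0] == PT_GNU_RELRO:
            result["relro"] = True
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    dynsym = next((s for s in shdrs if s[1] == SHT_DYNSYM), None)
    dynamic = next((s for s in shdrs if s[1] == SHT_DYNAMIC), None)
    # BIND_NOW (-Wl,-z,now): all PLT entries resolved at load, so the GOT fits in RELRO.
    if dynamic is not None:
        for pos in range(dynamic[4], dynamic[4] + dynamic[5], 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                result["bind_now"] = True
    # Stack protector and fortify both surface as imports from libc:
    # __stack_chk_fail for -fstack-protector, __*_chk wrappers (e.g. __printf_chk)
    # for -D_FORTIFY_SOURCE=2. The __*_chk match is a name heuristic.
    if dynsym is not None:
        strtab_off = shdrs[dynsym[6]][4]
        for pos in range(dynsym[4], dynsym[4] + dynsym[5], dynsym[9] or 24):
            st_name, _, _, st_shndx = struct.unpack_from("<IBBH", data, pos)
            if st_shndx != 0:              # only undefined (imported) symbols count
                continue
            name = _cstr(data, strtab_off + st_name)
            if name == "__stack_chk_fail":
                result["stack_protector"] = True
            elif name.startswith("__") and name.endswith("_chk"):
                result["fortify"] = True
    return result


def build_sample_elf(pie=True, relro=True, bind_now=True, protector=True, fortify=True):
    """Constructed sample input: a minimal, non-loadable ELF64 image carrying only
    the headers, .dynsym/.dynstr and .dynamic entries that the checks look at."""
    names = [b""] + [b"__stack_chk_fail"] * protector + [b"__printf_chk"] * fortify
    dynstr = b"\0".join(names) + b"\0"
    syms, off = [bytes(24)], 1                 # entry 0 is the mandatory null symbol
    for n in names[1:]:                        # undefined FUNC symbols, st_shndx = 0
        syms.append(struct.pack("<IBBHQQ", off, 0x12, 0, 0, 0, 0))
        off += len(n) + 1
    dynsym = b"".join(syms)
    dyn = [(DT_FLAGS, DF_BIND_NOW)] * bind_now + [(DT_NULL, 0)]
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)] * relro
    dynsym_off = 64 + 56 * len(phdrs)
    dynstr_off = dynsym_off + len(dynsym)
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)

    def shdr(typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = [shdr(0, 0, 0, 0, 0), shdr(SHT_DYNSYM, dynsym_off, len(dynsym), 2, 24),
             shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0),
             shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 2, 16)]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB, v1, SysV ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               64, shoff, 0, 64, 56, len(phdrs), 64, len(shdrs), 0)
    return ehdr + b"".join(phdrs) + dynsym + dynstr + dynamic + b"".join(shdrs)


if __name__ == "__main__":           # usage: python3 elfcheck.py /bin/dash [...]
    import sys
    for p in sys.argv[1:]:
        with open(p, "rb") as fh:
            print(p, check_hardening(fh.read()))
    if len(sys.argv) == 1:
        print("constructed sample:", check_hardening(build_sample_elf()))
```

Run against a freshly built /bin/dash the dict should mirror the hardening-check lines in the report (relro, stack_protector and fortify true; pie and bind_now false). The binary is never executed or loaded, so the check is safe to run on untrusted build output.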
--- Begin Message ---
Source: dash
Source-Version: 0.5.7-3+nmu1

We believe that the bug you reported is fixed in the latest version of dash, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <[email protected]> (supplier of updated dash package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 25 Dec 2013 13:46:03 -0500
Source: dash
Binary: dash ash
Architecture: source all amd64
Version: 0.5.7-3+nmu1
Distribution: unstable
Urgency: medium
Maintainer: Gerrit Pape <[email protected]>
Changed-By: Michael Gilbert <[email protected]>
Description:
 ash - compatibility package for dash
 dash - POSIX-compliant shell
Closes: 662721
Changes:
 dash (0.5.7-3+nmu1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Enable build-hardening flags (closes: #662721).
Checksums-Sha1:
 38e33abd3617551bd6b6969989e6359345a4d57a 2459 dash_0.5.7-3+nmu1.dsc
 073c8ddfbe33d8b5e8bc419498031d65df4eb84d 42133 dash_0.5.7-3+nmu1.diff.gz
 546cae9237ff09ececb407aaf95ce1d32718f30d 28956 ash_0.5.7-3+nmu1_all.deb
 4222c675303e127701249185d772381f3a075fcf 106926 dash_0.5.7-3+nmu1_amd64.deb
Checksums-Sha256:
 83344406eb86292ff4bf7dc234e58e4e1dda289d6554ee665fdc68df94df62ad 2459 dash_0.5.7-3+nmu1.dsc
 ea8675b269bae866e737649da37010be478f6db401f49b775922b9349b47c5d7 42133 dash_0.5.7-3+nmu1.diff.gz
 865e68bae7aecdbe0644593412f5d0cbb09669476b3219c7dc715b599f419000 28956 ash_0.5.7-3+nmu1_all.deb
 da16f5821044789794442b63d42c407b6a7362053f9afb651e2cb51f59fb1a9c 106926 dash_0.5.7-3+nmu1_amd64.deb
Files:
 22b05efd6251583ba44557643ee885fb 2459 shells optional dash_0.5.7-3+nmu1.dsc
 2ce1aad46106ecc38980843d845f144e 42133 shells optional dash_0.5.7-3+nmu1.diff.gz
 a2d91d8efe924353a0876f30aa45cdf0 28956 shells optional ash_0.5.7-3+nmu1_all.deb
 4eb83d32f9d015b081c70ca730fdeb1a 106926 shells required dash_0.5.7-3+nmu1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQQcBAEBCgAGBQJSvbCGAAoJELjWss0C1vRzBM4f/R6vdXNLjlKyczRlynQb6own
1KvCLUVpbBPFW1ZoIn3EZA77pJDX3Cv4nhDbrijk24fCp6aoIJU95C+GGwNXs63E
MVSfG7epeTKBYoZIpReUXXsA8p9LlzckJUiK3R+9HGoSnKnNLFH7ghOj1CD7nh2L
bX267kuMfP+svjqO7fLaaBBYvfrZbgxU+/Sy+xTJsJWsp4d2FPXdp2XpaffpTwhz
2LwZJlMB5N+8FW02arc+++3FgsrGc7fGwatDETHHO8xGK+1aWAhFE1rJqSn+2Zg6
9ISnDZPX0C18H7VnepuWkFCthL6gVcMQBgQBrkeghCGfOILUES4uMvsAxx/AU6J/
atArEE8Yip4u6CN5pfGKp2X2VetJTnxpsARJYEJM3mZhvSCWpMkZFvKe95wj4RV9
OIGaNZ5F7lRpJ5XClyDG/rKDr/bI2lZ2/bh9R/VvZr2gwOiBnhPqUGh+cxJF/04f
lbWxzmkyhaYD+DevT2z6/Arxc9Bh5vPjSaQgK4xaiivUK83dhp0Dgqul3ZYPIZlU
/St1efYO4EUW1FSWhBns7u+Hdqyys8q3Vc8Wt2xt6ub4n8ZlofLtCLNSVtJgO0Gm
eE6rae3kzL9EpNfu15H+K/ij29jVtGwX87H59pjjtqq4yG2azP719jmHBr2/ArqH
AF2/wRUvqstTn32MAMFxOpqRH7SiPM0OJsddEUkIQmmub236p0bOZecBgccRQTlA
y2Uod9E4X9QpE2aH9ng5nBrMX7eiE41rpf2Lg1jFSLYndySKcjEUYMQkfgfAr24E
AXvqoMj3lZVY30RqI2Vd6nNDtU3wyNbkUMlHJfVY5rKKA4rRS5k/p07bzzV644Pi
jDSq3A6IybenaTeDYc234lmQbYseLu6r1Vw+3hRGtXjGt2F1eWjkYFF2nP/8dGll
PDXAiucUIn9Wi6m3Z5T/WGTDiSkTRn9oxz19yeeW6lj0hLp6EqKzQ1BioAj4R3RV
xyvj31bpNKsoB1dvt3EucyUKI4cjMEuF2zAa1oNTUM0tLoYB0GJLoEK0vysqiA4h
1YN1rtjQVNlFTm9UR3i3chJHSuDZnvb6XutBbWXQ3btJZpcuBOuPgMujnATQWoI1
gR3e/QbBQcUEqK2c1AzKiXUAfqlzu2EQjnLJ+qu+qYBKb2RZ2wqDWo8LpolP6Oqr
0Mvg52dFuv284CULt+ud49jOft1wQft9Ia/Ja18SYUdnI/JrT1P/wAK6ST8Vvlh8
Pm/TAJrOpxS/R1FZA0SfZdHhsXeLkDCoJWOEmK6XjetfLappiNYNeOMEjyyx79lM
qQIepCHrV3lstQfMNhk29LPH7rAVu1ofsIx9LgffRg+CPzjyCqGs4yCtT3Zizfg=
=itTB
-----END PGP SIGNATURE-----
--- End Message ---

