Your message dated Wed, 24 Sep 2014 21:21:24 +0000
with message-id <[email protected]>
and subject line Bug#762662: fixed in hardening-wrapper 2.6
has caused the Debian Bug report #762662,
regarding hardening-wrapper: please use -fstack-protector-strong
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
762662: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762662
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:hardening-wrapper
Version: 2.5+nmu1

A few months ago dpkg-buildflags switched its default SSP hardening flag
to -fstack-protector-strong, see:

 https://lists.debian.org/debian-devel/2014/06/msg00453.html

It would be great if hardening-wrapper could follow suit and use the new
flag as well; some high-profile packages still use it. I'm attaching a
patch against the latest NMU (which is not in bzr) with the minimal set
of changes to make the switch.

Let me know if you want me to upload this, or if you want to use another
approach.

Thanks for your consideration,

-- 
Romain Francoise <[email protected]>
http://people.debian.org/~rfrancoise/

diffstat for hardening-wrapper-2.5+nmu1 hardening-wrapper-2.5+nmu2

 debian/README.Debian  |    2 +-
 debian/changelog      |    8 ++++++++
 hardened-cc           |    2 +-
 hardening.make        |    2 +-
 tests/Makefile.common |    1 -
 5 files changed, 11 insertions(+), 4 deletions(-)

diff -Nru hardening-wrapper-2.5+nmu1/debian/changelog hardening-wrapper-2.5+nmu2/debian/changelog
--- hardening-wrapper-2.5+nmu1/debian/changelog	2014-08-21 13:54:44.000000000 +0200
+++ hardening-wrapper-2.5+nmu2/debian/changelog	2014-09-24 10:22:21.000000000 +0200
@@ -1,3 +1,11 @@
+hardening-wrapper (2.5+nmu2) UNRELEASED; urgency=medium
+
+  * hardened-cc, hardening.make: switch SSP flag to -fstack-protector-strong.
+  * tests/Makefile.common: disable ssp-buffer-size-skip test since all
+    buffer sizes are protected now.
+
+ -- Romain Francoise <[email protected]>  Wed, 24 Sep 2014 10:22:21 +0200
+
 hardening-wrapper (2.5+nmu1) unstable; urgency=medium
 
   * Non-maintainer upload.
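Review bot: the new 2.5+nmu2 entry does not list debian/README.Debian, although the diffstat shows it changed; add it to the first bullet, for example "hardened-cc, hardening.make, debian/README.Debian: switch SSP flag to -fstack-protector-strong." The distribution field is still UNRELEASED, which is fine for a proposed patch but has to be set to the target suite before any upload.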
diff -Nru hardening-wrapper-2.5+nmu1/debian/README.Debian hardening-wrapper-2.5+nmu2/debian/README.Debian
--- hardening-wrapper-2.5+nmu1/debian/README.Debian	2012-12-16 23:58:02.000000000 +0100
+++ hardening-wrapper-2.5+nmu2/debian/README.Debian	2014-09-24 10:20:24.000000000 +0200
@@ -23,7 +23,7 @@
 
 Features
 --------
--fstack-protector --param ssp-buffer-size=4 (DEB_BUILD_HARDENING_STACKPROTECTOR)
+-fstack-protector-strong (DEB_BUILD_HARDENING_STACKPROTECTOR)
 
 This is a mainline GCC feature, which adds safety checks against stack
 overwrites. This renders many potential code injection attacks into
diff -Nru hardening-wrapper-2.5+nmu1/hardened-cc hardening-wrapper-2.5+nmu2/hardened-cc
--- hardening-wrapper-2.5+nmu1/hardened-cc	2013-09-13 22:31:30.000000000 +0200
+++ hardening-wrapper-2.5+nmu2/hardened-cc	2014-09-24 10:20:45.000000000 +0200
@@ -104,7 +104,7 @@
 
     # Enable SSP by default
     if ($force_stack) {
-        push(@args,'-fstack-protector','--param=ssp-buffer-size=4');
+        push(@args,'-fstack-protector-strong');
     }
 
     # Enable -fPIE by default
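Review bot: the replacement `push(@args,'-fstack-protector-strong');` is unconditional inside `if ($force_stack)`, so the wrapper hands the flag to whatever compiler it fronts, including a GCC that predates the option and will reject it. Probe the compiler (by version or a trial compile) and fall back to the previous `'-fstack-protector','--param=ssp-buffer-size=4'` pair when -fstack-protector-strong is not available.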
diff -Nru hardening-wrapper-2.5+nmu1/hardening.make hardening-wrapper-2.5+nmu2/hardening.make
--- hardening-wrapper-2.5+nmu1/hardening.make	2013-12-17 19:08:41.000000000 +0100
+++ hardening-wrapper-2.5+nmu2/hardening.make	2014-09-24 10:20:35.000000000 +0200
@@ -73,7 +73,7 @@
 _HARDENED_PIE_CFLAGS  := -fPIE
 _HARDENED_PIE_LDFLAGS := -fPIE -pie
 
-_HARDENED_STACKPROTECTOR_CFLAGS := -fstack-protector --param ssp-buffer-size=4
+_HARDENED_STACKPROTECTOR_CFLAGS := -fstack-protector-strong
 
 # Fortify Source requires that -O1 or higher is used, but that should be
 # handled outside of this include file.
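Review bot: `_HARDENED_STACKPROTECTOR_CFLAGS` is now a second, independent place where the SSP flag is hard-coded, and it has to stay in step with hardened-cc. If the wrapper gains a fallback for compilers without -fstack-protector-strong, packages that include hardening.make need the same behaviour here, otherwise the two entry points produce different flags for the same toolchain.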
diff -Nru hardening-wrapper-2.5+nmu1/tests/Makefile.common hardening-wrapper-2.5+nmu2/tests/Makefile.common
--- hardening-wrapper-2.5+nmu1/tests/Makefile.common	2012-04-01 01:44:21.000000000 +0200
+++ hardening-wrapper-2.5+nmu2/tests/Makefile.common	2014-09-24 10:20:52.000000000 +0200
@@ -26,7 +26,6 @@
 	$(BUILD_TREE)/$(NAME)-test-fPIC \
 	$(BUILD_TREE)/$(NAME)-test-format-security \
 	$(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-protect \
-	$(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-skip \
 	$(BUILD_TREE)/$(NAME)-test-all.o \
 	$(BUILD_TREE)/$(NAME)-test-all.a \
 	$(BUILD_TREE)/$(NAME)-test-none.o \
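Review bot: dropping `$(NAME)-test-ssp-buffer-size-skip` from the target list only removes coverage; nothing in this patch asserts the behaviour the changelog claims ("all buffer sizes are protected now"). Consider turning the skip case into a test that expects a small buffer to be protected. The diffstat shows only this one-line deletion under tests/, so the test's source and rule presumably stay in the tree unused; remove them too or note why they remain.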

--- End Message ---
--- Begin Message ---
Source: hardening-wrapper
Source-Version: 2.6

We believe that the bug you reported is fixed in the latest version of
hardening-wrapper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kees Cook <[email protected]> (supplier of updated hardening-wrapper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Sep 2014 07:51:25 -0700
Source: hardening-wrapper
Binary: hardening-wrapper hardening-includes
Architecture: source amd64 all
Version: 2.6
Distribution: unstable
Urgency: medium
Maintainer: Package Hardening <[email protected]>
Changed-By: Kees Cook <[email protected]>
Description:
 hardening-includes - Makefile for enabling compiler flags for security hardening
 hardening-wrapper - Compiler wrapper to enable security hardening flags
Closes: 762662
Changes:
 hardening-wrapper (2.6) unstable; urgency=medium
 .
   * Acknowledge NMU, thanks Aurelien Jarno!
   * debian/rules: add clarifying comment about dpkg-buildflags.
   * hardening.make, debian/README.Debian:
     - switch to -fstack-protector-strong, thanks to Romain Francoise
       (Closes: 762662).
     - enable stack protector on mips*, arm64.
   * hardened-cc: use -fstack-protector-strong when old GCC not found.
   * tests/
     - Makefile: add -fstack-protector-strong to logs
     - Makefile.common, ssp-buffer-type-protect.c: check for -strong behavior


--- End Message ---
