Package: desproxy
Version: 0.1.0~pre3-7
Severity: important
Tags: patch

Dear Maintainer,
The hardening flags are missing because the build system ignores
them.
DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].
The attached patches fix the issue. If possible they should be
sent upstream (LDFLAGS is used when linking, not CFLAGS).
compat=9 automatically exports the build flags; it is not
necessary to pass them manually to configure. debian-compile.mk
was patched because it overwrites CFLAGS.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/socket2socket /usr/bin/desproxy-socksserver
/usr/bin/desproxy-dns ..
/usr/bin/socket2socket:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/bin/desproxy-socksserver:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/bin/desproxy-dns:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
...
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
diff -Nru desproxy-0.1.0~pre3/debian/debian-compile.mk desproxy-0.1.0~pre3/debian/debian-compile.mk
--- desproxy-0.1.0~pre3/debian/debian-compile.mk 2012-02-11 23:21:58.000000000 +0100
+++ desproxy-0.1.0~pre3/debian/debian-compile.mk 2012-03-22 17:08:37.000000000 +0100
@@ -54,13 +54,13 @@
#######################################################################
-CFLAGS = -Wall -g
-
-ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
- CFLAGS += -O2
-else
- CFLAGS += -O0
-endif
+#CFLAGS = -Wall -g
+#
+#ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+# CFLAGS += -O2
+#else
+# CFLAGS += -O0
+#endif
#######################################################################
# [Add this to use multiple CPU cores]
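Review bot: The seven CFLAGS lines are kept as commented-out code (`#CFLAGS = -Wall -g` through `#endif`) instead of being removed, so debian-compile.mk now carries a dead `ifeq` on `noopt` that no longer does anything, which a later maintainer may be tempted to re-enable. dpkg-buildflags already supplies `-g -O2`, and `-O0` when DEB_BUILD_OPTIONS contains noopt, so the block is fully redundant. Delete it and leave a one-line comment in its place, e.g. `# CFLAGS/LDFLAGS are supplied by dpkg-buildflags (dh compat 9); do not set them here.`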
diff -Nru desproxy-0.1.0~pre3/debian/rules desproxy-0.1.0~pre3/debian/rules
--- desproxy-0.1.0~pre3/debian/rules 2012-02-11 23:21:58.000000000 +0100
+++ desproxy-0.1.0~pre3/debian/rules 2012-03-22 17:08:37.000000000 +0100
@@ -6,9 +6,8 @@
include debian/debian-vars.mk
include debian/debian-compile.mk
-include /usr/share/dpkg/buildflags.mk
-CFLAGS += -Wall -pedantic
-LDFLAGS += -Wl,--as-needed
+DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic
+DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
man:
# target: man
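Review bot: `DEB_CFLAGS_MAINT_APPEND` and `DEB_LDFLAGS_MAINT_APPEND` are assigned as plain make variables on the two added lines, but with `/usr/share/dpkg/buildflags.mk` no longer included nothing in this hunk exports them. dh obtains the flags by running dpkg-buildflags, which reads the `DEB_*_MAINT_*` variables from the environment, so `-Wall -pedantic` and `-Wl,--as-needed` are silently dropped unless one of the included files (debian-vars.mk, debian-compile.mk, both outside this hunk) exports them. The form dpkg-buildflags(1) documents is `export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic` and `export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed`. hardening-check cannot detect this, since the hardening flags themselves come from dpkg-buildflags' defaults; the build log is where `-pedantic` and `--as-needed` should be confirmed.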
@@ -28,9 +27,7 @@
--build=$(DEB_BUILD_GNU_TYPE) \
--prefix=/usr \
--mandir=\$${prefix}/share/man \
- --infodir=\$${prefix}/share/info \
- CFLAGS="$(CFLAGS)" \
- LDFLAGS="$(LDFLAGS)"
+ --infodir=\$${prefix}/share/info
override_dh_auto_install: man
$(MAKE) DESTDIR=$(PKGDIR) install
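Review bot: After dropping the explicit `CFLAGS="$(CFLAGS)"` and `LDFLAGS="$(LDFLAGS)"` arguments, configure receives the build flags only through the environment, which dh populates only at debhelper compat level 9 or later; debian/compat is not part of this diff, so at a lower compat level the flags would stop reaching configure altogether rather than partially. The report's text assumes compat 9, so this is presumably already the case, but the bump should land with (or before) this change. The recipe containing these configure arguments starts outside the hunk.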
Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-22
---
--- desproxy-0.1.0~pre3.orig/src/Makefile.in
+++ desproxy-0.1.0~pre3/src/Makefile.in
@@ -17,6 +17,7 @@
 SHELL = /bin/sh
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 CC = @CC@
 CFLAGS = @CFLAGS@ -Wall
+LDFLAGS = @LDFLAGS@
 DEFS = @DEFS@ -DLOCALEDIR=\"$(localedir)\"
 LIBS = @LIBS@
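Review bot: The hunk adds `LDFLAGS = @LDFLAGS@` but no matching `CPPFLAGS = @CPPFLAGS@`, while the second hunk (@@ -29,38 +30,38 @@) starts passing `$(CPPFLAGS)` on every compile line. Under dh this still works because make inherits CPPFLAGS from the environment, which is presumably how `-D_FORTIFY_SOURCE=2` reaches the compiler in the report's hardening-check output, but anyone running `./configure CPPFLAGS=... && make` outside dh gets an empty `$(CPPFLAGS)` and loses the fortify define silently. Add `CPPFLAGS = @CPPFLAGS@` next to the new LDFLAGS line so the generated Makefile records what configure was given, as it already does for CFLAGS and LDFLAGS.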
@@ -29,38 +30,38 @@
 bins = desproxy desproxy-inetd desproxy
 all: $(bins)
 desproxy: desproxy.o util.o
-	$(CC) $(CFLAGS) $(LIBS) util.o desproxy.o -o desproxy
+	$(CC) $(LDFLAGS) $(LIBS) util.o desproxy.o -o desproxy
 desproxy-inetd: desproxy-inetd.o util.o
-	$(CC) $(CFLAGS) $(LIBS) util.o desproxy-inetd.o -o desproxy-inetd
+	$(CC) $(LDFLAGS) $(LIBS) util.o desproxy-inetd.o -o desproxy-inetd
 desproxy-socksserver: desproxy-socksserver.o util.o
-	$(CC) $(CFLAGS) $(LIBS) util.o desproxy-socksserver.o -o desproxy-socksserver
+	$(CC) $(LDFLAGS) $(LIBS) util.o desproxy-socksserver.o -o desproxy-socksserver
 desproxy-dns: desproxy-dns.o util.o
-	$(CC) $(CFLAGS) $(LIBS) util.o desproxy-dns.o -o desproxy-dns
+	$(CC) $(LDFLAGS) $(LIBS) util.o desproxy-dns.o -o desproxy-dns
 socket2socket: socket2socket.o util.o
-	$(CC) $(CFLAGS) $(LIBS) util.o socket2socket.o -o socket2socket
+	$(CC) $(LDFLAGS) $(LIBS) util.o socket2socket.o -o socket2socket
 desproxy.o: desproxy.c desproxy.h
-	$(CC) $(CFLAGS) $(DEFS) -c desproxy.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) -c desproxy.c
 desproxy-inetd.o: desproxy-inetd.c desproxy.h
-	$(CC) $(CFLAGS) $(DEFS) -c desproxy-inetd.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) -c desproxy-inetd.c
 desproxy-socksserver.o: desproxy-socksserver.c desproxy.h
-	$(CC) $(CFLAGS) $(DEFS) -c desproxy-socksserver.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) -c desproxy-socksserver.c
 desproxy-dns.o: desproxy-dns.c desproxy.h
-	$(CC) $(CFLAGS) $(DEFS) -c desproxy-dns.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) -c desproxy-dns.c
 socket2socket.o: socket2socket.c desproxy.h
-	$(CC) $(CFLAGS) $(DEFS) -c socket2socket.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) -c socket2socket.c
 util.o: util.c desproxy.h
-	$(CC) $(CFLAGS) $(DEFS) -c util.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) -c util.c
 clean:
 	rm -rf $(objects) $(bins) desproxy.conf
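Review bot: The rewritten link lines keep `$(LIBS)` ahead of the object files, e.g. `$(CC) $(LDFLAGS) $(LIBS) util.o desproxy.o -o desproxy`; now that the debian/rules hunk appends `-Wl,--as-needed` to LDFLAGS, any library in `@LIBS@` that precedes the objects referencing it is discarded by the linker, since --as-needed keeps only libraries needed by input already seen. On glibc systems @LIBS@ is likely empty, so this may not bite today, but the conventional order also keeps `$(CFLAGS)` at link time, which flags such as PIE or LTO need to be consistent between compile and link: `$(CC) $(CFLAGS) $(LDFLAGS) util.o desproxy.o -o desproxy $(LIBS)`, applied to all five link rules. Blank lines between rules appear to have been lost when this hunk was collapsed, which is why its line count no longer matches the header.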