Package: solid-pop3d Version: 0.15-25 Severity: important Tags: patch Dear Maintainer,
The CPPFLAGS hardening flags are missing because the build system
ignores them.
The following patch fixes the issue by appending them to CFLAGS.
diff -Nru solid-pop3d-0.15/debian/rules solid-pop3d-0.15/debian/rules
--- solid-pop3d-0.15/debian/rules 2012-02-11 23:18:42.000000000 +0100
+++ solid-pop3d-0.15/debian/rules 2012-03-24 16:47:41.000000000 +0100
@@ -6,6 +6,9 @@
DESTDIR := $(CURDIR)/debian/$(shell dh_listpackages)
CFLAGS := $(shell dpkg-buildflags --get CFLAGS)
+# The build system doesn't use CPPFLAGS, pass them to CFLAGS to enable the
+# missing (hardening) flags.
+CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)
CFLAGS += -DDEBIAN -Wall
LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/pop_auth /usr/sbin/solid-pop3d
/usr/bin/pop_auth:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/sbin/solid-pop3d:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature
