Package: openal-soft
Version: 1:1.13-6
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores them by default. The following patch fixes the issue by adding them to CFLAGS. For more hardening information please have a look at [1], [2] and [3].

diff -Nru openal-soft-1.13/debian/rules openal-soft-1.13/debian/rules
--- openal-soft-1.13/debian/rules 2012-03-19 15:13:07.000000000 +0100
+++ openal-soft-1.13/debian/rules 2012-03-28 18:12:58.000000000 +0200
@@ -11,6 +11,9 @@
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 CFLAGS = -Wall $(shell dpkg-buildflags --get CFLAGS 2>/dev/null | sed -e 's/-g\|-O2//g')
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS to enable the missing
+# (hardening) flags.
+CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)
 # Use this variable to allow options passed to cmake to be overridable
 DEB_CMAKE_OPTIONS ?= -DCMAKE_VERBOSE_MAKEFILE=ON \

Btw. it's not necessary to strip -g and -O2 from dpkg-buildflags. -O2 is overruled by the build system if -O3 is specified (in this case the buildsystem uses -O2 as well). -g is necessary for a debug package (#659364) and DEB_BUILD_OPTIONS=nostrip.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

$ hardening-check /usr/lib/x86_64-linux-gnu/libopenal.so.1.13.0
/usr/lib/x86_64-linux-gnu/libopenal.so.1.13.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!

(Immediate binding is not enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
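Review bot: the added `CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)` line is missing the `2>/dev/null` that the existing CFLAGS line uses, so the two `dpkg-buildflags` calls behave differently if the tool is absent or fails; either make both consistent or, better, drop the redirection on both so a missing dpkg-buildflags (and therefore missing hardening flags) fails the build loudly instead of silently producing an unhardened library. Since the report itself states that stripping `-g` and `-O2` is unnecessary, the `| sed -e 's/-g\|-O2//g'` on the existing CFLAGS line could be removed in the same hunk rather than left for a later change. Also worth noting in the changelog that CMake only reads the CFLAGS environment variable when it first initialises CMAKE_C_FLAGS, so the flags are only picked up on a clean configure; a stale build directory would keep the old flags and `hardening-check` should be run on a from-scratch build to confirm the fix.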