Bug#666095: openal-soft: CPPFLAGS hardening flags missing

Wed, 28 Mar 2012 09:54:16 -0700 

Package: openal-soft
Version: 1:1.13-6
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores
them by default.

The following patch fixes the issue by adding them to CFLAGS. For
more hardening information please have a look at [1], [2] and
[3].

diff -Nru openal-soft-1.13/debian/rules openal-soft-1.13/debian/rules
--- openal-soft-1.13/debian/rules       2012-03-19 15:13:07.000000000 +0100
+++ openal-soft-1.13/debian/rules       2012-03-28 18:12:58.000000000 +0200
@@ -11,6 +11,9 @@
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 
 CFLAGS = -Wall $(shell dpkg-buildflags --get CFLAGS 2>/dev/null | sed -e 
's/-g\|-O2//g')
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS to enable the missing
+# (hardening) flags.
+CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)
 
 # Use this variable to allow options passed to cmake to be overridable
 DEB_CMAKE_OPTIONS ?= -DCMAKE_VERBOSE_MAKEFILE=ON \

Btw. it's not necessary to strip -g and -O2 from dpkg-buildflags.
-O2 is overruled by the build system if -O3 is specified (in this
case the buildsystem uses -O2 as well). -g is necessary for a
debug package (#659364) and DEB_BUILD_OPTIONS=nostrip.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/lib/x86_64-linux-gnu/libopenal.so.1.13.0
    /usr/lib/x86_64-linux-gnu/libopenal.so.1.13.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Immediate binding is not enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Attachment: signature.asc
Description: Digital signature

Reply via email to