Package: theseus
Version: 1.6.2-1
Severity: normal
Tags: patch

Dear Maintainer,

The hardening flags are missing because the build system ignores
them. For more hardening information please have a look at [1],
[2] and [3].

The two attached patches fix the issue. The first one
(21_use_dpkg_buildflags.patch) should be sent to upstream if
possible, the second (22_hardening_compile.patch) is only
necessary for the debian package. The second patch also sets
-Wno-error=unused-result to prevent a build failure - fixing all
those warnings is a lot of work.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/theseus
    /usr/bin/theseus:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags).
 Necessary for hardening flags.
 .
 Also use CPPFLAGS and LDFLAGS where appropriate.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-04-09

Index: theseus-1.6.2/make.inc
===================================================================
--- theseus-1.6.2.orig/make.inc	2012-04-09 02:09:33.411167605 +0200
+++ theseus-1.6.2/make.inc	2012-04-09 02:10:23.355167827 +0200
@@ -25,7 +25,10 @@
 #OPT = -O0 -ggdb
 OPT = -O3 -ffast-math -fstrict-aliasing -funroll-loops -fomit-frame-pointer 
 WARN = -Werror -Wall -pedantic -std=c99 #-Wstrict-aliasing=2
-CFLAGS = $(WARN) #-force_cpusubtype_ALL -mmacosx-version-min=10.4 -arch x86_64 -arch i386 #-DNDEBUG
+CFLAGS += $(WARN) #-force_cpusubtype_ALL -mmacosx-version-min=10.4 -arch x86_64 -arch i386 #-DNDEBUG
+# CPPFLAGS are ignored by the rest of the build system but necessary for
+# hardening flags.
+CFLAGS += $(CPPFLAGS)
 CC = /usr/bin/gcc
 
 #
Index: theseus-1.6.2/Makefile
===================================================================
--- theseus-1.6.2.orig/Makefile	2012-04-09 02:09:02.995167470 +0200
+++ theseus-1.6.2/Makefile	2012-04-09 02:09:34.139167608 +0200
@@ -36,12 +36,12 @@
 
 distfitexe:
 					$(CC) $(OPT) $(CFLAGS) -c distfit.c
-					$(CC) $(OPT) $(CFLAGS) $(LIBDIR) $(LAPACKLIBDIR) $(BLASLIBDIR) distfit.o $(LIBS) $(LAPACKLIB) $(BLASLIB) $(SYSLIBS) -o distfit
+					$(CC) $(OPT) $(CFLAGS) $(LDFLAGS) $(LIBDIR) $(LAPACKLIBDIR) $(BLASLIBDIR) distfit.o $(LIBS) $(LAPACKLIB) $(BLASLIB) $(SYSLIBS) -o distfit
 
 
 # THESEUS-specific files
 theseus:			theseus.o $(OBJECTS)
-					$(CC) $(OPT) $(CFLAGS) $(LIBDIR) $(LAPACKLIBDIR) $(BLASLIBDIR) theseus.o $(OBJECTS) $(LIBS) $(LAPACKLIB) $(BLASLIB) $(SYSLIBS) -o theseus
+					$(CC) $(OPT) $(CFLAGS) $(LDFLAGS) $(LIBDIR) $(LAPACKLIBDIR) $(BLASLIBDIR) theseus.o $(OBJECTS) $(LIBS) $(LAPACKLIB) $(BLASLIB) $(SYSLIBS) -o theseus
 
 CovMat.o:			CovMat.c
 					$(CC) $(OPT) $(CFLAGS) $(INCDIR) -c CovMat.c
Description: Fix compile with dpkg-buildflags.
 Use -Wno-error=unused-result to ignore unimportant warnings and filter out
 -O2.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-04-09

Index: theseus-1.6.2/make.inc
===================================================================
--- theseus-1.6.2.orig/make.inc	2012-04-09 02:10:23.355167827 +0200
+++ theseus-1.6.2/make.inc	2012-04-09 02:11:03.507168001 +0200
@@ -24,11 +24,14 @@
 INSTALLDIR = /usr/local/bin
 #OPT = -O0 -ggdb
 OPT = -O3 -ffast-math -fstrict-aliasing -funroll-loops -fomit-frame-pointer 
-WARN = -Werror -Wall -pedantic -std=c99 #-Wstrict-aliasing=2
+WARN = -Werror -Wno-error=unused-result -Wall -pedantic -std=c99 #-Wstrict-aliasing=2
 CFLAGS += $(WARN) #-force_cpusubtype_ALL -mmacosx-version-min=10.4 -arch x86_64 -arch i386 #-DNDEBUG
 # CPPFLAGS are ignored by the rest of the build system but necessary for
 # hardening flags.
 CFLAGS += $(CPPFLAGS)
+# Filter out -O2 which overwrites the default -O3 because OPT is used before
+# CFLAGS.
+CFLAGS := $(filter-out -O2,$(CFLAGS))
 CC = /usr/bin/gcc
 
 #

Attachment: signature.asc
Description: Digital signature

Reply via email to