Package: pidgin-twitter Version: 0.9.2.1-2 Severity: important Tags: patch Dear Maintainer,
The CPPFLAGS hardening flags are missing because the build system
ignores them. For more hardening information please have a look
at [1], [2] and [3].
The following patch fixes the issue.
Btw. instead of renaming CFLAGS to PT_CFLAGS you could just use
CFLAGS += (instead of CFLAGS = in the original Makefile).
diff -Nru
pidgin-twitter-0.9.2.1/debian/patches/enable_hardening_build_flags.patch
pidgin-twitter-0.9.2.1/debian/patches/enable_hardening_build_flags.patch
--- pidgin-twitter-0.9.2.1/debian/patches/enable_hardening_build_flags.patch
2012-03-25 12:45:12.000000000 +0200
+++ pidgin-twitter-0.9.2.1/debian/patches/enable_hardening_build_flags.patch
2012-04-09 02:34:49.000000000 +0200
@@ -25,7 +25,7 @@
.c.o:
- $(CC) -o $@ $< -c $(CFLAGS)
-+ $(CC) -o $@ $< -c $(PT_CFLAGS)
++ $(CC) -o $@ $< -c $(CPPFLAGS) $(PT_CFLAGS)
install: $(TARGET)
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/lib/pidgin/pidgin-twitter.so
/usr/lib/pidgin/pidgin-twitter.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature

