On Wed, May 16, 2012 at 12:55:13AM +0200, Simon Ruderich wrote:
> Package: libnspr4
> Version: 2:4.9-2
> Severity: important
>
> Dear Maintainer,
>
> The LDFLAGS hardening flags are missing. For more hardening
> information please have a look at [1], [2] and [3].
>
> $ hardening-check /usr/lib/x86_64-linux-gnu/libplc4.so
> /usr/lib/x86_64-linux-gnu/libplds4.so /usr/lib/x86_64-linux-gnu/libnspr4.so
> /usr/lib/x86_64-linux-gnu/libplc4.so:
> Position Independent Executable: no, regular shared library (ignored)
> Stack protected: no, not found!
> Fortify Source functions: no, only unprotected functions found!
> Read-only relocations: no, not found!
> Immediate binding: no not found!
> /usr/lib/x86_64-linux-gnu/libplds4.so:
> Position Independent Executable: no, regular shared library (ignored)
> Stack protected: no, not found!
> Fortify Source functions: no, only unprotected functions found!
> Read-only relocations: no, not found!
> Immediate binding: no not found!
> /usr/lib/x86_64-linux-gnu/libnspr4.so:
> Position Independent Executable: no, regular shared library (ignored)
> Stack protected: yes
> Fortify Source functions: yes (some protected functions found)
> Read-only relocations: no, not found!
> Immediate binding: no not found!
>
> To check if all flags were correctly enabled you can use
> `hardening-check` from the hardening-includes package and check
> the build log (for example with blhc [4]) (hardening-check
> doesn't catch everything).
>
> I've no idea what the code in debian/rules in lines 4-7 is
> supposed to do, so I can't propose a patch. If relro should be
> disabled please add a comment so non-make-geeks are not confused
> ;-)

It was meant to be disabled, but otoh, rethinking about it, it's not that useful to disable it in nspr.

Mike
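
An added example, not part of the original thread: a small parser that turns hardening-check output of the kind quoted in the report into a per-library list of missing protections, skipping results the tool itself marks "(ignored)". The function names `parse_report` and `missing` are hypothetical, and the sample text is constructed from the format quoted above (the leading space on check lines is an assumption; the parser accepts either form).

```python
import re

# Constructed sample in the format of the hardening-check output quoted above.
SAMPLE = """\
/usr/lib/x86_64-linux-gnu/libplc4.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: no, not found!
 Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/libnspr4.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: no, not found!
 Immediate binding: no not found!
"""

# A check line is "<name>: yes|no<detail>"; a file header is "<path>:" alone.
CHECK_RE = re.compile(r"^\s*(?P<name>[^:]+):\s+(?P<verdict>yes|no)\b(?P<detail>.*)$")


def parse_report(text):
    """Return {path: {check name: (passed, ignored)}} from hardening-check output."""
    report, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = CHECK_RE.match(line)
        if m and current is not None:
            ignored = "(ignored)" in m["detail"]
            current[m["name"].strip()] = (m["verdict"] == "yes", ignored)
        elif line.endswith(":"):
            current = report.setdefault(line[:-1].strip(), {})
    return report


def missing(report):
    """Map each file to the checks that failed and were not marked as ignored."""
    return {path: sorted(n for n, (ok, ign) in checks.items() if not ok and not ign)
            for path, checks in report.items()}


if __name__ == "__main__":
    for path, names in missing(parse_report(SAMPLE)).items():
        print(f"{path}: {', '.join(names) or 'all checks passed'}")
```

As the report notes, hardening-check doesn't catch everything, so a clean result here is not a substitute for checking the build log.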

