On Mon, May 28, 2012 at 07:31:54AM +0900, Hideki Yamane wrote:
> Hi Simon,
>
> Thanks for your patch, but how about attached one? (almost same)

Hi Hideki,

Your patch works fine to fix the missing flags. However AM_CPPFLAGS/CPPFLAGS are not meant for compiler flags, but for preprocessor flags. The correct fix is to use AM_CFLAGS in this case, the attached patch (against the original source) does that and works fine.

If you're willing to fix the build system, then using AM_CFLAGS is the correct approach.

>> Even though the "Fortify Source functions" are now correctly
>> passed, they are not used at the moment. But that's fine.
>
> I'm not familiar with hardening, so could you explain why this
> is fine?

"Fortify Source" (which is enabled by -D_FORTIFY_SOURCE=2) tries to harden the source by adding, among other things, additional boundary checks when compiling. Sometimes this is not possible because the compiler doesn't know the sizes used in a strcpy() operation for example (or it's not necessary because the compiler knows the operation is always safe). If that's the case then the normal unprotected function is used.

`hardening-check` prints "no, only unprotected functions found!" if no protected functions are found. If you run it with --verbose you can see that only two functions, memmove() and memcpy(), are not protected. However `hardening-check` can't know if no protection was necessary or if the flags are missing. To be sure you have to check the build log (which is what I did with blhc).

So in the case of loqui no checks are necessary (or possible with the current -D_FORTIFY_SOURCE). If the code changes in the future (or -D_FORTIFY_SOURCE gets better) and the checks can be added when compiling, they will be automatically used, because -D_FORTIFY_SOURCE=2 is now correctly passed to the compiler.

Regards,
Simon
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Index: loqui-0.5.3/libloqui/Makefile.am =================================================================== --- loqui-0.5.3.orig/libloqui/Makefile.am 2012-05-24 14:39:41.000000000 +0200 +++ loqui-0.5.3/libloqui/Makefile.am 2012-05-28 01:21:06.040103405 +0200 @@ -25,7 +25,7 @@ SUBDIRS = . protocols INCLUDES = $(GLIB_CFLAGS) $(GNET_CFLAGS) $(EXTRA_WARNING_CFLAGS) -I$(includedir) -I$(top_srcdir) -DG_LOG_DOMAIN=\"libloqui\" -CPPFLAGS = -g -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes +AM_CFLAGS = -g -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes %.c %.h %-private.h: %.gob gob2 --always-private-header $< Index: loqui-0.5.3/libloqui/protocols/jabber/Makefile.am =================================================================== --- loqui-0.5.3.orig/libloqui/protocols/jabber/Makefile.am 2012-05-24 14:39:41.000000000 +0200 +++ loqui-0.5.3/libloqui/protocols/jabber/Makefile.am 2012-05-28 01:21:06.048103405 +0200 @@ -24,7 +24,7 @@ INCLUDES = $(GLIB_CFLAGS) $(GNET_CFLAGS) $(EXTRA_WARNING_CFLAGS) -I$(includedir) -I$(top_srcdir) -DG_LOG_DOMAIN=\"libloqui\" -CPPFLAGS = -g -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes +AM_CFLAGS = -g -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes %.c %.h %-private.h: %.gob gob2 --always-private-header $< Index: loqui-0.5.3/src/Makefile.am =================================================================== --- loqui-0.5.3.orig/src/Makefile.am 2012-05-24 14:39:41.000000000 +0200 +++ loqui-0.5.3/src/Makefile.am 2012-05-28 01:21:06.048103405 +0200 
@@ -40,7 +40,7 @@ bin_PROGRAMS = loqui INCLUDES = -I$(includedir) -I$(top_srcdir)/libloqui -I$(top_builddir)/libloqui -I$(top_srcdir) -I$(top_builddir) -DG_LOG_DOMAIN=\"Loqui\" -CPPFLAGS = $(GTK_CFLAGS) $(EXTRA_WARNING_CFLAGS) -g -DDATADIR=\""$(datadir)"\" $(GNET_CFLAGS) -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes +AM_CFLAGS = $(GTK_CFLAGS) $(EXTRA_WARNING_CFLAGS) -g -DDATADIR=\""$(datadir)"\" $(GNET_CFLAGS) -Wall -Wredundant-decls -Wmissing-declarations -Wmissing-prototypes loqui_SOURCES = \
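
Review bot: In the libloqui/Makefile.am and libloqui/protocols/jabber/Makefile.am hunks, the unchanged INCLUDES line above the new AM_CFLAGS still mixes $(EXTRA_WARNING_CFLAGS) in with the -I and -DG_LOG_DOMAIN preprocessor options. If that variable holds warning options, as its name suggests, it belongs with the other -W flags in AM_CFLAGS by the same reasoning this patch applies. INCLUDES is also the older Automake name for AM_CPPFLAGS, so a follow-up could rename it once the compiler flags are out of it.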
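
Review bot: In the src/Makefile.am hunk, the new AM_CFLAGS line keeps -DDATADIR=\""$(datadir)"\", which is a preprocessor define and not a compiler flag, so the CPPFLAGS/CFLAGS split the patch aims for is only partly achieved here. Consider moving that define next to -DG_LOG_DOMAIN on the INCLUDES line (or into AM_CPPFLAGS) and leaving -g and the -W options in AM_CFLAGS. The build result is the same either way, since compilation passes both sets of flags.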
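
The point made in the mail above, that the binary alone cannot tell "flags missing" apart from "flags passed but nothing to check", as an added example. It is not part of the original message and is not code from hardening-check or blhc; the function names, the symbol subset and the sample log lines are constructed for illustration.

```python
import re

# Constructed subset of libc calls that glibc can swap for __NAME_chk variants.
FORTIFIABLE = {"memcpy", "memmove", "strcpy", "strcat", "sprintf", "snprintf"}

def binary_verdict(imported_symbols):
    """What the linked binary alone reveals about fortified calls."""
    protected, unprotected = set(), set()
    for sym in imported_symbols:
        m = re.fullmatch(r"__(\w+)_chk", sym)
        if m and m.group(1) in FORTIFIABLE:
            protected.add(m.group(1))
        elif sym in FORTIFIABLE:
            unprotected.add(sym)
    if protected:
        return "mixed" if unprotected else "protected"
    return "only-unprotected" if unprotected else "none-used"

def compiles_missing_fortify(build_log):
    """Compile commands in the log that were run without -D_FORTIFY_SOURCE=2."""
    missing = []
    for line in build_log.splitlines():
        args = line.split()
        if args and args[0] in ("gcc", "cc") and "-c" in args:
            if "-D_FORTIFY_SOURCE=2" not in args:
                missing.append(line)
    return missing

def assess(imported_symbols, build_log):
    """Combine both views; only the log separates the two 'unprotected' cases."""
    verdict = binary_verdict(imported_symbols)
    if compiles_missing_fortify(build_log):
        return verdict, "flags missing from build"
    if verdict == "only-unprotected":
        return verdict, "flags passed, no call was checkable or needed a check"
    return verdict, "flags passed"

# Constructed sample data (not taken from the loqui build).
SYMBOLS = ["memcpy", "memmove", "g_free", "gtk_main"]
LOG_BEFORE = "gcc -DHAVE_CONFIG_H -I. -g -O2 -Wall -c main.c -o main.o\n"
LOG_AFTER = ("gcc -DHAVE_CONFIG_H -I. -D_FORTIFY_SOURCE=2 -g -O2 -Wall "
             "-c main.c -o main.o\n")

if __name__ == "__main__":
    print(assess(SYMBOLS, LOG_BEFORE))
    print(assess(SYMBOLS, LOG_AFTER))
```

The symbol verdict is identical for both logs; only the build-log check changes the conclusion.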

