Package: letterize
Version: 1.3-2
Severity: normal
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing due to a typo in
makefile_add_flags.patch. For more hardening information please
have a look at [1], [2] and [3].

The following patch fixes the issue. Btw. CXXFLAGS are not
necessary in this case because no C++ files are built.

diff -Nru letterize-1.3/debian/patches/makefile_add_flags.patch 
letterize-1.3/debian/patches/makefile_add_flags.patch
--- letterize-1.3/debian/patches/makefile_add_flags.patch       2012-05-28 
05:48:49.000000000 +0200
+++ letterize-1.3/debian/patches/makefile_add_flags.patch       2012-05-29 
03:45:52.000000000 +0200
@@ -3,13 +3,15 @@
 Author: Francois Marier <franc...@debian.org>
 Last-Update: 2012-05-28
 
---- a/Makefile
-+++ b/Makefile
-@@ -6,6 +6,7 @@ VERS=$(shell sed <letterize.spec -n -e '/Version: 
\(.*\)/s//\1/p')
+Index: letterize-1.3/Makefile
+===================================================================
+--- letterize-1.3.orig/Makefile        2012-05-29 03:43:16.000000000 +0200
++++ letterize-1.3/Makefile     2012-05-29 03:45:44.324712366 +0200
+@@ -6,6 +6,7 @@
  all: letterize
  
  letterize: letterize.c
-+      gcc -o letterize $(CFLAGS) $(CPPFLAGES) $(CXXFLAGS) $(LDFLAGS) 
letterize.c
++      gcc -o letterize $(CFLAGS) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) 
letterize.c
  
  SOURCES = README COPYING letterize.xml Makefile letterize.c letterize.spec
  
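Review bot: the `Last-Update: 2012-05-28` context line at the top of the hunk is left untouched although the embedded patch body below it changes; bump it to the date of this revision so the DEP-3 header stays accurate. Also, the corrected line `++      gcc -o letterize $(CFLAGS) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS)` still passes `$(CXXFLAGS)` to a C compile even though the report states no C++ files are built; dropping it avoids feeding C++-only options to gcc for letterize.c.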

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/bin/letterize
    /usr/bin/letterize:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.
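As an added illustration of the build-log check that blhc performs (this is not code from the bug report or from the letterize package), the script below scans compiler lines in a log for the hardening flags and reports what is missing; with the `$(CPPFLAGES)` typo the only flag that disappears is `-D_FORTIFY_SOURCE=2`, which dpkg-buildflags carries in CPPFLAGS. The required-flag list assumes the flags dpkg-buildflags emitted for the hardening release goal at the time, and both log lines are constructed.

```shell
#!/bin/sh
# Constructed build-log lines: the first is what the typo'd Makefile produces
# ($(CPPFLAGES) expands to nothing, so -D_FORTIFY_SOURCE=2 is gone), the
# second is the output after the fix.
LOG_BROKEN='gcc -o letterize -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wl,-z,relro letterize.c'
LOG_FIXED='gcc -o letterize -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro letterize.c'

# Flags that dpkg-buildflags emitted for the hardening goal (assumption):
# CPPFLAGS, CFLAGS and LDFLAGS parts that must show up on every compiler line.
REQUIRED_FLAGS='-D_FORTIFY_SOURCE=2 -fstack-protector -Wformat -Werror=format-security -Wl,-z,relro'

# missing_flags LINE: print each required flag that is absent from LINE.
# Padding with spaces makes "-Wformat" not match inside "-Wformat-security".
missing_flags() {
    line=$1
    for flag in $REQUIRED_FLAGS; do
        case " $line " in
            *" $flag "*) ;;
            *) printf '%s\n' "$flag" ;;
        esac
    done
}

# check_build_log FILE: examine every gcc/cc invocation in a build log and
# report the flags each one lacks. Returns the number of deficient lines.
check_build_log() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            gcc\ *|cc\ *|*' gcc '*|*' cc '*) ;;
            *) continue ;;   # not a compiler invocation (e.g. dh_auto_build)
        esac
        missing=$(missing_flags "$line")
        if [ -n "$missing" ]; then
            bad=$((bad + 1))
            printf 'MISSING in: %s\n' "$line"
            printf '  %s\n' $missing
        fi
    done < "$1"
    return "$bad"
}

# Stand-alone demo on a constructed log containing both lines.
demo=$(mktemp)
printf '%s\n%s\ndh_auto_build\n' "$LOG_BROKEN" "$LOG_FIXED" > "$demo"
rc=0
check_build_log "$demo" || rc=$?
rm -f "$demo"
echo "deficient compiler lines: $rc"
```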

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
