Package: less
Version: 444-3
Severity: normal
Tags: patch

Dear Maintainer,

The CFLAGS hardening flags are missing because they are overwritten in
debian/rules. For more hardening information please have a look at [1],
[2] and [3].

The following patch fixes the issue.

diff -Nru less-444/debian/rules less-444/debian/rules
--- less-444/debian/rules	2012-06-09 12:35:35.000000000 +0200
+++ less-444/debian/rules	2012-06-10 14:42:26.000000000 +0200
@@ -16,7 +16,7 @@
 DPKG_EXPORT_BUILDFLAGS = 1
 include /usr/share/dpkg/buildflags.mk
-CFLAGS = -Wall -g #-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
+CFLAGS += -Wall -g #-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
 ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
 CFLAGS += -O0

To check if all flags were correctly enabled you can use `hardening-check`
from the hardening-includes package and check the build log (for example
with blhc [4]) (hardening-check doesn't catch everything):

    $ hardening-check /bin/lessecho /bin/lesskey /bin/less
    /bin/lessecho:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    /bin/lesskey:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /bin/less:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not enabled by
default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
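Review bot: with `CFLAGS +=` the noopt branch that follows (`CFLAGS += -O0`) becomes redundant: dpkg-buildflags, pulled in by the `include /usr/share/dpkg/buildflags.mk` two lines above, already replaces its default `-O2` with `-O0` when DEB_BUILD_OPTIONS contains noopt, so the explicit branch now only appends a second `-O0`. It is harmless (gcc honours the last -O option), as is the `-g` in `-Wall -g` now duplicating the `-g` that dpkg-buildflags supplies, but both could be dropped in a follow-up to keep debian/rules from restating what buildflags.mk provides. The `+=` itself is the right fix: the previous `=` discarded the whole dpkg-buildflags CFLAGS, hardening options included, which is what produced the missing flags.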
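Two of the checks the report points at, scanning compiler invocations in a build log (what blhc does) and reading hardening-check's per-binary output, as an added Python example that is not part of the bug report and is not the code of blhc or hardening-check. The flag set it expects (stack protector, format warnings, FORTIFY_SOURCE=2, RELRO, with PIE and immediate binding allowed to be off) is an assumption matching the defaults the report describes; the build-log lines are constructed, the hardening-check text is the report's own output for /bin/less.

```python
"""Spot missing Debian hardening flags in a build log and in a
hardening-check report.  Added example, not the report's, blhc's or
hardening-check's own code.  Assumption: the default dpkg-buildflags
hardening set of the time (stack protector, format warnings,
FORTIFY_SOURCE=2, RELRO); PIE and bindnow are not expected."""
import re
import shlex
from typing import Dict, List

COMPILER_RE = re.compile(r"(^|/)(cc|gcc|g\+\+|c\+\+)(-[\d.]+)?$")
SOURCE_SUFFIXES = (".c", ".cc", ".cpp", ".cxx")

# (name reported when missing, predicate recognising a satisfying argument)
REQUIRED_COMPILE = [
    ("-fstack-protector", lambda a: a.startswith("-fstack-protector")),
    ("-Wformat", lambda a: a == "-Wformat" or a.startswith("-Wformat=")),
    # dpkg-buildflags spells this -Werror=format-security, which implies it
    ("-Wformat-security", lambda a: a in ("-Wformat-security", "-Werror=format-security")),
    ("-D_FORTIFY_SOURCE=2", lambda a: a == "-D_FORTIFY_SOURCE=2"),
]
REQUIRED_LINK = [
    ("-Wl,-z,relro", lambda a: a == "-Wl,-z,relro" or a.startswith("-Wl,-z,relro,")),
]


def missing_compile_flags(cmd: str) -> List[str]:
    """Hardening flags absent from one compiler command line; [] for
    lines that are not compiler invocations (make chatter and the like)."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quote, e.g. make's `dir' messages
        return []
    if not argv or not COMPILER_RE.search(argv[0]):
        return []
    args = argv[1:]
    compiles = any(a.endswith(SOURCE_SUFFIXES) for a in args)
    links = not any(a in ("-c", "-E", "-S") for a in args)
    missing: List[str] = []
    if compiles:
        missing += [n for n, ok in REQUIRED_COMPILE if not any(ok(a) for a in args)]
        # FORTIFY_SOURCE does nothing without optimisation, so a trailing -O0
        # (as in the noopt branch of debian/rules) silently disables it.
        opt = [a for a in args if a.startswith("-O")]
        if "-D_FORTIFY_SOURCE=2" in args and (not opt or opt[-1] == "-O0"):
            missing.append("-O1 or higher (FORTIFY_SOURCE needs optimisation)")
    if links:
        missing += [n for n, ok in REQUIRED_LINK if not any(ok(a) for a in args)]
    return missing


def scan_build_log(log: str) -> Dict[str, List[str]]:
    """Map each offending command line in a build log to what it lacks."""
    findings: Dict[str, List[str]] = {}
    for line in log.splitlines():
        if missing := missing_compile_flags(line):
            findings[line] = missing
    return findings


def parse_hardening_check(output: str) -> Dict[str, Dict[str, bool]]:
    """Parse hardening-check's text report into {binary: {feature: enabled}}.
    A feature counts as enabled when its status starts with 'yes'."""
    report: Dict[str, Dict[str, bool]] = {}
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            report[current] = {}
        elif current is not None and ":" in line:
            feature, _, status = line.strip().partition(":")
            report[current][feature.strip()] = status.strip().startswith("yes")
    return report


def failing_binaries(report: Dict[str, Dict[str, bool]],
                     expected_missing=("Position Independent Executable", "Immediate binding")):
    """Binaries lacking a feature that should be on by default."""
    return {b: bad for b, feats in report.items()
            if (bad := [f for f, on in feats.items() if not on and f not in expected_missing])}


# Constructed build-log lines: the first two compile and link commands are
# what the unfixed `CFLAGS = -Wall -g` yields, the last is the fixed compile.
SAMPLE_LOG = """\
make[1]: Entering directory `/tmp/less-444'
gcc -D_FORTIFY_SOURCE=2 -Wall -g -c main.c
gcc -Wall -g -o less main.o
gcc -D_FORTIFY_SOURCE=2 -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c main.c
"""

# hardening-check output for /bin/less as pasted in the report.
SAMPLE_CHECK = """\
/bin/less:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
"""

if __name__ == "__main__":
    for cmd, lacks in scan_build_log(SAMPLE_LOG).items():
        print(f"{cmd}\n    missing: {', '.join(lacks)}")
    print(failing_binaries(parse_hardening_check(SAMPLE_CHECK)) or "binaries: OK")
```

Run on a real build log (`scan_build_log(open("build.log").read())`) the compile-line check catches exactly the failure in this report, the `-fstack-protector`, `-Wformat` and `-Werror=format-security` that a `CFLAGS =` override throws away, while the hardening-check parser confirms the result on the installed binaries; neither is a substitute for blhc, which knows many more compiler and build-system quirks.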