Package: less Version: 444-3 Severity: normal Tags: patch Dear Maintainer,
The CFLAGS hardening flags are missing because they are
overwritten in debian/rules. For more hardening information
please have a look at [1], [2] and [3].
The following patch fixes the issue.
diff -Nru less-444/debian/rules less-444/debian/rules
--- less-444/debian/rules 2012-06-09 12:35:35.000000000 +0200
+++ less-444/debian/rules 2012-06-10 14:42:26.000000000 +0200
@@ -16,7 +16,7 @@
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk
-CFLAGS = -Wall -g #-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
+CFLAGS += -Wall -g #-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
CFLAGS += -O0
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):
$ hardening-check /bin/lessecho /bin/lesskey /bin/less
/bin/lessecho:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
/bin/lesskey:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/bin/less:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature

