Package: sysvinit
Version: 2.88dsf-27
Severity: normal
Tags: patch

Dear Maintainer,
The CPPFLAGS hardening flags (-D_FORTIFY_SOURCE=2) are missing because they are not set in debian/rules. For more hardening information please have a look at [1], [2] and [3]. The following patch fixes the issue by passing $CPPFLAGS with $CFLAGS.

diff -Nru sysvinit-2.88dsf/debian/rules sysvinit-2.88dsf/debian/rules
--- sysvinit-2.88dsf/debian/rules 2012-06-08 23:22:27.000000000 +0200
+++ sysvinit-2.88dsf/debian/rules 2012-06-24 21:08:59.000000000 +0200
@@ -38,10 +38,10 @@ dh $@ $(DH_OPTIONS) override_dh_auto_build: - $(MAKE) $(CROSS) $(CONFFLAGS) -C src DISTRO=Debian LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" - $(MAKE) $(CROSS) COPTS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" -C startpar + $(MAKE) $(CROSS) $(CONFFLAGS) -C src DISTRO=Debian LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) CFLAGS="$(CFLAGS) $(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" + $(MAKE) $(CROSS) COPTS="$(CFLAGS) $(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" -C startpar ifeq ($(DEB_HOST_ARCH_OS),linux) - $(MAKE) $(CROSS) COPTS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" -C startpar startpar-upstart-inject + $(MAKE) $(CROSS) COPTS="$(CFLAGS) $(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" -C startpar startpar-upstart-inject endif override_dh_auto_install-arch:

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log with `blhc` (hardening-check doesn't catch everything):

$ hardening-check /sbin/shutdown /sbin/runlevel /sbin/halt
...
/sbin/shutdown:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/sbin/runlevel:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no not found!
/sbin/halt:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
...

(Position Independent Executable and Immediate binding are not enabled by default.)
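Review bot: the same "$(CFLAGS) $(CPPFLAGS)" string is now repeated in all three $(MAKE) invocations of this hunk (the src build, the startpar build and the startpar-upstart-inject build under ifeq ($(DEB_HOST_ARCH_OS),linux)), so any target added to override_dh_auto_build later can silently miss CPPFLAGS again, which is the very omission this patch fixes. Since neither src nor startpar is given CPPFLAGS on its own, it would be more robust to fold it in once near the top of debian/rules, e.g. `CFLAGS += $(CPPFLAGS)`, and leave the existing CFLAGS="$(CFLAGS)" and COPTS="$(CFLAGS)" arguments untouched. The ordering in the hunk is fine either way: -D_FORTIFY_SOURCE=2 only takes effect with optimisation enabled, and the -O level comes from the $(CFLAGS) it is appended to. Note also that the third invocation is Linux-only, so a build log from another kernel port will show only two CPPFLAGS-bearing compile runs.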
blhc reports three false positives:

CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cc -Wl,-z,relro halt.o ifdown.o hddown.o utmp.o reboot.h -o halt
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cc -Wl,-z,relro shutdown.o dowall.o utmp.o reboot.h -o shutdown
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cc -Wl,-z,relro last.o oldutmp.h -o last

I'm not sure why the header files are used when linking; building works fine without them.

Use

find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
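As an added example that is not part of Simon's report, of blhc, or of the sysvinit package, the following POSIX shell script does by hand the triage the report describes: it reads compiler lines from a build log, flags compile steps that lack -D_FORTIFY_SOURCE=2 (or carry it without an -O level, where fortification does nothing), and treats link-only steps such as the three blhc lines quoted above as expected rather than as failures. The function names, the cc/gcc prefix test, and the sample log lines (constructed, modelled on the lines in the report) are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify compiler lines from a build log.  Link-only
# steps (no -c and no source file among the arguments) never need
# -D_FORTIFY_SOURCE=2, so they are reported as "link" instead of
# "missing", which is the case behind the three false positives above.

# classify_fortify_line LINE
# Prints "link", "ok" or "missing".  Returns 0 for link/ok, 1 for missing.
# Flags are scanned left to right, so a later -U_FORTIFY_SOURCE or -O0
# undoes an earlier -D_FORTIFY_SOURCE=2 / -O2, as it does for gcc itself.
classify_fortify_line() {
    line=$1
    compiles=0
    fortify=0
    optimise=0
    set -f                      # do not glob-expand words such as *.o or -Wl,-z,relro
    for word in $line; do
        case $word in
            -c|*.c|*.cc|*.cpp)                      compiles=1 ;;
            -D_FORTIFY_SOURCE=2|-D_FORTIFY_SOURCE=3) fortify=1 ;;
            -U_FORTIFY_SOURCE|-D_FORTIFY_SOURCE=0)   fortify=0 ;;
            -O|-O[123s])                            optimise=1 ;;
            -O0)                                    optimise=0 ;;
        esac
    done
    set +f
    if [ "$compiles" -eq 0 ]; then
        echo link
        return 0
    fi
    if [ "$fortify" -eq 1 ] && [ "$optimise" -eq 1 ]; then
        echo ok
        return 0
    fi
    echo missing
    return 1
}

# scan_build_log < build.log
# Prints one verdict per compiler line and returns 1 if any compile step
# lacks fortification.  Only lines starting with cc/gcc (or a cross
# compiler ending in -gcc) are inspected; make and dh chatter is skipped.
scan_build_log() {
    missing=0
    while IFS= read -r l; do
        case $l in
            "cc "*|"gcc "*|*"-gcc "*) ;;
            *) continue ;;
        esac
        verdict=$(classify_fortify_line "$l") || missing=$((missing + 1))
        printf '%-7s %s\n' "$verdict" "$l"
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample log (assumption of this example): one fortified
# compile, one compile that lost CPPFLAGS, and one link step.
SAMPLE_LOG='cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c halt.c -o halt.o
cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c ifdown.c -o ifdown.o
cc -Wl,-z,relro halt.o ifdown.o hddown.o utmp.o reboot.h -o halt'

if printf '%s\n' "$SAMPLE_LOG" | scan_build_log; then
    echo "all compile steps carry -D_FORTIFY_SOURCE=2"
else
    echo "some compile steps lack -D_FORTIFY_SOURCE=2 (link-only steps are not counted)"
fi
```

Run it against a real log with `scan_build_log < build.log`; the verdict column makes it obvious whether a blhc complaint concerns a compile step (a genuine gap) or a link step (noise), which is the distinction the report had to make by eye.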