Package: sysvinit Version: 2.88dsf-27 Severity: normal Tags: patch Dear Maintainer,
The CPPFLAGS hardening flags (-D_FORTIFY_SOURCE=2) are missing
because they are not set in debian/rules. For more hardening
information please have a look at [1], [2] and [3].
The following patch fixes the issue by passing $CPPFLAGS with
$CFLAGS.
diff -Nru sysvinit-2.88dsf/debian/rules sysvinit-2.88dsf/debian/rules
--- sysvinit-2.88dsf/debian/rules 2012-06-08 23:22:27.000000000 +0200
+++ sysvinit-2.88dsf/debian/rules 2012-06-24 21:08:59.000000000 +0200
@@ -38,10 +38,10 @@
dh $@ $(DH_OPTIONS)
override_dh_auto_build:
- $(MAKE) $(CROSS) $(CONFFLAGS) -C src DISTRO=Debian
LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)"
- $(MAKE) $(CROSS) COPTS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" -C startpar
+ $(MAKE) $(CROSS) $(CONFFLAGS) -C src DISTRO=Debian
LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) CFLAGS="$(CFLAGS) $(CPPFLAGS)"
LDFLAGS="$(LDFLAGS)"
+ $(MAKE) $(CROSS) COPTS="$(CFLAGS) $(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" -C
startpar
ifeq ($(DEB_HOST_ARCH_OS),linux)
- $(MAKE) $(CROSS) COPTS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" -C startpar
startpar-upstart-inject
+ $(MAKE) $(CROSS) COPTS="$(CFLAGS) $(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" -C
startpar startpar-upstart-inject
endif
override_dh_auto_install-arch:
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):
$ hardening-check /sbin/shutdown /sbin/runlevel /sbin/halt ...
/sbin/shutdown:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/sbin/runlevel:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
/sbin/halt:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
...
(Position Independent Executable and Immediate binding is not
enabled by default.)
blhc reports three false positives:
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cc -Wl,-z,relro halt.o ifdown.o
hddown.o utmp.o reboot.h -o halt
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cc -Wl,-z,relro shutdown.o
dowall.o utmp.o reboot.h -o shutdown
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cc -Wl,-z,relro last.o oldutmp.h
-o last
I'm not sure why the header files are used when linking, building
works fine without them.
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature
