Bug#681482: ecryptfs-utils: Hardening flags missing

Fri, 13 Jul 2012 07:54:20 -0700 

Package: ecryptfs-utils
Version: 98-2
Severity: normal
Tags: patch

Dear Maintainer,

The hardening flags are missing because they are disabled in
debian/rules. For more hardening information please have a look
at [1], [2] and [3].

Please don't disable all hardening flags just because a single
one doesn't work. See man dpkg-buildflags for ways to disable
them separately (e.g. -format in this case).

The attached patches enable all hardening flags.

- $CPPFLAGS are lost in ./configure because ac_python_devel.m4
  overwrites it, configure-fix-missing-cppflags.patch fixes this
  issue.
- The -Werror=format-security issues is fixed in
  wformat-security.patch.

These patches should be sent to upstream if possible.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):

    $ hardening-check 
/usr/lib/python2.7/dist-packages/ecryptfs-utils/_libecryptfs.so 
/usr/lib/x86_64-linux-gnu/libecryptfs.so.0.0.0 /usr/bin/ecryptfs-manager 
/usr/bin/ecryptfs-wrap-passphrase ...
    /usr/lib/python2.7/dist-packages/ecryptfs-utils/_libecryptfs.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/lib/x86_64-linux-gnu/libecryptfs.so.0.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/ecryptfs-manager:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/ecryptfs-wrap-passphrase:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: yes
    ...

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Description: Don't overwrite CPPFLAGS in configure.
 Necessary for (hardening) flags from dpkg-buildflags.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-07-11

--- ecryptfs-utils-98.orig/configure
+++ ecryptfs-utils-98/configure
@@ -14258,6 +14258,8 @@ ac_link='$CC -o conftest$ac_exeext $CFLA
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
         # save current global flags
+        ac_save_CPPFLAGS="$CPPFLAGS"
+        ac_save_LIBS="$LIBS"
         LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
         CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--- ecryptfs-utils-98.orig/m4/ac_python_devel.m4
+++ ecryptfs-utils-98/m4/ac_python_devel.m4
@@ -158,6 +158,8 @@ $ac_distutils_result])
         AC_MSG_CHECKING([consistency of all components of python development environment])
         AC_LANG_PUSH([C])
         # save current global flags
+        ac_save_CPPFLAGS="$CPPFLAGS"
+        ac_save_LIBS="$LIBS"
         LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
         CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
         AC_TRY_LINK([

Description: Fix compiling with -Werror=format-security.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-07-11

--- ecryptfs-utils-98.orig/src/libecryptfs/module_mgr.c
+++ ecryptfs-utils-98/src/libecryptfs/module_mgr.c
@@ -813,7 +813,7 @@ int ecryptfs_process_decision_graph(stru
 	}
 	ad_cursor = ad_cursor->next;
 	ad_cursor->next = NULL;
-	if ((rc = asprintf(&ad_cursor->name,
+	if ((rc = asprintf(&ad_cursor->name, "%s",
 			   key_module_select_node.mnt_opt_names[0])) == -1) {
 		rc = -ENOMEM;
 		goto out_free_allowed_duplicates;

diff -Nru ecryptfs-utils-98/debian/ecryptfs-utils.lintian-overrides ecryptfs-utils-98/debian/ecryptfs-utils.lintian-overrides
--- ecryptfs-utils-98/debian/ecryptfs-utils.lintian-overrides	2012-06-29 13:22:29.000000000 +0200
+++ ecryptfs-utils-98/debian/ecryptfs-utils.lintian-overrides	2012-07-11 03:05:41.000000000 +0200
@@ -1,8 +1,3 @@
-# ecryptfs-utils does not (yet) build with hardening build flags
-ecryptfs-utils: hardening-no-stackprotector
-ecryptfs-utils: hardening-no-fortify-functions
-ecryptfs-utils: hardening-no-relro
-
 # false positives
 ecryptfs-utils: setuid-binary sbin/mount.ecryptfs_private 4755 root/root
 ecryptfs-utils: executable-not-elf-or-script usr/share/ecryptfs-utils/ecryptfs-record-passphrase
diff -Nru ecryptfs-utils-98/debian/libecryptfs0.lintian-overrides ecryptfs-utils-98/debian/libecryptfs0.lintian-overrides
--- ecryptfs-utils-98/debian/libecryptfs0.lintian-overrides	2012-06-29 13:22:36.000000000 +0200
+++ ecryptfs-utils-98/debian/libecryptfs0.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
@@ -1,4 +0,0 @@
-# ecryptfs-utils does not (yet) build with hardening build flags
-libecryptfs0: hardening-no-stackprotector
-libecryptfs0: hardening-no-fortify-functions
-libecryptfs0: hardening-no-relro
diff -Nru ecryptfs-utils-98/debian/python-ecryptfs.lintian-overrides ecryptfs-utils-98/debian/python-ecryptfs.lintian-overrides
--- ecryptfs-utils-98/debian/python-ecryptfs.lintian-overrides	2012-06-29 13:22:43.000000000 +0200
+++ ecryptfs-utils-98/debian/python-ecryptfs.lintian-overrides	2012-07-11 03:05:41.000000000 +0200
@@ -1,8 +1,3 @@
-# ecryptfs-utils does not (yet) build with hardening build flags
-python-ecryptfs: hardening-no-stackprotector
-python-ecryptfs: hardening-no-fortify-functions
-python-ecryptfs: hardening-no-relro
-
 # false positives
 python-ecryptfs: postinst-has-useless-call-to-ldconfig
 python-ecryptfs: postrm-has-useless-call-to-ldconfig
diff -Nru ecryptfs-utils-98/debian/rules ecryptfs-utils-98/debian/rules
--- ecryptfs-utils-98/debian/rules	2012-06-29 16:42:04.000000000 +0200
+++ ecryptfs-utils-98/debian/rules	2012-07-11 03:42:56.000000000 +0200
@@ -5,8 +5,7 @@
 
 CFLAGS += -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
 
-# ecryptfs-utils does not (yet) build with hardening build flags
-export DEB_BUILD_MAINT_OPTIONS = hardening=-all
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 
 %:
 	dh ${@} --with autotools_dev,python2
@@ -15,7 +14,6 @@
 	dh_auto_configure -- \
 		--enable-gpg --enable-pam --enable-static --enable-tspi \
 		--disable-gui --disable-openssl --disable-pkcs11-helper \
-		CFLAGS="$(CFLAGS)"
 
 override_dh_auto_install:
 	dh_auto_install

Attachment: signature.asc
Description: Digital signature

Reply via email to