Bug#656023: Please enabled hardened build flags

Simon Ruderich Wed, 29 Aug 2012 07:18:18 -0700

Package: iputils
Version: 3:20101006-2
Followup-For: Bug #656023

Dear Maintainer,


3:20101006-2 didn't correctly enable the CFLAGS hardening flags
because they are not set in debian/rules and overwritten in
Makefile.

The attached patch fixes the issue. For more hardening
information please have a look at [1], [2] and [3].

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):

    $ hardening-check /usr/bin/tracepath6 /usr/bin/tracepath 
/usr/bin/traceroute6.iputils ...
    /usr/bin/tracepath6:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/tracepath:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/traceroute6.iputils:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

diff -Nru iputils-20101006/debian/patches/fix-format-security.patch iputils-20101006/debian/patches/fix-format-security.patch
--- iputils-20101006/debian/patches/fix-format-security.patch	1970-01-01 01:00:00.000000000 +0100
+++ iputils-20101006/debian/patches/fix-format-security.patch	2012-08-29 16:02:53.000000000 +0200
@@ -0,0 +1,17 @@
+Description: Fix compiling with -Wformat=security.
+Author: Simon Ruderich <si...@ruderich.org>
+Last-Update: 2012-08-29
+
+Index: iputils-20101006/rdisc.c
+===================================================================
+--- iputils-20101006.orig/rdisc.c	2011-01-24 09:10:05.000000000 +0100
++++ iputils-20101006/rdisc.c	2012-08-29 15:59:38.887301839 +0200
+@@ -231,7 +231,7 @@
+ 
+ static void prusage(void)
+ {
+-	(void) fprintf(stderr, usage);
++	(void) fprintf(stderr, "%s", usage);
+ 	exit(1);
+ }
+ 
diff -Nru iputils-20101006/debian/patches/series iputils-20101006/debian/patches/series
--- iputils-20101006/debian/patches/series	2012-08-20 09:10:23.000000000 +0200
+++ iputils-20101006/debian/patches/series	2012-08-29 16:03:15.000000000 +0200
@@ -9,3 +9,4 @@
 bug_601147_audible_flood
 bug_628893_flush_stdout_on_truncated_packets
 set_buildflags
+fix-format-security.patch
diff -Nru iputils-20101006/debian/patches/set_buildflags iputils-20101006/debian/patches/set_buildflags
--- iputils-20101006/debian/patches/set_buildflags	2012-08-20 09:10:23.000000000 +0200
+++ iputils-20101006/debian/patches/set_buildflags	2012-08-29 16:03:50.000000000 +0200
@@ -1,10 +1,15 @@
-Index: iputils/Makefile
+Index: iputils-20101006/Makefile
 ===================================================================
---- iputils.orig/Makefile	2012-08-19 23:44:30.000000000 -0700
-+++ iputils/Makefile	2012-08-19 23:50:23.000000000 -0700
-@@ -16,7 +16,7 @@
- CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
- CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES) 
+--- iputils-20101006.orig/Makefile	2012-08-29 15:47:40.000000000 +0200
++++ iputils-20101006/Makefile	2012-08-29 15:55:23.255303301 +0200
+@@ -13,10 +13,10 @@
+ CC=gcc
+ # What a pity, all new gccs are buggy and -Werror does not work. Sigh.
+ #CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror
+-CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
+-CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES) 
++CCOPT=-D_GNU_SOURCE -Wstrict-prototypes -Wall
++CFLAGS+=$(CCOPT) $(GLIBCFIX) $(DEFINES)
  
 -IPV4_TARGETS=tracepath ping arping clockdiff
 +IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
@@ -16,14 +21,14 @@
  
  tftpd: tftpd.o tftpsubs.o
 -arping: arping.o -lsysfs
-+	$(CC) $(LDFLAGS) tftpd.o tftpsubs.o -o tftpd
++	$(CC) $(CFLAGS) $(LDFLAGS) tftpd.o tftpsubs.o -o tftpd
 +arping: arping.o
-+	$(CC) $(LDFLAGS) arping.o -o arping -lsysfs
++	$(CC) $(CFLAGS) $(LDFLAGS) arping.o -o arping -lsysfs
  ping: ping.o ping_common.o
 -ping6: ping6.o ping_common.o -lresolv -lcrypto
-+	$(CC) $(LDFLAGS) ping.o ping_common.o -o ping
++	$(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -o ping
 +ping6: ping6.o ping_common.o
-+	$(CC) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
++	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
  ping.o ping6.o ping_common.o: ping_common.h
  tftpd.o tftpsubs.o: tftp.h
  
diff -Nru iputils-20101006/debian/rules iputils-20101006/debian/rules
--- iputils-20101006/debian/rules	2012-08-20 09:10:23.000000000 +0200
+++ iputils-20101006/debian/rules	2012-08-29 15:58:04.000000000 +0200
@@ -4,7 +4,7 @@
 #export DH_VERBOSE=1
 
 export CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
-export DEBIAN_CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
+export CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
 export LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
 
 # This has to be exported to make some magic below work.

signature.asc
Description: Digital signature

Bug#656023: Please enabled hardened build flags

Reply via email to