Package: iputils Version: 3:20101006-2 Followup-For: Bug #656023 Dear Maintainer,
3:20101006-2 didn't correctly enable the CFLAGS hardening flags because they are not set in debian/rules and are overwritten in the Makefile. The attached patch fixes the issue. For more hardening information please have a look at [1], [2] and [3]. To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log with `blhc` (hardening-check doesn't catch everything): $ hardening-check /usr/bin/tracepath6 /usr/bin/tracepath /usr/bin/traceroute6.iputils ... /usr/bin/tracepath6: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/bin/tracepath: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/bin/traceroute6.iputils: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! ... (Position Independent Executable and Immediate binding are not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
diff -Nru iputils-20101006/debian/patches/fix-format-security.patch iputils-20101006/debian/patches/fix-format-security.patch
--- iputils-20101006/debian/patches/fix-format-security.patch 1970-01-01 01:00:00.000000000 +0100
+++ iputils-20101006/debian/patches/fix-format-security.patch 2012-08-29 16:02:53.000000000 +0200
@@ -0,0 +1,17 @@
+Description: Fix compiling with -Wformat=security.
+Author: Simon Ruderich <si...@ruderich.org>
+Last-Update: 2012-08-29
+
+Index: iputils-20101006/rdisc.c
+===================================================================
+--- iputils-20101006.orig/rdisc.c 2011-01-24 09:10:05.000000000 +0100
++++ iputils-20101006/rdisc.c 2012-08-29 15:59:38.887301839 +0200
+@@ -231,7 +231,7 @@
+ 
+ static void prusage(void)
+ {
+- (void) fprintf(stderr, usage);
++ (void) fprintf(stderr, "%s", usage);
+ exit(1);
+ }
+ 
diff -Nru iputils-20101006/debian/patches/series iputils-20101006/debian/patches/series
--- iputils-20101006/debian/patches/series 2012-08-20 09:10:23.000000000 +0200
+++ iputils-20101006/debian/patches/series 2012-08-29 16:03:15.000000000 +0200
@@ -9,3 +9,4 @@
 bug_601147_audible_flood
 bug_628893_flush_stdout_on_truncated_packets
 set_buildflags
+fix-format-security.patch
diff -Nru iputils-20101006/debian/patches/set_buildflags iputils-20101006/debian/patches/set_buildflags
--- iputils-20101006/debian/patches/set_buildflags 2012-08-20 09:10:23.000000000 +0200
+++ iputils-20101006/debian/patches/set_buildflags 2012-08-29 16:03:50.000000000 +0200
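Review bot: The DEP-3 header of fix-format-security.patch carries no `Bug-Debian:` or `Forwarded:` field, so the patch's origin and upstream status are undocumented; adding `Bug-Debian: http://bugs.debian.org/656023` and a `Forwarded:` line would record both, and a one-line fix like this is a natural candidate for forwarding. The code change itself is right: with `usage` as the format argument the compiler cannot check the call, and `"%s"` makes it correct whatever the string contains. The nested hunk shows only prusage; if rdisc.c has other non-literal format calls they would still trip -Wformat=security once it is treated as an error.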
@@ -1,10 +1,15 @@
-Index: iputils/Makefile
+Index: iputils-20101006/Makefile
 ===================================================================
---- iputils.orig/Makefile 2012-08-19 23:44:30.000000000 -0700
-+++ iputils/Makefile 2012-08-19 23:50:23.000000000 -0700
-@@ -16,7 +16,7 @@
- CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
- CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES)
+--- iputils-20101006.orig/Makefile 2012-08-29 15:47:40.000000000 +0200
++++ iputils-20101006/Makefile 2012-08-29 15:55:23.255303301 +0200
+@@ -13,10 +13,10 @@
+ CC=gcc
+ # What a pity, all new gccs are buggy and -Werror does not work. Sigh.
+ #CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror
+-CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
+-CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES)
++CCOPT=-D_GNU_SOURCE -Wstrict-prototypes -Wall
++CFLAGS+=$(CCOPT) $(GLIBCFIX) $(DEFINES)
 -IPV4_TARGETS=tracepath ping arping clockdiff
 +IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
@@ -16,14 +21,14 @@
  tftpd: tftpd.o tftpsubs.o
 -arping: arping.o -lsysfs
-+ $(CC) $(LDFLAGS) tftpd.o tftpsubs.o -o tftpd
++ $(CC) $(CFLAGS) $(LDFLAGS) tftpd.o tftpsubs.o -o tftpd
 +arping: arping.o
-+ $(CC) $(LDFLAGS) arping.o -o arping -lsysfs
++ $(CC) $(CFLAGS) $(LDFLAGS) arping.o -o arping -lsysfs
  ping: ping.o ping_common.o
 -ping6: ping6.o ping_common.o -lresolv -lcrypto
-+ $(CC) $(LDFLAGS) ping.o ping_common.o -o ping
++ $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -o ping
 +ping6: ping6.o ping_common.o
-+ $(CC) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
++ $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
  ping.o ping6.o ping_common.o: ping_common.h
  tftpd.o tftpsubs.o: tftp.h
diff -Nru iputils-20101006/debian/rules iputils-20101006/debian/rules
--- iputils-20101006/debian/rules 2012-08-20 09:10:23.000000000 +0200
+++ iputils-20101006/debian/rules 2012-08-29 15:58:04.000000000 +0200
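Review bot: `CFLAGS+=$(CCOPT) $(GLIBCFIX) $(DEFINES)` appends flags the compile cannot do without (`-D_GNU_SOURCE`, `$(DEFINES)`), but a `+=` in a makefile is silently discarded when CFLAGS is passed on the make command line rather than exported from the environment as debian/rules does; `override CFLAGS+=$(CCOPT) $(GLIBCFIX) $(DEFINES)` keeps the mandatory part in both cases. Dropping `-O2 -g` from CCOPT also leaves a build with no exported CFLAGS unoptimised and without debug info; that presumably only matters outside the Debian package build, where dpkg-buildflags supplies both, but `CFLAGS ?= -O2 -g` before the append would restore the upstream default for that case. The nested hunk announces ten and fifteen lines while fewer are visible here, so a blank context line was probably lost in this rendering; verify the patch still applies.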
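Review bot: The four new link recipes spell out the object list and output name by hand (`$(CC) $(CFLAGS) $(LDFLAGS) tftpd.o tftpsubs.o -o tftpd`), which drifts as soon as a prerequisite changes; `$(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@` for tftpd and ping, with the `-lsysfs` / `-lresolv -lcrypto` libraries appended after `$^`, says the same thing once per rule. Only these four programs receive `$(CFLAGS)` at link time; the other IPV4_TARGETS are presumably still linked by make's built-in rule, which passes only LDFLAGS, so a CFLAGS entry that matters when linking (a future `-pie`, which the report's hardening-check output shows is not enabled today) would reach just these four — worth a sentence in the patch header. This rendering shows twelve lines where the `-16,14 +21,14` header announces fourteen, so blank context lines of the nested hunk were probably lost.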
@@ -4,7 +4,7 @@
 #export DH_VERBOSE=1
 export CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
-export DEBIAN_CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
+export CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
 export LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
 # This has to be exported to make some magic below work.
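Review bot: Renaming `DEBIAN_CFLAGS` to `CFLAGS` changes what the rest of debian/rules sees; any `$(DEBIAN_CFLAGS)` reference left outside this hunk (the file continues past it) now expands to empty without a diagnostic unless make runs with `--warn-undefined-variables`, so grep the file for the old name before uploading. The three `export …:=$(shell dpkg-buildflags --get …)` lines could be replaced by `DPKG_EXPORT_BUILDFLAGS = 1` followed by `include /usr/share/dpkg/buildflags.mk`, which exports CFLAGS, CPPFLAGS, LDFLAGS and the other dpkg-buildflags variables and picks up future flag additions without editing the rules file; that needs a dpkg-dev recent enough to ship buildflags.mk, so check the build-dependency. The hunk announces seven lines on each side but shows five, so the blank context lines were presumably lost in this rendering.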