Package: chktex Version: 1.6.6-1 Severity: normal Tags: patch Dear Maintainer,
The CFLAGS (hardening) flags (which include -g) are missing
because they are overwritten in debian/rules. For more hardening
information please have a look at [1], [2] and [3].
The following patch fixes the issue.
diff -Nru chktex-1.6.6/debian/rules chktex-1.6.6/debian/rules
--- chktex-1.6.6/debian/rules 2012-09-10 15:44:04.000000000 +0200
+++ chktex-1.6.6/debian/rules 2012-09-13 12:58:02.000000000 +0200
@@ -14,10 +14,9 @@
CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
TMPCFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
-CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS)
LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS)
-CFLAGS = -Wall -fstack-protector --param=ssp-buffer-size=4 -Wformat $(CPPFLAGS)
+CFLAGS = $(CPPFLAGS) $(TMPCFLAGS) -Wall
INSTALL = install
INSTALL_FILE = $(INSTALL) -p -o root -g root -m 644
INSTALL_PROGRAM = $(INSTALL) -p -o root -g root -m 755
The patch also removes CXXFLAGS because they are not used in
debian/rules.
When compiling with all flags some -Werror=format-security errors
occurred, the attached patch fixes them. If possible it should be
forwarded to upstream (they are not dangerous though).
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):
$ hardening-check /usr/bin/chktex
/usr/bin/chktex:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Fix compiling with -Werror=format-security.
Prevents format string attacks.
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2012-09-13
Index: chktex-1.6.6/ChkTeX.c
===================================================================
--- chktex-1.6.6.orig/ChkTeX.c 2010-12-18 22:18:13.000000000 +0100
+++ chktex-1.6.6/ChkTeX.c 2012-09-13 13:01:20.539787455 +0200
@@ -350,7 +350,7 @@
}
if (!Quiet || LicenseOnly)
- fprintf(stderr, Banner);
+ fprintf(stderr, "%s", Banner);
if (CurArg == argc)
UsingStdIn = TRUE;
@@ -368,7 +368,7 @@
if ((UsingStdIn && StdInTTY && !Quiet) || LicenseOnly)
{
- fprintf(stderr, BigBanner);
+ fprintf(stderr, "%s", BigBanner);
}
if (!StdOutTTY && PipeOutputFormat)
@@ -376,7 +376,7 @@
if (LicenseOnly)
{
- fprintf(stderr, Distrib);
+ fprintf(stderr, "%s", Distrib);
}
else
{
@@ -953,7 +953,7 @@
nextc = ParseBoolArg(&HeadErrOut, &optarg);
break;
case 'W':
- printf(Banner);
+ printf("%s", Banner);
exit(EXIT_SUCCESS);
case '?':
default:
signature.asc
Description: Digital signature
