Package: chktex Version: 1.6.6-1 Severity: normal Tags: patch Dear Maintainer,
The CFLAGS (hardening) flags (which include -g) are missing because they are overwritten in debian/rules. For more hardening information please have a look at [1], [2] and [3]. The following patch fixes the issue. diff -Nru chktex-1.6.6/debian/rules chktex-1.6.6/debian/rules --- chktex-1.6.6/debian/rules 2012-09-10 15:44:04.000000000 +0200 +++ chktex-1.6.6/debian/rules 2012-09-13 12:58:02.000000000 +0200 @@ -14,10 +14,9 @@ CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS) TMPCFLAGS:=$(shell dpkg-buildflags --get CFLAGS) -CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS) LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) -CFLAGS = -Wall -fstack-protector --param=ssp-buffer-size=4 -Wformat $(CPPFLAGS) +CFLAGS = $(CPPFLAGS) $(TMPCFLAGS) -Wall INSTALL = install INSTALL_FILE = $(INSTALL) -p -o root -g root -m 644 INSTALL_PROGRAM = $(INSTALL) -p -o root -g root -m 755 The patch also removes CXXFLAGS because they are not used in debian/rules. When compiling with all flags some -Werror=format-security errors occurred, the attached patch fixes them. If possible it should be forwarded to upstream (they are not dangerous though). To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log with `blhc` (hardening-check doesn't catch everything): $ hardening-check /usr/bin/chktex /usr/bin/chktex: Position Independent Executable: no, normal executable! Stack protected: no, not found! Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
Description: Fix compiling with -Werror=format-security. Prevents format string attacks. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-09-13 Index: chktex-1.6.6/ChkTeX.c =================================================================== --- chktex-1.6.6.orig/ChkTeX.c 2010-12-18 22:18:13.000000000 +0100 +++ chktex-1.6.6/ChkTeX.c 2012-09-13 13:01:20.539787455 +0200 @@ -350,7 +350,7 @@ } if (!Quiet || LicenseOnly) - fprintf(stderr, Banner); + fprintf(stderr, "%s", Banner); if (CurArg == argc) UsingStdIn = TRUE; @@ -368,7 +368,7 @@ if ((UsingStdIn && StdInTTY && !Quiet) || LicenseOnly) { - fprintf(stderr, BigBanner); + fprintf(stderr, "%s", BigBanner); } if (!StdOutTTY && PipeOutputFormat) @@ -376,7 +376,7 @@ if (LicenseOnly) { - fprintf(stderr, Distrib); + fprintf(stderr, "%s", Distrib); } else { @@ -953,7 +953,7 @@ nextc = ParseBoolArg(&HeadErrOut, &optarg); break; case 'W': - printf(Banner); + printf("%s", Banner); exit(EXIT_SUCCESS); case '?': default:
signature.asc
Description: Digital signature