Package: exim4
Version: 4.80-4
Severity: important
Tags: patch

Dear Maintainer,
The CPPFLAGS and LDFLAGS hardening flags are missing because they
are ignored by the build system. For more hardening information
please have a look at [1], [2] and [3].
The attached patches (exim_debian_rules.patch and
fix-missing-ldflags.patch) fix the issue but I'm not sure if
forcing LFLAGS to LDFLAGS is the best way to handle the LDFLAGS
problem.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):
$ hardening-check /usr/lib/exim4/eximon.bin /usr/sbin/exim4 /usr/sbin/exim4
/usr/sbin/exim_lock /usr/sbin/exim_dbmbuild /usr/sbin/exim_tidydb ...
/usr/lib/exim4/eximon.bin:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/exim4:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/exim4:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/exim_lock:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/exim_dbmbuild:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/exim_tidydb:
Position Independent Executable: yes
...
Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.
When checking the build log with blhc, the build system causes
many false positives; the attached patches
makefile-missing-fullecho.patch and fix-too-verbose.patch fix
this issue. I'm not sure if it's worth including them, but they
are useful while testing.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
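The hardening-check gate the report describes, as an added shell example that is not part of Simon's report (the parser, the constructed sample report and the helper names are mine): it reads hardening-check output and fails as soon as any property of any binary is not reported as "yes", which is the check to run over the build result.

```shell
#!/bin/sh
# Added example, not part of the bug report: turn hardening-check output into a
# pass/fail gate. hardening-check prints a "path:" line per binary followed by
# "Property: yes|no ..." lines; anything that is not "yes" is a finding.
# Reads the report on stdin, prints "path<TAB>property<TAB>value" for every
# finding and exits 1 if there was at least one.
hardening_failures() {
    awk '
        # A line that ends in ":" and has no other colon names the binary.
        /^[^:]+:[ \t]*$/ { sub(/:[ \t]*$/, ""); file = $0; next }
        # Property lines: "Stack protected: yes" or "...: no, not found!"
        /:/ {
            prop = $0; sub(/:.*/, "", prop); sub(/^[ \t]+/, "", prop)
            val = $0;  sub(/^[^:]*:[ \t]*/, "", val)
            if (val !~ /^yes/) { printf "%s\t%s\t%s\n", file, prop, val; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample in the shape of the report above: exim_lock is the binary
# that missed LDFLAGS, so relro and immediate binding come back as "no".
SAMPLE_REPORT='/usr/sbin/exim4:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/sbin/exim_lock:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: no, not found!
 Immediate binding: no, not found!'

# Number of findings in the sample (helper for checking the gate).
sample_finding_count() {
    printf '%s\n' "$SAMPLE_REPORT" | hardening_failures | wc -l | tr -d ' '
}

# After a build, the same gate over every installed binary and shared object:
#   find debian/tmp -type f \( -executable -o -name '*.so*' \) \
#       -exec hardening-check {} + | hardening_failures
```

A "Fortify Source functions: unknown, ..." line is also treated as a finding, so a binary that uses no protectable libc function has to be reviewed by hand rather than waved through.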
diff -Nru exim4-4.80/debian/rules exim4-4.80/debian/rules --- exim4-4.80/debian/rules 2012-06-03 16:28:53.000000000 +0200 +++ exim4-4.80/debian/rules 2012-09-14 17:11:25.000000000 +0200 @@ -22,6 +22,8 @@ endif CFLAGS := $(CFLAGS) $(shell getconf LFS_CFLAGS) -D_LARGEFILE_SOURCE -fno-strict-aliasing -Wall +# The build system ignores CPPFLAGS, append them to CFLAGS. +CFLAGS += $(CPPFLAGS) export CFLAGS LC_ALL=C
Description: Use LDFLAGS from environment (dpkg-buildflags). Necessary for hardening flags. . The buildsystem uses LFLAGS and LDFLAGS, but doesn't pass LDFLAGS when linking some binaries, fix that. Author: Simon Ruderich <[email protected]> Last-Update: 2012-09-14 Index: exim4-4.80/OS/Makefile-Linux =================================================================== --- exim4-4.80.orig/OS/Makefile-Linux 2012-09-14 17:07:28.926489036 +0200 +++ exim4-4.80/OS/Makefile-Linux 2012-09-14 17:07:31.190489123 +0200 @@ -22,6 +22,8 @@ XLFLAGS=-L$(X11)/lib X11_LD_LIB=$(X11)/lib +LFLAGS=$(LDFLAGS) + EXIWHAT_PS_ARG=ax EXIWHAT_EGREP_ARG='/exim4( |$$)' EXIWHAT_MULTIKILL_CMD=killall Index: exim4-4.80/OS/Makefile-Base =================================================================== --- exim4-4.80.orig/OS/Makefile-Base 2012-09-14 17:07:28.926489036 +0200 +++ exim4-4.80/OS/Makefile-Base 2012-09-14 17:07:31.190489123 +0200 @@ -113,7 +113,7 @@ # Targets for special-purpose configuration header builders buildconfig: buildconfig.c @echo "$(CC) buildconfig.c" - $(FE)$(CC) $(CFLAGS) $(INCLUDE) -o buildconfig buildconfig.c $(LIBS) + $(FE)$(CC) $(CFLAGS) $(LFLAGS) $(INCLUDE) -o buildconfig buildconfig.c $(LIBS) # Target for the exicyclog utility script
Description: Add missing $(FE) to Makefiles. Author: Simon Ruderich <[email protected]> Last-Update: 2012-09-14 Index: exim4-4.80/src/transports/Makefile =================================================================== --- exim4-4.80.orig/src/transports/Makefile 2012-09-14 17:07:28.110489005 +0200 +++ exim4-4.80/src/transports/Makefile 2012-09-14 17:07:34.374489244 +0200 @@ -7,7 +7,7 @@ transports.a: $(OBJ) @$(RM_COMMAND) -f transports.a @echo "$(AR) transports.a" - @$(AR) transports.a $(OBJ) + $(FE)$(AR) transports.a $(OBJ) $(RANLIB) $@ .SUFFIXES: .o .c Index: exim4-4.80/src/routers/Makefile =================================================================== --- exim4-4.80.orig/src/routers/Makefile 2012-09-14 17:07:28.110489005 +0200 +++ exim4-4.80/src/routers/Makefile 2012-09-14 17:07:34.374489244 +0200 @@ -14,7 +14,7 @@ routers.a: $(OBJ) @$(RM_COMMAND) -f routers.a @echo "$(AR) routers.a" - @$(AR) routers.a $(OBJ) + $(FE)$(AR) routers.a $(OBJ) $(RANLIB) $@ .SUFFIXES: .o .c Index: exim4-4.80/src/lookups/Makefile =================================================================== --- exim4-4.80.orig/src/lookups/Makefile 2012-09-14 17:07:28.110489005 +0200 +++ exim4-4.80/src/lookups/Makefile 2012-09-14 17:07:34.374489244 +0200 @@ -14,7 +14,7 @@ lookups.a: $(OBJ) @$(RM_COMMAND) -f lookups.a @echo "$(AR) lookups.a" - @$(AR) lookups.a $(OBJ) + $(FE)$(AR) lookups.a $(OBJ) $(RANLIB) $@ .SUFFIXES: .o .c .so
Description: WTF Author: Simon Ruderich <[email protected]> Last-Update: 2012-09-14 Index: exim4-4.80/OS/Makefile-Base =================================================================== --- exim4-4.80.orig/OS/Makefile-Base 2012-09-14 17:07:31.190489123 +0200 +++ exim4-4.80/OS/Makefile-Base 2012-09-14 17:07:37.078489347 +0200 @@ -112,7 +112,6 @@ # Targets for special-purpose configuration header builders buildconfig: buildconfig.c - @echo "$(CC) buildconfig.c" $(FE)$(CC) $(CFLAGS) $(LFLAGS) $(INCLUDE) -o buildconfig buildconfig.c $(LIBS) @@ -320,7 +319,6 @@ exim: lookups/lookups.a auths/auths.a pdkim/pdkim.a \ routers/routers.a transports/transports.a \ $(OBJ_EXIM) version.o - @echo "$(LNCC) -o exim" $(FE)$(PURIFY) $(LNCC) -o exim $(LFLAGS) $(OBJ_EXIM) version.o \ routers/routers.a transports/transports.a lookups/lookups.a \ auths/auths.a pdkim/pdkim.a \ @@ -341,7 +339,6 @@ OBJ_DUMPDB = exim_dumpdb.o util-os.o util-store.o exim_dumpdb: $(OBJ_DUMPDB) - @echo "$(LNCC) -o exim_dumpdb" $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_dumpdb $(LFLAGS) $(OBJ_DUMPDB) \ $(LIBS) $(EXTRALIBS) $(DBMLIB) @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ @@ -356,7 +353,6 @@ OBJ_FIXDB = exim_fixdb.o util-os.o util-store.o exim_fixdb: $(OBJ_FIXDB) auths/auths.a - @echo "$(LNCC) -o exim_fixdb" $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_fixdb $(LFLAGS) $(OBJ_FIXDB) \ auths/auths.a $(LIBS) $(EXTRALIBS) $(DBMLIB) @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ @@ -371,7 +367,6 @@ OBJ_TIDYDB = exim_tidydb.o util-os.o util-store.o exim_tidydb: $(OBJ_TIDYDB) - @echo "$(LNCC) -o exim_tidydb" $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_tidydb $(LFLAGS) $(OBJ_TIDYDB) \ $(LIBS) $(EXTRALIBS) $(DBMLIB) @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ @@ -384,7 +379,6 @@ # The utility for building dbm files exim_dbmbuild: exim_dbmbuild.o - @echo "$(LNCC) -o exim_dbmbuild" $(FE)$(LNCC) -o exim_dbmbuild $(LFLAGS) exim_dbmbuild.o \ $(LIBS) $(EXTRALIBS) $(DBMLIB) @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ 
@@ -397,9 +391,7 @@ # The utility for locking a mailbox while messing around with it exim_lock: exim_lock.c - @echo "$(CC) exim_lock.c" $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) exim_lock.c - @echo "$(LNCC) -o exim_lock" $(FE)$(LNCC) -o exim_lock $(LFLAGS) exim_lock.o \ $(LIBS) $(EXTRALIBS) @if [ x"$(STRIP_COMMAND)" != x"" ]; then \ @@ -427,10 +419,8 @@ eximon.bin: $(EXIMON_EDITME) eximon $(OBJ_MONBIN) \ ../exim_monitor/em_version.c - @echo "$(CC) exim_monitor/em_version.c" $(FE)$(CC) -o em_version.o -c \ $(CFLAGS) $(XINCLUDE) -I. ../exim_monitor/em_version.c - @echo "$(LNCC) -o eximon.bin" $(FE)$(PURIFY) $(LNCC) -o eximon.bin em_version.o $(LFLAGS) $(XLFLAGS) \ $(OBJ_MONBIN) -lXaw -lXmu -lXt -lXext -lX11 $(PCRE_LIBS) \ $(LIBS) $(LIBS_EXIMON) $(EXTRALIBS) $(EXTRALIBS_EXIMON) -lc @@ -452,7 +442,7 @@ PHDRS = ../config.h ../dbfunctions.h ../dbstuff.h ../exim.h ../functions.h ../globals.h ../local_scan.h ../macros.h ../mytypes.h ../structs.h .SUFFIXES: .o .c -.c.o:; @echo "$(CC) $*.c" +.c.o: $(FE)$(CC) -c $(CFLAGS) -I. $(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE) $*.c # Update Exim's version information and build the version object. @@ -473,27 +463,23 @@ # Compile instructions for perl.o for when EXIM_PERL is set perl.o: $(HDRS) perl.c - @echo "$(PERL_CC) perl.c" $(FE)$(PERL_CC) $(PERL_CCOPTS) $(CFLAGS) $(INCLUDE) -c perl.c # Compile instructions for the database utility modules exim_dumpdb.o: $(HDRS) exim_dbutil.c - @echo "$(CC) -DEXIM_DUMPDB exim_dbutil.c" $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) \ -DCOMPILE_UTILITY \ -DEXIM_DUMPDB \ -o exim_dumpdb.o exim_dbutil.c exim_fixdb.o: $(HDRS) exim_dbutil.c - @echo "$(CC) -DEXIM_FIXDB exim_dbutil.c" $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) \ -DCOMPILE_UTILITY \ -DEXIM_FIXDB \ -o exim_fixdb.o exim_dbutil.c exim_tidydb.o: $(HDRS) exim_dbutil.c - @echo "$(CC) -DEXIM_TIDYDB exim_dbutil.c" $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) \ -DCOMPILE_UTILITY \ -DEXIM_TIDYDB \ 
@@ -502,26 +488,21 @@ # Compile instructions for exim_dbmbuild exim_dbmbuild.o: $(HDRS) exim_dbmbuild.c - @echo "$(CC) exim_dbmbuild.c" $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) -o exim_dbmbuild.o exim_dbmbuild.c # Utilities use special versions of some modules - typically with debugging # calls cut out. util-spool_in.o: $(HDRS) spool_in.c - @echo "$(CC) -DCOMPILE_UTILITY spool_in.c" $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) -DCOMPILE_UTILITY -o util-spool_in.o spool_in.c util-store.o: $(HDRS) store.c - @echo "$(CC) -DCOMPILE_UTILITY store.c" $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) -DCOMPILE_UTILITY -o util-store.o store.c util-string.o: $(HDRS) string.c - @echo "$(CC) -DCOMPILE_UTILITY string.c" $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) -DCOMPILE_UTILITY -o util-string.o string.c util-os.o: $(HDRS) os.c - @echo "$(CC) -DCOMPILE_UTILITY os.c" $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) \ -DCOMPILE_UTILITY \ -DOS_LOAD_AVERAGE \ @@ -532,7 +513,6 @@ # from a source whose location is set by configuration. local_scan.o: Makefile config.h local_scan.h ../$(LOCAL_SCAN_SOURCE) - @echo "$(CC) local_scan.c" $(FE)$(CC) -c $(CFLAGS) -I. $(INCLUDE) -o local_scan.o ../$(LOCAL_SCAN_SOURCE) # Dependencies for the "ordinary" exim modules @@ -639,7 +619,6 @@ em_xs.o: ../exim_monitor/em_xs.c ../exim_monitor/em_hdr.h em_version.o: ../exim_monitor/em_version.c ../exim_monitor/em_hdr.h $(MONBIN): $(HDRS) - @echo "$(CC) exim_monitor/`echo $@ | sed 's/o$$/c/'`" $(FE)$(CC) -o $@ -c $(CFLAGS) -I. -I../exim_monitor $(INCLUDE) $(XINCLUDE) \ ../exim_monitor/`echo $@ | sed 's/o$$/c/'` Index: exim4-4.80/src/transports/Makefile =================================================================== --- exim4-4.80.orig/src/transports/Makefile 2012-09-14 17:07:34.374489244 +0200 +++ exim4-4.80/src/transports/Makefile 2012-09-14 17:07:37.078489347 +0200 
@@ -6,12 +6,11 @@ transports.a: $(OBJ) @$(RM_COMMAND) -f transports.a - @echo "$(AR) transports.a" $(FE)$(AR) transports.a $(OBJ) $(RANLIB) $@ .SUFFIXES: .o .c -.c.o:; @echo "$(CC) $*.c" +.c.o: $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c appendfile.o: $(HDRS) appendfile.c appendfile.h tf_maildir.h Index: exim4-4.80/src/routers/Makefile =================================================================== --- exim4-4.80.orig/src/routers/Makefile 2012-09-14 17:07:34.374489244 +0200 +++ exim4-4.80/src/routers/Makefile 2012-09-14 17:07:37.078489347 +0200 @@ -13,12 +13,11 @@ routers.a: $(OBJ) @$(RM_COMMAND) -f routers.a - @echo "$(AR) routers.a" $(FE)$(AR) routers.a $(OBJ) $(RANLIB) $@ .SUFFIXES: .o .c -.c.o:; @echo "$(CC) $*.c" +.c.o: $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c rf_change_domain.o: $(HDRS) rf_change_domain.c rf_functions.h Index: exim4-4.80/src/pdkim/Makefile =================================================================== --- exim4-4.80.orig/src/pdkim/Makefile 2012-09-14 17:07:27.374488977 +0200 +++ exim4-4.80/src/pdkim/Makefile 2012-09-14 17:07:37.082489347 +0200 @@ -4,12 +4,11 @@ pdkim.a: $(OBJ) @$(RM_COMMAND) -f pdkim.a - @echo "$(AR) pdkim.a" $(FE)$(AR) pdkim.a $(OBJ) $(RANLIB) $@ .SUFFIXES: .o .c -.c.o:; @echo "$(CC) $*.c" +.c.o: $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c base64.o: $(HDRS) base64.c Index: exim4-4.80/src/lookups/Makefile =================================================================== --- exim4-4.80.orig/src/lookups/Makefile 2012-09-14 17:07:34.374489244 +0200 +++ exim4-4.80/src/lookups/Makefile 2012-09-14 17:07:37.082489347 +0200 
@@ -13,15 +13,14 @@ lookups.a: $(OBJ) @$(RM_COMMAND) -f lookups.a - @echo "$(AR) lookups.a" $(FE)$(AR) lookups.a $(OBJ) $(RANLIB) $@ .SUFFIXES: .o .c .so -.c.o:; @echo "$(CC) $*.c" +.c.o: $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c -.c.so:; @echo "$(CC) -shared $*.c" +.c.so: $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $*.c -o $@ lf_check_file.o: $(PHDRS) lf_check_file.c lf_functions.h Index: exim4-4.80/src/auths/Makefile =================================================================== --- exim4-4.80.orig/src/auths/Makefile 2012-09-14 17:07:27.374488977 +0200 +++ exim4-4.80/src/auths/Makefile 2012-09-14 17:07:37.082489347 +0200 @@ -13,12 +13,11 @@ auths.a: $(OBJ) @$(RM_COMMAND) -f auths.a - @echo "$(AR) auths.a" $(FE)$(AR) auths.a $(OBJ) $(RANLIB) $@ .SUFFIXES: .o .c -.c.o:; @echo "$(CC) $*.c" +.c.o: $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c auth-spa.o: $(HDRS) auth-spa.c
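Review bot: In the debian/rules hunk, `CFLAGS += $(CPPFLAGS)` only helps if CPPFLAGS is actually set when the rule runs, and the surrounding context shows an assignment and export for CFLAGS but none for CPPFLAGS; confirm that debian/rules obtains CPPFLAGS from dpkg-buildflags (or that the build driver exports it), otherwise the new line is a no-op and the flags stay missing. Because the combined value is exported as CFLAGS, the preprocessor flags will also reach the `$(LNCC) $(CFLAGS)` link lines in Makefile-Base; that is harmless, but worth a sentence in the comment so the workaround can be dropped once the build system honours CPPFLAGS itself.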
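Review bot: In the OS/Makefile-Linux hunk, `LFLAGS=$(LDFLAGS)` replaces any earlier LFLAGS value instead of extending it, so link options that the exim makefiles or a local configuration put into LFLAGS are silently discarded; `LFLAGS+=$(LDFLAGS)` (or appending LDFLAGS at the point where LFLAGS is used) keeps both, which also answers the doubt raised in the report. The second hunk adds `$(LFLAGS)` to the buildconfig link line; buildconfig is a build-time helper rather than an installed binary, so this is harmless but not part of the fix for the shipped files, and the description should say so.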
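Review bot: The three `@$(AR)` to `$(FE)$(AR)` hunks are consistent with the `$(FE)$(CC)` lines in the same makefiles, but the Description: line does not say why: state that, as the patch name suggests, $(FE) is the switch that controls full echoing, so that a verbose build prints the archive command and blhc can see it. If $(FE) is not defined in these sub-makefiles it expands to nothing and the ar line is always echoed, which is the verbose behaviour anyway, so there is no functional risk.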
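Review bot: The Description: field of the last patch reads "WTF", which is not a usable DEP-3 header; it should state what the patch does, namely remove the abbreviated `@echo "$(CC) $*.c"` / `@echo "$(LNCC) -o exim"` lines so that only the real compile and link commands reach the build log and blhc stops reporting them as flag-less compiles. Note that this also changes the default build: when $(FE) expands to `@` the removed echo was the only line printed per file, so a non-verbose build now prints nothing per step; if the patch is meant for testing only, as the report says, either keep it out of the package or make the echo conditional on the verbose setting rather than deleting it. The `.c.o:;` to `.c.o:` changes are fine, since the `$(FE)$(CC)` recipe line that followed the semicolon rule is kept as the rule's recipe.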