Package: speex
Version: 1.2~rc1-6
Severity: normal
Tags: patch

Dear Maintainer,

Some hardening flags (format flags and relro on some archs) are still
missing because they are not set in debian/rules. For more hardening
information please have a look at [1], [2] and [3].

The attached patch fixes the issue by using dpkg-buildflags to set the
default flags. This automatically takes care of old versions of
dpkg-buildpackage setting different flags, handling noopt and
architectures which don't support certain hardening flags (e.g. relro).
-g and -O2 are also added by default (-O0 with noopt). And by using
dpkg-buildflags, future (hardening) flags will be added automatically.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check the
build log with `blhc` (hardening-check doesn't catch everything):

$ hardening-check /usr/bin/speexenc /usr/bin/speexdec /usr/lib/x86_64-linux-gnu/libspeexdsp.so.1.5.0 /usr/lib/x86_64-linux-gnu/libspeex.so.1.5.0
...
/usr/bin/speexenc:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/bin/speexdec:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/lib/x86_64-linux-gnu/libspeexdsp.so.1.5.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/lib/x86_64-linux-gnu/libspeex.so.1.5.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
...

(Position Independent Executable is not enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
diff -u speex-1.2~rc1/debian/rules speex-1.2~rc1/debian/rules --- speex-1.2~rc1/debian/rules +++ speex-1.2~rc1/debian/rules @@ -18,31 +18,14 @@ DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH) DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) +# dpkg-buildflags takes care of hardening flags, respects noopt and prevents +# old versions of dpkg-buildpackage to interfere with the default flags. +dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS="hardening=+all,-pie" dpkg-buildflags +CPPFLAGS = $(shell $(dpkg_buildflags) --get CPPFLAGS) +CFLAGS = $(shell $(dpkg_buildflags) --get CFLAGS) -Wall +CXXFLAGS = $(shell $(dpkg_buildflags) --get CXXFLAGS) +LDFLAGS = $(shell $(dpkg_buildflags) --get LDFLAGS) -HARD_CPPFLAGS = -D_FORTIFY_SOURCE=2 -HARD_CFLAGS = -Wformat=2 -HARD_LDFLAGS = -z now - -ifneq (,$(filter-out $(DEB_HOST_ARCH), ia64 alpha mips mipsel hppa arm)) - HARD_CFLAGS += -fstack-protector --param ssp-buffer-size=4 -endif -ifneq (,$(filter-out $(DEB_HOST_ARCH), ia64 hppa avr32)) - HARD_LDFLAGS += -z relro -endif - -# Keep dpkg-buildpackage the hell out of messing with our compile flags, -# we should trust upstream to know better than it what to use here. -# We explicitly re-add -g and -O2 here, since not all configurations do -# set it explicitly (and instead rely on autoconf's default of doing that, -# which we override here when we set the hardening flags, if we do). -CPPFLAGS = $(HARD_CPPFLAGS) -CFLAGS = $(HARD_CFLAGS) -g -O2 -CXXFLAGS = $(HARD_CFLAGS) -g -O2 -LDFLAGS = $(HARD_LDFLAGS) - -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS = -Wall -g -O0 -endif ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) INSTALL_PROGRAM += -s endif
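Review bot: the `DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)` line kept as context loses its only users in this hunk once the two `ifneq (,$(filter-out $(DEB_HOST_ARCH), ...))` blocks are removed; unless it is referenced elsewhere in debian/rules, drop it alongside them. On the new block: the comment above `dpkg_buildflags` should say why `-pie` is subtracted from `hardening=+all` (the report's hardening-check output shows PIE off, and keeping it off preserves the previous behaviour, but a later reader of the rules file will not know that). Also `-Wall` is now appended to `CFLAGS` only, while the removed lines fed the same `HARD_CFLAGS` into both `CFLAGS` and `CXXFLAGS`; either append it to `CXXFLAGS` as well or note that the package has no C++ sources. Grammar nit in the new comment: "prevents old versions of dpkg-buildpackage from interfering with the default flags".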