Package: speex
Version: 1.2~rc1-6
Severity: normal
Tags: patch

Dear Maintainer,

Some hardening flags (format flags and relro on some archs) are
still missing because they are not set in debian/rules. For more
hardening information please have a look at [1], [2] and [3].

The attached patch fixes the issue by using dpkg-buildflags to
set the default flags. This automatically takes care of old
versions of dpkg-buildpackage setting different flags, handling
noopt and architectures which don't support certain hardening
flags (e.g. relro). -g and -O2 are also added by default (-O0
with noopt). And by using dpkg-buildflags future (hardening)
flags will be automatically added.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):

    $ hardening-check /usr/bin/speexenc /usr/bin/speexdec /usr/lib/x86_64-linux-gnu/libspeexdsp.so.1.5.0 /usr/lib/x86_64-linux-gnu/libspeex.so.1.5.0 ...
    /usr/bin/speexenc:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/speexdec:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/lib/x86_64-linux-gnu/libspeexdsp.so.1.5.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/lib/x86_64-linux-gnu/libspeex.so.1.5.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    ...

(Position Independent Executable is not enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
diff -u speex-1.2~rc1/debian/rules speex-1.2~rc1/debian/rules
--- speex-1.2~rc1/debian/rules
+++ speex-1.2~rc1/debian/rules
@@ -18,31 +18,14 @@
 DEB_HOST_ARCH      ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 
+# dpkg-buildflags takes care of hardening flags, respects noopt and prevents
+# old versions of dpkg-buildpackage to interfere with the default flags.
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS="hardening=+all,-pie" dpkg-buildflags
+CPPFLAGS = $(shell $(dpkg_buildflags) --get CPPFLAGS)
+CFLAGS   = $(shell $(dpkg_buildflags) --get CFLAGS) -Wall
+CXXFLAGS = $(shell $(dpkg_buildflags) --get CXXFLAGS)
+LDFLAGS  = $(shell $(dpkg_buildflags) --get LDFLAGS)
 
-HARD_CPPFLAGS = -D_FORTIFY_SOURCE=2
-HARD_CFLAGS   = -Wformat=2
-HARD_LDFLAGS  = -z now
-
-ifneq (,$(filter-out $(DEB_HOST_ARCH), ia64 alpha mips mipsel hppa arm))
-	HARD_CFLAGS += -fstack-protector --param ssp-buffer-size=4
-endif
-ifneq (,$(filter-out $(DEB_HOST_ARCH), ia64 hppa avr32))
-	HARD_LDFLAGS += -z relro
-endif
-
-# Keep dpkg-buildpackage the hell out of messing with our compile flags,
-# we should trust upstream to know better than it what to use here.
-# We explicitly re-add -g and -O2 here, since not all configurations do
-# set it explicitly (and instead rely on autoconf's default of doing that,
-# which we override here when we set the hardening flags, if we do).
-CPPFLAGS = $(HARD_CPPFLAGS)
-CFLAGS   = $(HARD_CFLAGS) -g -O2
-CXXFLAGS = $(HARD_CFLAGS) -g -O2
-LDFLAGS  = $(HARD_LDFLAGS)
-
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS = -Wall -g -O0
-endif
 ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
 	INSTALL_PROGRAM += -s
 endif
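Review bot: the four new assignments use `=`, so `$(shell $(dpkg_buildflags) --get ...)` is re-run every time CPPFLAGS, CFLAGS, CXXFLAGS or LDFLAGS is expanded; `:=` would run dpkg-buildflags once per variable with the same result. The `hardening=+all,-pie` setting should get a word in the comment about why PIE is left off (the report itself notes PIE is not enabled by default), and the comment's second line should read "prevents old versions of dpkg-buildpackage from interfering with the default flags". Two smaller points: `-Wall` is now always appended to CFLAGS, whereas the removed block only added it under noopt, which is fine but worth a changelog line; and DEB_HOST_ARCH at the top of the hunk is no longer referenced once the arch filters are dropped, so check whether the rest of debian/rules still needs the dpkg-architecture call.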

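A small checker for the hardening-check output format shown in the report, added here as an example (it is not part of the report or of the speex package): it parses the per-file results, as produced by the `find ... -exec hardening-check {} +` command above, and lists the required protections reported as missing, skipping PIE (expected off here) and entries marked "(ignored)". The embedded sample is constructed from the report's own listing.

```python
# Constructed sample: hardening-check output in the layout shown in the report.
SAMPLE_OUTPUT = """\
/usr/bin/speexenc:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/lib/x86_64-linux-gnu/libspeex.so.1.5.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
"""

# Protections the dpkg-buildflags change is meant to enable on every file.
# PIE is deliberately absent: the report says it is not enabled by default.
REQUIRED = ("Stack protected", "Fortify Source functions",
            "Read-only relocations", "Immediate binding")


def parse_hardening_check(text):
    """Return {path: {check_name: result_string}} from hardening-check output.

    File header lines start in column 0 and end with ':'; the check lines
    that follow are indented by one space and have the form 'Name: result'.
    """
    results, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1]
            results[current] = {}
        elif current is not None and ":" in line:
            name, _, value = line.strip().partition(":")
            results[current][name.strip()] = value.strip()
    return results


def missing_protections(text, required=REQUIRED):
    """Map each file to the required checks hardening-check reported as 'no'.

    Results containing '(ignored)' are skipped, since hardening-check itself
    does not consider them a problem for that file type.
    """
    report = {}
    for path, checks in parse_hardening_check(text).items():
        missing = [name for name in required
                   if checks.get(name, "").startswith("no")
                   and "(ignored)" not in checks.get(name, "")]
        if missing:
            report[path] = missing
    return report
```

Feed it the concatenated output of the find command to get one dictionary of files that still need attention; as the report says, pair this with blhc on the build log, since hardening-check alone does not catch everything.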