Package: sendmail Version: 8.14.4-2.1 Severity: normal Tags: patch Dear Maintainer,
The CPPFLAGS hardening flags are missing on all architectures because they are not set in debian/rules, and some other hardening flags (e.g. relro) are missing on some architectures. For more hardening information please have a look at [1], [2] and [3]. The attached patch fixes the issue. I haven't found a better way to set CPPFLAGS for sensible_mda; the value exported from debian/rules does not seem to reach its build. Better solutions are welcome. To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log with `blhc` (hardening-check doesn't catch everything):

$ hardening-check /usr/sbin/sensible-mda /usr/lib/sm.bin/vacation.sendmail /usr/lib/sm.bin/smrsh /usr/lib/sm.bin/sendmail ...
/usr/sbin/sensible-mda:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes
/usr/lib/sm.bin/vacation.sendmail:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/lib/sm.bin/smrsh:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/usr/lib/sm.bin/sendmail:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
...

(Position Independent Executable is not enabled by default.) Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +` on the build result to check all files.
Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
diff -u sendmail-8.14.4/debian/rules sendmail-8.14.4/debian/rules
--- sendmail-8.14.4/debian/rules
+++ sendmail-8.14.4/debian/rules
@@ -20,16 +20,19 @@
 # Well, almost impossible now 8-)
 # * Compile all with -fPIC (works for pic or pie objects)
 # * Link with either -pie or -shared
-ifeq ($(DEB_HOST_GNU_CPU),arm)
- MY_CFLAGS := -fPIC
-else
- MY_CFLAGS := -fPIC -fstack-protector-all
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS="hardening=+all,-pie" dpkg-buildflags
+CFLAGS := $(shell $(dpkg_buildflags) --get CFLAGS)
+CFLAGS += -fPIC
+ifneq (,$(filter -fstack-protector,$(CFLAGS)))
+ CFLAGS += -fstack-protector-all
 endif
-CFLAGS += ${MY_CFLAGS}
-export CFLAGS
-MY_LDFLAGS := -Wl,-z,noexecstack,-z,relro,-z,now -Wl,--warn-shared-textrel
-LDFLAGS += -pie ${MY_LDFLAGS}
-export LDFLAGS
+CXXFLAGS := $(shell $(dpkg_buildflags) --get CXXFLAGS)
+CPPFLAGS := $(shell $(dpkg_buildflags) --get CPPFLAGS)
+LDFLAGS := $(shell $(dpkg_buildflags) --get LDFLAGS)
+LDFLAGS += -Wl,-z,noexecstack -Wl,--warn-shared-textrel
+MY_LDFLAGS := $(LDFLAGS)
+LDFLAGS += -fpie
+export CFLAGS CXXFLAGS CPPFLAGS LDFLAGS
 
 # Obtain package/version information from the path (debian/changelog is walkabout)
 ifneq (y, $(shell test -f debian/changelog && echo 'y'))
@@ -414,7 +417,7 @@
 (cd ${DEB_SRCDIR}/obj*/libmilter && \
 gcc -shared -pthread \
 -o libmilter.so.${sm_libmilter_version} \
- -fPIC ${MY_CFLAGS} \
+ -fPIC ${CFLAGS} \
 -Wl,-soname,libmilter.so.${sm_libmilter_version} \
 ${MY_LDFLAGS} \
 *.o;); \
diff -u sendmail-8.14.4/debian/sensible_mda/Makefile.in sendmail-8.14.4/debian/sensible_mda/Makefile.in
--- sendmail-8.14.4/debian/sensible_mda/Makefile.in
+++ sendmail-8.14.4/debian/sensible_mda/Makefile.in
@@ -98,7 +98,7 @@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
+CPPFLAGS = @CPPFLAGS@ $(shell dpkg-buildflags --get CPPFLAGS)
 CYGPATH_W = @CYGPATH_W@
 DEBIAN = @DEBIAN@
 DEBIAN_DH = @DEBIAN_DH@
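Review bot: The new `LDFLAGS += -fpie` replaces the old `LDFLAGS += -pie`, but `-fpie` is a code-generation option and does nothing at link time, so with PIE also switched off in `DEB_BUILD_MAINT_OPTIONS` the executables will be linked as ordinary non-PIE binaries despite the `-fPIC` objects and the comment above that still says "Link with either -pie or -shared"; this matches the "Position Independent Executable: no, normal executable!" lines in the report if that output came from a patched build. The one-line fix is `LDFLAGS += -pie`, and the `MY_LDFLAGS := $(LDFLAGS)` snapshot taken just before it already keeps the flag away from the libmilter shared-object link. Note also that `$(filter -fstack-protector,$(CFLAGS))` matches only that exact word, so a dpkg-buildflags that emits `-fstack-protector-strong` instead would silently skip the `-fstack-protector-all` upgrade; `$(filter -fstack-protector%,$(CFLAGS))` would cover both.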
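Review bot: The literal `-fPIC` on this line is now redundant, since the new `CFLAGS` already has `-fPIC` appended in debian/rules; passing `${CFLAGS}` alone keeps the link command from carrying the flag twice, e.g. `${CFLAGS} \`. Linking the shared object with `${MY_LDFLAGS}`, the copy of LDFLAGS captured before the PIE flag is added, is the right choice here and should be kept. The enclosing recipe starts and ends outside the hunk.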
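Review bot: `CPPFLAGS = @CPPFLAGS@ $(shell dpkg-buildflags --get CPPFLAGS)` uses the recursive `=` flavour, so dpkg-buildflags is forked again every time CPPFLAGS is expanded, i.e. once per compile; since `$(shell …)` already makes this template GNU-make-only, `CPPFLAGS := @CPPFLAGS@ $(shell dpkg-buildflags --get CPPFLAGS)` is safe and runs it once. This call also omits the `DEB_BUILD_MAINT_OPTIONS="hardening=+all,-pie"` prefix used in debian/rules; for CPPFLAGS the output should be the same, but a comment saying why the two call sites differ would stop them drifting apart. The report's hardening-check shows sensible-mda with "Stack protected: no", which with `-fstack-protector-all` in CFLAGS should not happen, so if that output is from a patched build the exported CFLAGS and LDFLAGS are presumably not reaching this Makefile either and need the same workaround or a fix to how configure is invoked.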