Package: sendmail
Version: 8.14.4-2.1
Severity: normal
Tags: patch

Dear Maintainer,
The CPPFLAGS hardening flags are missing on all architectures
because they are not set in debian/rules, some other hardening
flags (e.g. relro) are missing on some architectures. For more
hardening information please have a look at [1], [2] and [3].
The attached patch fixes the issue.
I haven't found a better way to set CPPFLAGS for sensible_mda; it
doesn't seem to get passed down from debian/rules. Better
solutions are welcome.
To check that all flags were correctly enabled, you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):
$ hardening-check /usr/sbin/sensible-mda /usr/lib/sm.bin/vacation.sendmail
/usr/lib/sm.bin/smrsh /usr/lib/sm.bin/sendmail ...
/usr/sbin/sensible-mda:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
/usr/lib/sm.bin/vacation.sendmail:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/lib/sm.bin/smrsh:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/lib/sm.bin/sendmail:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
...
(Position Independent Executable is not enabled by default.)
Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
diff -u sendmail-8.14.4/debian/rules sendmail-8.14.4/debian/rules
--- sendmail-8.14.4/debian/rules
+++ sendmail-8.14.4/debian/rules
@@ -20,16 +20,19 @@
# Well, almost impossible now 8-)
# * Compile all with -fPIC (works for pic or pie objects)
# * Link with either -pie or -shared
-ifeq ($(DEB_HOST_GNU_CPU),arm)
- MY_CFLAGS := -fPIC
-else
- MY_CFLAGS := -fPIC -fstack-protector-all
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS="hardening=+all,-pie" dpkg-buildflags
+CFLAGS := $(shell $(dpkg_buildflags) --get CFLAGS)
+CFLAGS += -fPIC
+ifneq (,$(filter -fstack-protector,$(CFLAGS)))
+ CFLAGS += -fstack-protector-all
endif
-CFLAGS += ${MY_CFLAGS}
-export CFLAGS
-MY_LDFLAGS := -Wl,-z,noexecstack,-z,relro,-z,now -Wl,--warn-shared-textrel
-LDFLAGS += -pie ${MY_LDFLAGS}
-export LDFLAGS
+CXXFLAGS := $(shell $(dpkg_buildflags) --get CXXFLAGS)
+CPPFLAGS := $(shell $(dpkg_buildflags) --get CPPFLAGS)
+LDFLAGS := $(shell $(dpkg_buildflags) --get LDFLAGS)
+LDFLAGS += -Wl,-z,noexecstack -Wl,--warn-shared-textrel
+MY_LDFLAGS := $(LDFLAGS)
+LDFLAGS += -fpie
+export CFLAGS CXXFLAGS CPPFLAGS LDFLAGS
# Obtain package/version information from the path (debian/changelog is walkabout)
ifneq (y, $(shell test -f debian/changelog && echo 'y'))
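Review bot: Replacing the old `LDFLAGS += -pie` with `LDFLAGS += -fpie` drops PIE linking: `-fpie` is a code-generation option with no effect at link time, so the executables come out as normal executables, which matches the "Position Independent Executable: no" lines in the report's hardening-check output. Since compilation already uses `-fPIC`, keeping `LDFLAGS += -pie` (after the `MY_LDFLAGS := $(LDFLAGS)` snapshot, so libmilter's shared-object link stays unaffected) preserves the previous PIE coverage instead of regressing it. Separately, `$(filter -fstack-protector,$(CFLAGS))` matches only that exact word, so if dpkg-buildflags emits a variant such as `-fstack-protector-strong` the `-fstack-protector-all` upgrade is silently skipped; `$(filter -fstack-protector%,$(CFLAGS))` is the safer test. The hunk header counts one more line on each side than is visible here, so a context line may have been lost in transit.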
@@ -414,7 +417,7 @@
(cd ${DEB_SRCDIR}/obj*/libmilter && \
gcc -shared -pthread \
-o libmilter.so.${sm_libmilter_version} \
- -fPIC ${MY_CFLAGS} \
+ -fPIC ${CFLAGS} \
-Wl,-soname,libmilter.so.${sm_libmilter_version} \
${MY_LDFLAGS} \
*.o;); \
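Review bot: `-fPIC ${CFLAGS}` now passes `-fPIC` twice, because the reworked CFLAGS earlier in this file already appends it; this is harmless, but `${CFLAGS} \` alone reads cleaner and keeps a single source of truth for the flag. The recipe this line belongs to starts before the hunk.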
diff -u sendmail-8.14.4/debian/sensible_mda/Makefile.in sendmail-8.14.4/debian/sensible_mda/Makefile.in
--- sendmail-8.14.4/debian/sensible_mda/Makefile.in
+++ sendmail-8.14.4/debian/sensible_mda/Makefile.in
@@ -98,7 +98,7 @@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
+CPPFLAGS = @CPPFLAGS@ $(shell dpkg-buildflags --get CPPFLAGS)
CYGPATH_W = @CYGPATH_W@
DEBIAN = @DEBIAN@
DEBIAN_DH = @DEBIAN_DH@
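Review bot: `CPPFLAGS = @CPPFLAGS@ $(shell dpkg-buildflags --get CPPFLAGS)` uses the recursive `=` flavour, so dpkg-buildflags is re-run on every expansion of CPPFLAGS; since `@CPPFLAGS@` is substituted by configure as plain text, `CPPFLAGS := @CPPFLAGS@ $(shell dpkg-buildflags --get CPPFLAGS)` evaluates it once. This call also runs without the `DEB_BUILD_MAINT_OPTIONS` setting that debian/rules applies, so the preprocessor flags sensible_mda receives can differ from the rest of the package, and on a system without dpkg-buildflags the expansion silently becomes empty. Because debian/rules now exports CPPFLAGS, passing it through the configure environment would avoid hard-coding the tool in an upstream Makefile.in, though whether configure actually sees that export cannot be confirmed from this diff.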

