Package: readline6
Version: 6.2-8
Severity: normal
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because they are not set
in debian/rules; the format string hardening flags are missing
because they are disabled in debian/rules. For more hardening
information please have a look at [1], [2] and [3].

The attached patches fix the issues.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):

    $ hardening-check /usr/bin/rlfe /lib/x86_64-linux-gnu/libreadline.so.6.2 
/lib/x86_64-linux-gnu/libhistory.so.6.2 /usr/lib/debug/libhistory.so.6.2 ...
    /usr/bin/rlfe:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /lib/x86_64-linux-gnu/libreadline.so.6.2:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /lib/x86_64-linux-gnu/libhistory.so.6.2:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/debug/libhistory.so.6.2:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
diff -Nru readline6-6.2/debian/rules readline6-6.2/debian/rules
--- readline6-6.2/debian/rules	2011-10-09 11:30:10.000000000 +0200
+++ readline6-6.2/debian/rules	2012-09-15 13:47:15.000000000 +0200
@@ -58,6 +58,7 @@
 endif
 
 CFLAGS := $(shell dpkg-buildflags --get CFLAGS)
+CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
 LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)
 CFLAGS := $(CFLAGS) -I/usr/include/ncursesw
 
@@ -107,7 +108,7 @@
 	mkdir $(builddir)
 	find . -type d | xargs chmod g-s
 	cd $(builddir) && \
-	  CC=$(CC) CFLAGS="$(CFLAGS)" $(srcdir)/configure \
+	  CC=$(CC) CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" $(srcdir)/configure \
 		--prefix=/usr\
 		--host=$(DEB_HOST_GNU_TYPE) \
 		--libdir=/usr/lib/$(DEB_HOST_MULTIARCH)
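Review bot: The configure call on the added `CC=$(CC) CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)"` line still receives no `LDFLAGS`, so the linker hardening flags from dpkg-buildflags reach the build only where a later make call passes them explicitly (`SHOBJ_LDFLAGS` in the build hunks). Anything the generated Makefiles link without going through `SHOBJ_LDFLAGS` would presumably miss them. Adding `LDFLAGS="$(LDFLAGS)"` next to `CPPFLAGS="$(CPPFLAGS)"` closes that gap, and the same applies to the 32-bit and 64-bit configure calls in the next two hunks. `CC=$(CC)` is also the only one of the three configure lines left unquoted, so `CC="$(CC)"` would match the others. The recipe starts outside this hunk.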
@@ -116,7 +117,7 @@
 	rm -rf $(builddir32)
 	mkdir $(builddir32)
 	cd $(builddir32) && \
-	  CC="$(CC32)" CFLAGS="$(CFLAGS)" $(srcdir)/configure \
+	  CC="$(CC32)" CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" $(srcdir)/configure \
 		--host=$(HOST32) --prefix=/usr
 endif
 
@@ -124,7 +125,7 @@
 	rm -rf $(builddir64)
 	mkdir $(builddir64)
 	cd $(builddir64) && \
-	  CC="$(CC64)" CFLAGS="$(CFLAGS)" $(srcdir)/configure \
+	  CC="$(CC64)" CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" $(srcdir)/configure \
 		--host=$(HOST64) --prefix=/usr
 endif
 
@@ -141,7 +142,7 @@
 build-stamp: configure-stamp
 	dh_testdir
 	$(MAKE) -C $(builddir) \
-	    CFLAGS="$(CFLAGS)" \
+	    CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" \
 	    SHOBJ_CFLAGS="-fPIC -D_REENTRANT" \
 	    SHOBJ_LDFLAGS='$(LDFLAGS) -shared' \
 	    SHLIB_LIBS="-ltinfo"
@@ -149,7 +150,7 @@
 ifneq ($(build32),)
 	$(MAKE) -C $(builddir32) \
 	    CC="$(CC32)" \
-	    CFLAGS="$(CFLAGS)" \
+	    CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" \
 	    SHOBJ_CFLAGS="-fPIC -D_REENTRANT" \
 	    SHOBJ_LDFLAGS='$(LDFLAGS) -shared' \
 	    SHLIB_LIBS="-ltinfo"
@@ -159,7 +160,7 @@
 ifneq ($(build64),)
 	$(MAKE) -C $(builddir64) \
 	    CC="$(CC64)" \
-	    CFLAGS="$(CFLAGS)" \
+	    CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" \
 	    SHOBJ_CFLAGS="-fPIC -D_REENTRANT" \
 	    SHOBJ_LDFLAGS='$(LDFLAGS) -shared' \
 	    SHLIB_LIBS="-ltinfo"
@@ -183,7 +184,7 @@
 	cd $(builddir)/examples/rlfe \
 		&& ./configure --prefix=/usr --host=$(DEB_HOST_GNU_TYPE)
 	$(MAKE) -C $(builddir)/examples/rlfe \
-	    CFLAGS="$(filter-out -Werror=%,$(CFLAGS))" \
+	    CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" \
 	    LDFLAGS="$(LDFLAGS) -g -L$(builddir)/shlib" \
 	    LIBS="-lreadline -ltinfo -lutil" rlfe
 	touch build-rlfe-stamp
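Review bot: Dropping `$(filter-out -Werror=%,...)` on the `CFLAGS=` line makes the rlfe build depend on the format-security patch to examples/rlfe/rlfe.c being applied first, and nothing in this hunk records that. A comment above the `$(MAKE)` call, such as `# -Werror=format-security is kept on purpose; requires the rlfe format-security patch`, would stop a later maintainer from re-adding the filter when the build breaks. The `./configure` call two lines up still runs without CFLAGS, CPPFLAGS or LDFLAGS, so its feature tests see different flags than the compile; passing the same three there would keep them consistent. The recipe begins outside the hunk.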
@@ -209,7 +210,7 @@
 	rm -rf $(d)
 	mkdir -p $(d)/usr/bin
 	$(MAKE) -C $(builddir) install \
-	    CFLAGS="$(CFLAGS) -D_REENTRANT" \
+	    CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS) -D_REENTRANT" \
 	    SHOBJ_LDFLAGS='-shared $(LDFLAGS)' \
 	    DESTDIR=$(CURDIR)/$(d) \
 	    mandir=/usr/share/man \
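Review bot: `-D_REENTRANT` is appended to `CPPFLAGS` only for `make install`, while the build-stamp calls pass plain `CPPFLAGS="$(CPPFLAGS)"` and carry the define only in `SHOBJ_CFLAGS`. Make does not recompile on a flag change, so the define here affects only objects that happen to be compiled during install. If it is meant for every object, it belongs in the build calls, or once in the variable, e.g. `CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS) -D_REENTRANT`. The 32-bit and 64-bit install hunks that follow have the same pattern. The install recipe continues past the end of this hunk.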
@@ -295,7 +296,7 @@
 	mkdir -p $(d32)/usr/bin
 	$(MAKE) -C $(builddir32) install \
 	    CC="$(CC32)" \
-	    CFLAGS="$(CFLAGS) -D_REENTRANT" \
+	    CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS) -D_REENTRANT" \
 	    SHOBJ_LDFLAGS='-shared $(LDFLAGS)' \
 	    SHLIB_XLDFLAGS='-soname,`echo $$@ | sed s/\\..$$$$//`' \
 	    SHLIB_LIBS=-lncurses \
@@ -328,7 +329,7 @@
 	mkdir -p $(d64)/usr/bin
 	$(MAKE) -C $(builddir64) install \
 	    CC="$(CC64)" \
-	    CFLAGS="$(CFLAGS) -D_REENTRANT" \
+	    CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS) -D_REENTRANT" \
 	    SHOBJ_LDFLAGS='-shared $(LDFLAGS)' \
 	    SHLIB_XLDFLAGS='-soname,`echo $$@ | sed s/\\..$$$$//`' \
 	    SHLIB_LIBS=-lncurses \
Description: Fix compiling with -Werror=format-security.
 Prevents format string attacks.
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2012-09-15

--- readline6-6.2.orig/examples/rlfe/rlfe.c
+++ readline6-6.2/examples/rlfe/rlfe.c
@@ -273,7 +273,7 @@ static void maybe_emphasize_input (int o
   if (on == current_emphasize_input
       || (on && ! do_emphasize_input))
     return;
-  fprintf (rl_outstream, on ? start_input_mode : end_input_mode);
+  fprintf (rl_outstream, "%s", on ? start_input_mode : end_input_mode);
   fflush (rl_outstream);
   current_emphasize_input = on;
 }
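Review bot: The corrected call could be written `fputs (on ? start_input_mode : end_input_mode, rl_outstream);`, which takes no format string at all and so cannot regress into the same bug. Note also that -Wformat-security only flags a non-literal format passed with no further arguments. A clean build with -Werror=format-security therefore does not show that rlfe.c is free of other variable format strings; a one-off build with -Wformat-nonliteral would surface those. maybe_emphasize_input begins before this hunk.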
