Package: hotot Version: 1:0.9.8.5+git20120630.884797d-1 Severity: normal Tags: patch
Dear Maintainer,
The following CPPFLAGS hardening flags are missing because
CPPFLAGS are not respected by the build system:
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cd
/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/obj-i486-linux-gnu/qt
&& /usr/bin/c++ -Wall -Wextra -Wno-sign-compare -Wno-unused-parameter
-fvisibility=hidden -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -I/usr/include/qt4 -I/usr/include/qt4/QtCore
-I/usr/include/qt4/QtGui -I/usr/include/qt4/QtWebKit
-I/usr/include/qt4/QtNetwork
-I/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/obj-i486-linux-gnu/qt
-I/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/qt
-o CMakeFiles/hotot-qt.dir/formpost.cpp.o -c
/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/qt/formpost.cpp
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cd
/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/obj-i486-linux-gnu/qt
&& /usr/bin/c++ -Wall -Wextra -Wno-sign-compare -Wno-unused-parameter
-fvisibility=hidden -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -I/usr/include/qt4 -I/usr/include/qt4/QtCore
-I/usr/include/qt4/QtGui -I/usr/include/qt4/QtWebKit
-I/usr/include/qt4/QtNetwork
-I/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/obj-i486-linux-gnu/qt
-I/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/qt
-o CMakeFiles/hotot-qt.dir/hototrequest.cpp.o -c
/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/qt/hototrequest.cpp
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): cd
/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/obj-i486-linux-gnu/qt
&& /usr/bin/c++ -Wall -Wextra -Wno-sign-compare -Wno-unused-parameter
-fvisibility=hidden -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -I/usr/include/qt4 -I/usr/include/qt4/QtCore
-I/usr/include/qt4/QtGui -I/usr/include/qt4/QtWebKit
-I/usr/include/qt4/QtNetwork
-I/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/obj-i486-linux-gnu/qt
-I/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/qt
-o CMakeFiles/hotot-qt.dir/main.cpp.o -c
/build/buildd-hotot_0.9.8.5+git20120630.884797d-1-i386-OAtrKF/hotot-0.9.8.5+git20120630.884797d/qt/main.cpp
[...]
For more hardening information please have a look at [1], [2] and
[3].
The following patch fixes the issue.
diff -Nru hotot-0.9.8.5+git20120630.884797d/debian/rules
hotot-0.9.8.5+git20120630.884797d/debian/rules
--- hotot-0.9.8.5+git20120630.884797d/debian/rules 2012-07-07
14:58:36.000000000 +0200
+++ hotot-0.9.8.5+git20120630.884797d/debian/rules 2012-09-24
16:26:48.000000000 +0200
@@ -4,6 +4,10 @@
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk
+# The build system ignores CPPFLAGS, pass them in CFLAGS/CXXFLAGS instead.
+CFLAGS += $(CPPFLAGS)
+CXXFLAGS += $(CPPFLAGS)
+
%:
dh $@ --with python2
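Review bot: The two `+=` lines are in the right place, after `include /usr/share/dpkg/buildflags.mk`; CPPFLAGS is only populated by that include, so appending it to CFLAGS/CXXFLAGS any earlier would add an empty string and leave -D_FORTIFY_SOURCE=2 missing exactly as in the quoted build log. Because `DPKG_EXPORT_BUILDFLAGS = 1` exports the variables, make hands the final appended value to dh's build steps, so the c++ invocations pick up the define through CXXFLAGS. The quoted log only shows c++ compiles, so the `CFLAGS += $(CPPFLAGS)` line has no visible effect here but is harmless and covers any C sources. When applying, keep the tab in front of `dh $@ --with python2`; the context line as quoted has lost its leading whitespace.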
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything).
$ hardening-check /usr/bin/hotot-qt
/usr/bin/hotot-qt:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
In this case the fortification is not yet used, but it will be
available in the future because the CPPFLAGS are now passed
correctly.
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.
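As an added example, not part of this report and not code from blhc or hardening-check: a minimal blhc-style scan of a build log that lists compiler invocations issued without -D_FORTIFY_SOURCE=2, which is the check that would have flagged the lines quoted above. The two logs are constructed samples modelled on those lines, with placeholder paths; the compile-line pattern is a simple heuristic (a cc/c++ style driver followed by `-c`), not blhc's full parser.

```shell
#!/bin/sh
# Added example for this page; it is neither the report's own text nor code
# from blhc or hardening-check. It checks a build log for compile steps that
# lack -D_FORTIFY_SOURCE=2. The log contents below are constructed samples
# with placeholder paths, modelled on the lines quoted in the report.

# Lines that look like compilation steps: a cc/c++ style driver followed by -c.
compile_lines() {
    grep -E '(^|[ /])(cc|c\+\+|gcc|g\+\+|clang|clang\+\+) .* -c ' "$1" || true
}

# Compile lines that lack the FORTIFY define (empty output means the log is clean).
missing_fortify() {
    compile_lines "$1" | grep -v -- '-D_FORTIFY_SOURCE=2' || true
}

# Number of compile lines lacking the define; 0 means every object was fortified.
count_missing() {
    missing_fortify "$1" | grep -c . || true
}

# Constructed log "before the fix": CPPFLAGS never reached the compiler.
LOG_BEFORE=$(mktemp)
cat > "$LOG_BEFORE" <<'EOF'
cd /build/hotot/obj-i486-linux-gnu/qt && /usr/bin/c++ -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -I/usr/include/qt4 -o CMakeFiles/hotot-qt.dir/formpost.cpp.o -c /build/hotot/qt/formpost.cpp
cd /build/hotot/obj-i486-linux-gnu/qt && /usr/bin/c++ -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -I/usr/include/qt4 -o CMakeFiles/hotot-qt.dir/main.cpp.o -c /build/hotot/qt/main.cpp
/usr/bin/c++ -g -O2 -fstack-protector -Wl,-z,relro CMakeFiles/hotot-qt.dir/formpost.cpp.o CMakeFiles/hotot-qt.dir/main.cpp.o -o hotot-qt
EOF

# Constructed log "after the fix": CPPFLAGS appended to CXXFLAGS in debian/rules.
LOG_AFTER=$(mktemp)
cat > "$LOG_AFTER" <<'EOF'
cd /build/hotot/obj-i486-linux-gnu/qt && /usr/bin/c++ -Wall -g -O2 -D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -I/usr/include/qt4 -o CMakeFiles/hotot-qt.dir/formpost.cpp.o -c /build/hotot/qt/formpost.cpp
cd /build/hotot/obj-i486-linux-gnu/qt && /usr/bin/c++ -Wall -g -O2 -D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -I/usr/include/qt4 -o CMakeFiles/hotot-qt.dir/main.cpp.o -c /build/hotot/qt/main.cpp
/usr/bin/c++ -g -O2 -fstack-protector -Wl,-z,relro CMakeFiles/hotot-qt.dir/formpost.cpp.o CMakeFiles/hotot-qt.dir/main.cpp.o -o hotot-qt
EOF
trap 'rm -f "$LOG_BEFORE" "$LOG_AFTER"' EXIT

# Summary: the link step is ignored, only the two compile steps are judged.
printf 'before fix: %s compile line(s) without -D_FORTIFY_SOURCE=2\n' "$(count_missing "$LOG_BEFORE")"
missing_fortify "$LOG_BEFORE"
printf 'after fix:  %s compile line(s) without -D_FORTIFY_SOURCE=2\n' "$(count_missing "$LOG_AFTER")"
```

Run it against a real build log by replacing the heredocs with `count_missing path/to/build.log`; the link step is deliberately skipped because the define only matters where code is compiled, which is also why the report pairs this log check with `hardening-check` on the produced binaries.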
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9