Bug#688697: texmaker: CPPFLAGS hardening flags missing

Simon Ruderich Mon, 24 Sep 2012 14:09:15 -0700

Package: texmaker
Version: 3.4-1
Severity: normal
Tags: patch

Dear Maintainer,


The following CPPFLAGS hardening flags are missing because they
are not correctly set in debian/rules:

    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -c -g -O2 -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -w -D_REENTRANT 
-DQT_WEBKIT -DTEXMAKERVERSION=\"3.4\" -DHAVE_SPLASH -DPREFIX=\"/usr\" 
-DDEBIAN_SPELLDIR -DQT_NO_DEBUG -DQT_WEBKIT_LIB -DQT_XML_LIB -DQT_GUI_LIB 
-DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++ 
-I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork 
-I/usr/include/qt4/QtGui -I/usr/include/qt4/QtXml -I/usr/include/qt4/QtWebKit 
-I/usr/include/qt4 -I/usr/include/poppler/qt4 -I.moc -I.ui -o .obj/main.o 
main.cpp
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -c -g -O2 -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -w -D_REENTRANT 
-DQT_WEBKIT -DTEXMAKERVERSION=\"3.4\" -DHAVE_SPLASH -DPREFIX=\"/usr\" 
-DDEBIAN_SPELLDIR -DQT_NO_DEBUG -DQT_WEBKIT_LIB -DQT_XML_LIB -DQT_GUI_LIB 
-DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++ 
-I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork 
-I/usr/include/qt4/QtGui -I/usr/include/qt4/QtXml -I/usr/include/qt4/QtWebKit 
-I/usr/include/qt4 -I/usr/include/poppler/qt4 -I.moc -I.ui -o 
.obj/texmakerapp.o texmakerapp.cpp
    CPPFLAGS missing (-D_FORTIFY_SOURCE=2): g++ -c -g -O2 -fstack-protector 
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -w -D_REENTRANT 
-DQT_WEBKIT -DTEXMAKERVERSION=\"3.4\" -DHAVE_SPLASH -DPREFIX=\"/usr\" 
-DDEBIAN_SPELLDIR -DQT_NO_DEBUG -DQT_WEBKIT_LIB -DQT_XML_LIB -DQT_GUI_LIB 
-DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++ 
-I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork 
-I/usr/include/qt4/QtGui -I/usr/include/qt4/QtXml -I/usr/include/qt4/QtWebKit 
-I/usr/include/qt4 -I/usr/include/poppler/qt4 -I.moc -I.ui -o .obj/texmaker.o 
texmaker.cpp
    [...]

For more hardening information please have a look at [1], [2] and
[3].

The problem is that Qt doesn't respect CPPFLAGS by default.
However dh_auto_build automatically handles that for you. I
haven't tested the resulting binary, but it should work fine.

The following patch fixes the issue by using the default
dh_auto_build, if that doesn't work you have to pass the flags
manually (best way is to look what dh_auto_build uses by setting
export DH_VERBOSE=1 in the rules file) - or call dh_auto_build
with the necessary flags.

diff -Nru texmaker-3.4/debian/rules texmaker-3.4/debian/rules
--- texmaker-3.4/debian/rules   2012-07-19 12:13:26.000000000 +0200
+++ texmaker-3.4/debian/rules   2012-09-24 23:05:44.000000000 +0200
@@ -11,9 +11,6 @@
        $(RM) .obj/* .moc/* .ui/* 
        dh_auto_clean
 
-override_dh_auto_build:
-       qmake-qt4 -unix PREFIX=/usr QMAKE_CFLAGS="$(CPPFLAGS)" 
QMAKE_CXXFLAGS="$(CXXFLAGS)" QMAKE_LFLAGS="$(LDFLAGS)" texmaker.pro
-
 override_dh_auto_test:
        # do not try testing
 

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):

    $ hardening-check --verbose /usr/bin/texmaker
    /usr/bin/texmaker:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
            unprotected: strncpy
            unprotected: memset
            unprotected: strcat
            unprotected: fgets
            unprotected: memmove
            unprotected: strcpy
            unprotected: memcpy
            unprotected: fprintf
            unprotected: fread
            protected: strncpy
            protected: vfprintf
            protected: stpcpy
            protected: strcpy
            protected: memcpy
            protected: printf
            protected: sprintf
            protected: fprintf
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

signature.asc
Description: Digital signature

Bug#688697: texmaker: CPPFLAGS hardening flags missing

Reply via email to