Source: netcat
Severity: important
Tags: patch

Please enable the hardened build flags through dpkg-buildflags.

Patch attached. (dpkg-buildflags honours "noopt" in DEB_BUILD_OPTIONS, so the hand-rolled -O0/-O2 selection in debian/rules is no longer needed.)

The hardened build flags (presumably via -Werror=format-security) also exposed an fprintf() call in netcat.c that passes a non-literal string as its format argument. I've attached a patch for that as well.

Cheers,
        Moritz
diff -aur netcat-1.10.harden/debian/rules netcat-1.10/debian/rules
--- netcat-1.10.harden/debian/rules	2011-02-11 05:58:55.000000000 +0100
+++ netcat-1.10/debian/rules	2012-01-14 15:25:34.000000000 +0100
@@ -4,12 +4,11 @@
 export DH_OPTIONS
 
 # TODO: there are a lot of warnings with -Wall on. Fix them.
-DEB_CFLAGS = -g -Wall
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-DEB_CFLAGS += -O0
-else
-DEB_CFLAGS += -O2
-endif
+DEB_CFLAGS = `dpkg-buildflags --get CFLAGS`
+DEB_CFLAGS += -Wall
+DEB_CFLAGS += `dpkg-buildflags --get CPPFLAGS`
+LDFLAGS = `dpkg-buildflags --get LDFLAGS`
+
 ifneq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
 INSTALL_PROG = install -m 0755
 else
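Review bot: The backtick substitutions assigned to `DEB_CFLAGS` and `LDFLAGS` on new lines 27-30 are not evaluated by make; they pass through the single-quoted `CFLAGS='$(DEB_CFLAGS)'` on the sub-make command line intact and are only expanded by the shell each time the upstream Makefile runs a compile or link command, so `dpkg-buildflags` is re-invoked per command and its output is re-tokenised by that later shell. Expanding once at parse time is more predictable: `DEB_CFLAGS := $(shell dpkg-buildflags --get CFLAGS) $(shell dpkg-buildflags --get CPPFLAGS) -Wall` and `LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)`, or simply `include /usr/share/dpkg/buildflags.mk`, which sets CFLAGS, CPPFLAGS and LDFLAGS directly. The hardening defaults only exist in dpkg-dev 1.16.1 and later, so debian/control presumably needs a matching Build-Depends constraint, which this patch does not touch. The `Nur in` lines also show editor backup files (`rules~`, `Makefile~`, `netcat.c~`) left in the tree; they should be cleaned out before the patch is applied.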
@@ -32,7 +31,7 @@
 build-arch-stamp: patch-stamp
 	dh_testdir
 	$(MAKE) linux \
-	    CFLAGS='$(DEB_CFLAGS)' STATIC='' \
+	    CFLAGS='$(DEB_CFLAGS)' LDFLAGS='$(LDFLAGS)' STATIC='' \
 	    DFLAGS='-DLINUX -DTELNET -DGAPING_SECURITY_HOLE -DIP_TOS -DDEBIAN_VERSION=\"$(DEB_VER)\"'
 	touch $@
 
Nur in netcat-1.10/debian: rules~.
diff -aur netcat-1.10.harden/Makefile netcat-1.10/Makefile
--- netcat-1.10.harden/Makefile	2012-01-14 15:22:54.000000000 +0100
+++ netcat-1.10/Makefile	2012-01-14 15:24:09.000000000 +0100
@@ -15,7 +15,7 @@
 # -Bstatic for sunos,  -static for gcc, etc.  You want this, trust me.
 STATIC =
 CC = gcc $(CFLAGS)
-LD = $(CC)	# linker; defaults to unstripped executables
+LD = $(CC) $(LDFLAGS)	# linker; defaults to unstripped executables
 o = o		# object extension
 
 ALL = nc
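Review bot: Because `CC` is defined on line 51 as `gcc $(CFLAGS)`, the new `LD = $(CC) $(LDFLAGS)` places both the compile flags and the linker flags on the link line, which is what the relro and PIE options from dpkg-buildflags require (`-fPIE` at compile time has to be paired with `-pie` at link time), so the composition is right. It also means `$(LDFLAGS)` precedes the object files in the link command (the link rule itself is outside this hunk), which is fine for the `-Wl,...` options dpkg-buildflags emits but is the wrong position for `-l` libraries; a comment such as `# LDFLAGS: linker options only (e.g. hardening from dpkg-buildflags); libraries stay in the existing library variable` on the new line would stop someone adding libraries there later.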
Nur in netcat-1.10: Makefile~.
diff -aur netcat-1.10.orig/netcat.c netcat-1.10/netcat.c
--- netcat-1.10.orig/netcat.c	2012-01-14 15:27:30.000000000 +0100
+++ netcat-1.10/netcat.c	2012-01-14 15:28:37.000000000 +0100
@@ -216,7 +216,7 @@
       if (h_errno > 4)		/* oh no you don't, either */
 	fprintf (stderr, "preposterous h_errno: %d", h_errno);
       else
-	fprintf (stderr, h_errs[h_errno]);	/* handle it here */
+	fprintf (stderr,"%s", h_errs[h_errno]);	/* handle it here */
       h_errno = 0;				/* and reset for next call */
     }
 #endif
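Review bot: The guard on line 62 only rejects `h_errno` values above 4, so a negative value — glibc reports internal resolver failures as `NETDB_INTERNAL`, which is -1 — still indexes before the start of `h_errs` on the fixed line 66; the new `"%s"` stops the string being interpreted as a format but not that out-of-bounds read. Tighten it to `if (h_errno < 0 || h_errno > 4)` (the size of `h_errs` is not visible here, so confirm entries 0..4 are all valid). Since the string is printed verbatim, `fputs (h_errs[h_errno], stderr);` would also do and avoids the format machinery entirely; either way keep the space before the string argument to match the file's `fprintf (stderr, ...)` spacing. The enclosing function begins and ends outside this hunk.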
Nur in netcat-1.10: netcat.c~.
