Package: tcpdump
Severity: important
Tags: patch

Dear Maintainer,

The hardening flags from CPPFLAGS are missing.

The problem is that configure.in doesn't correctly restore
CPPFLAGS in a test - which clears CPPFLAGS. The attached patch
fixes this issue (two typos). If possible it should also be sent
to upstream to fix their configure.in.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

    $ hardening-check /usr/sbin/tcpdump
    /usr/sbin/tcpdump:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes

For more information please have a look at [1], [2] and [3].

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Description: Fix incorrect restore of CPPFLAGS in configure.in.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-03

Index: tcpdump-4.2.1/configure.in
===================================================================
--- tcpdump-4.2.1.orig/configure.in	2012-03-03 16:28:48.000000000 +0100
+++ tcpdump-4.2.1/configure.in	2012-03-03 16:33:56.000000000 +0100
@@ -732,7 +732,7 @@
 dnl Check for Mac OS X, which may ship pcap.h from 0.6 but libpcap may
 dnl be 0.8; this means that lib has pcap_findalldevs but header doesn't
 dnl have pcap_if_t.
-    savedppflags="$CPPLAGS"
+    savedcppflags="$CPPFLAGS"
     CPPFLAGS="$CPPFLAGS $V_INCLS"
     AC_CHECK_TYPES(pcap_if_t, , , [#include <pcap.h>])
     CPPFLAGS="$savedcppflags"
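
Review bot: the corrected `savedcppflags="$CPPFLAGS"` line takes effect only once the configure script is regenerated from configure.in, and nothing visible in this patch does that; regenerate it during the build or carry the same fix in the generated script. The name now matches the `CPPFLAGS="$savedcppflags"` restore three lines below, which previously expanded an unset variable and left CPPFLAGS empty after the check. Because a misspelt saved-variable name fails silently in shell, it is worth checking the other save/restore pairs in configure.in for the same mismatch.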

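The failure described in the report, replayed as an added example (not part of the report or of tcpdump's build system): `run_check` shows how the misspelt save leaves CPPFLAGS empty after the test, and the hypothetical `lint_restores` helper flags a restore from a name that is never assigned. The flag and include-path values are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. Sample flag values are constructed.

# Pre-patch configure.in lines as quoted in the patch, and the patched form.
BUGGY='    savedppflags="$CPPLAGS"
    CPPFLAGS="$CPPFLAGS $V_INCLS"
    AC_CHECK_TYPES(pcap_if_t, , , [#include <pcap.h>])
    CPPFLAGS="$savedcppflags"'
FIXED=$(printf '%s\n' "$BUGGY" |
    sed 's/savedppflags="\$CPPLAGS"/savedcppflags="$CPPFLAGS"/')

# run_check MODE: replay the save/modify/restore sequence in a subshell and
# print the CPPFLAGS that the rest of the build would see afterwards.
run_check() (
    unset savedcppflags savedppflags CPPLAGS
    CPPFLAGS='-D_FORTIFY_SOURCE=2'      # constructed hardening flag
    V_INCLS='-I/usr/include/pcap'       # constructed include path
    if [ "$1" = buggy ]; then
        savedppflags="$CPPLAGS"         # both names misspelt: saves nothing
    else
        savedcppflags="$CPPFLAGS"
    fi
    CPPFLAGS="$CPPFLAGS $V_INCLS"       # flags for the header test only
    CPPFLAGS="$savedcppflags"           # restore; empty in the buggy case
    printf '%s\n' "$CPPFLAGS"
)

# lint_restores: read a configure fragment on stdin and print "LINE: NAME" for
# every *FLAGS="$NAME" restore whose NAME is never assigned in the input.
lint_restores() {
    LC_ALL=C awk '
        match($0, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/) {
            name = substr($0, RSTART, RLENGTH); gsub(/[ \t=]/, "", name)
            assigned[name] = 1
        }
        match($0, /^[ \t]*[A-Z]*FLAGS="\$[A-Za-z_][A-Za-z0-9_]*"[ \t]*$/) {
            v = $0; sub(/^[^$]*\$/, "", v); sub(/".*$/, "", v)
            used[v] = NR
        }
        END { for (v in used) if (!(v in assigned)) print used[v] ": " v }
    '
}

echo "buggy -> '$(run_check buggy)'  fixed -> '$(run_check fixed)'"
printf '%s\n' "$BUGGY" | lint_restores
```

The lint only covers the restore side of the typo; running the fragment under `set -u` would also stop at the misspelt `$CPPLAGS` read.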