Package: pdfcube
Severity: important
Tags: patch
Dear Maintainer,
The LDFLAGS hardening flags are missing because export LDFLAGS +=
in debian/rules overwrites the default hardening flags.
DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].
The following patch fixes the issue.
diff -u pdfcube-0.0.4/debian/rules pdfcube-0.0.4/debian/rules
--- pdfcube-0.0.4/debian/rules
+++ pdfcube-0.0.4/debian/rules
@@ -1,7 +1,7 @@
#!/usr/bin/make -f
#export DH_VERBOSE=1
-export LDFLAGS += -Wl,--as-needed
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
%:
dh $@ --parallel
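Review bot: on the replaced export line, DEB_LDFLAGS_MAINT_APPEND is only read by dpkg-buildflags, and nothing visible in this debian/rules calls dpkg-buildflags or includes /usr/share/dpkg/buildflags.mk, so the fix relies on `dh $@ --parallel` exporting the build flags itself. Please confirm the package's debhelper compat level is one where dh does that (9 or later); otherwise -Wl,--as-needed is silently dropped together with the hardening flags. A one-line comment above the variable explaining why MAINT_APPEND is used instead of `LDFLAGS +=` would also help keep the overwrite from being reintroduced.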
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
$ hardening-check /usr/bin/pdfcube
/usr/bin/pdfcube:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
(The stack protected and fortify source warnings are fine in this
case, the flags are correctly applied.)
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash