Package: redir
Severity: important
Tags: patch
Dear Maintainer,
Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].
The following patch bumps debian/compat to 9 to automatically
enable the hardening flags and enables all flags (including PIE
because redir runs as a server); you could also enable them without
changing compat (see [2]), but compat=9 is the preferred and
simplest solution.
diff -Nru redir-2.2.1/debian/compat redir-2.2.1/debian/compat
--- redir-2.2.1/debian/compat 2012-03-04 23:42:05.000000000 +0100
+++ redir-2.2.1/debian/compat 2012-03-05 23:38:32.000000000 +0100
@@ -1 +1 @@
-8
+9
diff -Nru redir-2.2.1/debian/control redir-2.2.1/debian/control
--- redir-2.2.1/debian/control 2012-03-04 23:53:04.000000000 +0100
+++ redir-2.2.1/debian/control 2012-03-05 23:38:32.000000000 +0100
@@ -2,7 +2,7 @@
Section: net
Priority: extra
Maintainer: Daniel Kahn Gillmor <[email protected]>
-Build-Depends: debhelper (>=8), libwrap0-dev
+Build-Depends: debhelper (>=9), libwrap0-dev
Standards-Version: 3.9.3
Homepage: http://sammy.net/~sammy/hacks/
Vcs-Git: git://lair.fifthhorseman.net/~dkg/redir
diff -Nru redir-2.2.1/debian/rules redir-2.2.1/debian/rules
--- redir-2.2.1/debian/rules 2012-03-04 23:41:47.000000000 +0100
+++ redir-2.2.1/debian/rules 2012-03-05 23:40:58.000000000 +0100
@@ -1,3 +1,6 @@
#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
%:
dh $@
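Review bot: the added `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` line has no comment saying why `+all` is chosen over the default flag set. A one-line comment above it, noting that PIE is enabled because redir runs as a server, would keep that reasoning in debian/rules where the next maintainer will look. The export only takes effect when `dh $@` runs at compat 9 and the upstream Makefile honours the exported flags, so this hunk should land together with the debian/compat change and the Makefile patch.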
The build system ignores flags from the environment, which
includes the hardening flags. The attached patch fixes this. -O2
is automatically added when necessary (noopt is respected).
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
$ hardening-check /usr/bin/redir
/usr/bin/redir:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
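Added example, not part of the original report and not hardening-check's own code: the five lines of the hardening-check output quoted in the report correspond to ELF properties that can be read from `readelf` output. The function name `check_hardening`, the `FORTIFIABLE` subset and both sample texts are constructed for illustration.

```python
import re

# Constructed samples in the layout of `readelf -h -l -d --dyn-syms <file>`,
# trimmed to the relevant lines. They are not taken from a real redir build.
HARDENED = """\
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x0000000000002d90 0x0000000000003d90 0x0000000000003d90
 0x0000000000000018 (BIND_NOW)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
    11: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
"""
PLAIN = """\
  Type:                              EXEC (Executable file)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (3)
"""

# Small illustrative subset of libc functions that have a __NAME_chk variant.
FORTIFIABLE = {"memcpy", "strcpy", "strcat", "sprintf", "snprintf", "read"}


def check_hardening(readelf_text):
    """Map readelf output to the five properties hardening-check reports."""
    # Undefined (imported) dynamic symbols, version suffix stripped.
    imports = set(re.findall(r"\bUND\s+(\w+)", readelf_text))
    return {
        # ET_DYN on an executable means it was linked with -pie.
        # (Shared libraries are ET_DYN too; this check is for programs.)
        "pie": bool(re.search(r"^\s*Type:\s+DYN\b", readelf_text, re.M)),
        # -fstack-protector makes protected functions call __stack_chk_fail.
        "stack_protected": "__stack_chk_fail" in imports,
        # _FORTIFY_SOURCE rewrites eligible calls to __NAME_chk variants.
        "fortified": sorted(s for s in imports if re.fullmatch(r"__\w+_chk", s)),
        # Calls the compiler could not size-check stay unfortified.
        "unfortified": sorted(imports & FORTIFIABLE),
        # -Wl,-z,relro adds a PT_GNU_RELRO program header.
        "relro": bool(re.search(r"^\s*GNU_RELRO\b", readelf_text, re.M)),
        # -Wl,-z,now sets BIND_NOW in the dynamic section.
        "bind_now": bool(re.search(r"\bBIND_NOW\b", readelf_text)),
    }


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("plain", PLAIN)):
        print(name, check_hardening(text))
```

A non-empty `fortified` list alongside a non-empty `unfortified` list is the situation the report's output describes as "yes (some protected functions found)".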
Description: Use build flags from the environment (dpkg-buildflags).
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-05
--- redir-2.2.1.orig/Makefile
+++ redir-2.2.1/Makefile
@@ -32,8 +32,8 @@ CC = gcc
# if your system lacks getopt_long, remove the comment from this line
OBJS = redir.o $(GETOPT_OBJS)
-CFLAGS = -O2 -Wall --pedantic $(STR_CFLAGS) $(WRAP_CFLAGS) $(EXTRA_CFLAGS)
-LDFLAGS = # -s
+CFLAGS += -Wall --pedantic $(STR_CFLAGS) $(WRAP_CFLAGS) $(EXTRA_CFLAGS)
+LDFLAGS += # -s
# solaris, and others, may also need these libraries to link
# also edit here if you're using the TCP wrappers code
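Review bot: the `CFLAGS +=` line drops `-O2` without a fallback, so a build with no CFLAGS in the environment is now unoptimized, and _FORTIFY_SOURCE has no effect without optimization. Under dpkg-buildflags this is fine because `-O2` comes from the environment, but if the patch is forwarded upstream a `CFLAGS ?= -O2` line ahead of the `+=` would keep the old default. The hunk also does not show the compile and link rules: `-D_FORTIFY_SOURCE=2` is delivered in CPPFLAGS, which this hunk does not touch, so please confirm that objects are built with `$(CPPFLAGS)` and that the link command passes `$(LDFLAGS)`, and say so in the patch description.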