Package: multipath-tools
Version: 0.4.9+git0.4dfdaf2b-2
Tags: patch
Followup-For: Bug #657848
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
The LDFLAGS hardening flags are not applied everywhere, some
files don't use hardening flags.
An updated 0009-hardened-build-flags.patch is attached which
enables it for all files by setting LDFLAGS in ./Makefile.inc
which is included by all Makefiles. $(shell ..) is used instead
of `..` because it's already used in other Makefiles.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package.
$ hardening-check /sbin/multipathd /sbin/multipath /lib/libmultipath.so.0
...
/sbin/multipathd:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/sbin/multipath:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/lib/libmultipath.so.0:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
...
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPViXKAAoJEJL+/bfkTDL5pnYP/Rp+zQ2JJbUBQ62Vhyc+7Htr
ROP0ojjdl1E0LZHZGKB9KAnuGCdgFSsUknrQwdn8jONq3NnJHUbJZEF4rfCjWSTZ
gje0bRQf7YK7lvn2yPtlXD9pbh9pMHIbSt6xg7fiCWecGKC+hOd/Cfa2ZJ5BDvrq
hSdHXVWyeI8xLqjY5b4KBfZkmRixj8pL5+7ciTJNUQi4wx1j7lCQTGOKbAb+rj7E
Mo4QfuLYLYjt4AS8LvVMeJpvisQ2WJsFWR9ZWuZJmeWMIalvw6zUQsu7jjcpUOX8
rEPM8XCUzH+bBqyZAeuUCzdShJHoqCSItpEiz0I6cwJedQznSJ1PoH4mw8U5TnPX
JUcyqiXpazZ531n3EJjcOf2Q8c3mjUYBeDSEZ6vW0mtEyDv/2UC5WJJdzAIHJTik
alX7H09FH8QgPu3osGCvU038TGpjClJ3e8NevVEighy+D8C2VWoYOEIeBHOgsuRR
dxdgwCVl18EZDTmQyrGf6cXN1ocp/EGwLrJ5ih6i5Xg3lAtPNWAemsvme/MvqZLe
AAmhuntXXlbW9zCCOmbqBvn1wzcYxzsP24t/CRr3GU7MYv7+BQq+bKQF7/y8wxEz
FytKCUGRHzj1EwcAg2doUZZtaXMbTBOm6qUa7ZP9rlaBlPtQzubWykp+HXv3Jsb4
gr3RnM8gwJnbzz2FwLNK
=jYnS
-----END PGP SIGNATURE-----
Multipath Hardening Patch
Index: multipath-tools-0.4.9+git0.4dfdaf2b/kpartx/Makefile
===================================================================
--- multipath-tools-0.4.9+git0.4dfdaf2b.orig/kpartx/Makefile 2012-03-06 15:24:14.150277158 +0100
+++ multipath-tools-0.4.9+git0.4dfdaf2b/kpartx/Makefile 2012-03-06 15:24:57.598276770 +0100
@@ -12,7 +12,7 @@
CFLAGS += -DLIBDM_API_COOKIE
endif
-LDFLAGS = -ldevmapper
+LDFLAGS += -ldevmapper
OBJS = bsd.o dos.o kpartx.o solaris.o unixware.o dasd.o sun.o \
gpt.o mac.o crc32.o lopart.o xstrncpy.o devmapper.o
EXEC = kpartx
Index: multipath-tools-0.4.9+git0.4dfdaf2b/Makefile.inc
===================================================================
--- multipath-tools-0.4.9+git0.4dfdaf2b.orig/Makefile.inc 2012-03-06 15:24:14.150277158 +0100
+++ multipath-tools-0.4.9+git0.4dfdaf2b/Makefile.inc 2012-03-06 15:24:57.598276770 +0100
@@ -36,8 +36,10 @@
GZIP = /bin/gzip -9 -c
INSTALL_PROGRAM = install
-OPTFLAGS = -pipe -g -Wall -Wunused -Wstrict-prototypes
-CFLAGS = $(OPTFLAGS) -fPIC -DLIB_STRING=\"${LIB}\"
+OPTFLAGS = -pipe -Wall -Wunused -Wstrict-prototypes
+CFLAGS = $(shell dpkg-buildflags --get CFLAGS) $(shell dpkg-buildflags --get CPPFLAGS) $(OPTFLAGS) -fPIC -DLIB_STRING=\"${LIB}\"
+LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
+
SHARED_FLAGS = -shared
%.o: %.c
Index: multipath-tools-0.4.9+git0.4dfdaf2b/multipath/Makefile
===================================================================
--- multipath-tools-0.4.9+git0.4dfdaf2b.orig/multipath/Makefile 2012-03-06 15:24:14.150277158 +0100
+++ multipath-tools-0.4.9+git0.4dfdaf2b/multipath/Makefile 2012-03-06 15:24:57.598276770 +0100
@@ -7,7 +7,7 @@
OBJS = main.o
CFLAGS += -I$(multipathdir)
-LDFLAGS += -lpthread -ldevmapper -ldl -L$(multipathdir) -lmultipath
+LDFLAGS += -lpthread -ldevmapper -ldl -lmultipath -L$(multipathdir)
EXEC = multipath
