Package: cups
Version: 1.5.2-6
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

Most hardening flags are already enabled by default, but +now is
missing. The attached enables it. For more information please
have a look at [1], [2] and [3].

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/Hardening
[3]: https://wiki.debian.org/HardeningWalkthrough

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPVjcYAAoJEJL+/bfkTDL5A1MP/20RkPASv9VDW6ePK70RAMMd
ThinpvINHlhYs4ezmU4HdNJovWIq5w+22EAzwLukhxTOZ3ZaAs5wVyl/pGGYX0sg
Hn9/D7VUXW8+2Sm8A8dp90ztNzsUCSyItEqXHs/1tgtifzq+m8VAjRzyc7QABf1c
oLgrK1np0+zs5av19kjhd6VK80a6VuPpuF2N6LKQ+hqCVKnaeRc8gsx518OLUmoM
wbgXh/8/V3UUGIJDSJHQstmYoO4G3KvopqN9daNZSCU0vjyQ0qf0K1uZJKDohLH/
vmvfW3JcynYYLOsEFRVKgKhlbpEDlWHCjiMkvxCwjlt3hx2F0ox6JX1IKm8GHXDB
aOo6kffRPGmkI5QYaZTNXm+QOQnmTc+eOAveP07vojXBPq1fg4dpH9Rkh89g9Frf
MhUdQXVkJdeFSTmKt/l4K3pPtsaivmjFJU3Txa86yeDGuF5NeNO2SpNo+2ECbZpX
6EGJsCwux03+2oaRSj0YMN3cD9HYXY83osuBBjUdZKysCyY8f0wYtC5xqnFMK83g
Ru5wvkOrfGXtnNso+VuIqVUn9R+Uv+niLRjn4tXrpqdaazs8V2mbpI+06mMweJCP
uE/GdZnipPic7t91djGLTOPQM067eCff8+afyeO8zlLM7DUav5c9PCfSJmXnb/1A
2PKkP3Sjtnz1uJ7drUJx
=GRUT
-----END PGP SIGNATURE-----
diff -Nru cups-1.5.2/debian/rules cups-1.5.2/debian/rules
--- cups-1.5.2/debian/rules	2012-03-05 08:05:56.000000000 +0100
+++ cups-1.5.2/debian/rules	2012-03-06 00:35:48.000000000 +0100
@@ -12,10 +12,15 @@
 # work around libpng crash on our test PNGs with 8 bit colormaps (LP #710881)
 export NO_PNG_PKG_MANGLE=1
 
-#export DEB_BUILD_MAINT_OPTIONS=hardening
+# Enabling PIE globally doesn't work, but ./configure already enables PIE
+# where necessary.
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
 DPKG_EXPORT_BUILDFLAGS=1
 include /usr/share/dpkg/buildflags.mk
 LDFLAGS+= -Wl,--as-needed
+# The build system uses only DSOFLAGS but not LDFLAGS to build some libraries.
+# Add LDFLAGS to enable (hardening) build flags.
+export DSOFLAGS = $(LDFLAGS)
 
 include /usr/share/cdbs/1/rules/debhelper.mk
 include /usr/share/cdbs/1/class/autotools.mk

Reply via email to