Package: ltpanel
Version: 0.2-3
Severity: important
Tags: patch
Dear Maintainer,
The hardening flags are missing because the build system ignores
them.
DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].
The following patch updates debian/rules to use
DEB_*_MAINT_APPEND. CFLAGS is not necessary as the Makefile
already sets the same values. dpkg-dev is no longer necessary,
the buildflags are automatically used with compat=9.
diff -Nru ltpanel-0.2/debian/control ltpanel-0.2/debian/control
--- ltpanel-0.2/debian/control 2012-02-13 10:38:53.000000000 +0100
+++ ltpanel-0.2/debian/control 2012-03-07 15:09:30.000000000 +0100
@@ -2,7 +2,7 @@
Section: x11
Priority: optional
Maintainer: Jari Aalto <[email protected]>
-Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.1), libx11-dev,
x11proto-core-dev, libxpm-dev
+Build-Depends: debhelper (>= 9), libx11-dev, x11proto-core-dev, libxpm-dev
Standards-Version: 3.9.2
Vcs-Browser: http://git.debian.org/?p=collab-maint/ltpanel.git
Vcs-Git: git://git.debian.org/git/collab-maint/ltpanel.git
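Review bot: Dropping dpkg-dev (>= 1.16.1) from Build-Depends is only correct together with the debian/rules hunk that removes the include of /usr/share/dpkg/buildflags.mk, so both changes need to land in the same upload; with this hunk alone, debian/rules would still include a file from a package version that is no longer requested. The removed Build-Depends line is also wrapped across two lines in this inline copy, so apply the attached patch rather than this text.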
diff -Nru ltpanel-0.2/debian/rules ltpanel-0.2/debian/rules
--- ltpanel-0.2/debian/rules 2012-02-13 10:38:27.000000000 +0100
+++ ltpanel-0.2/debian/rules 2012-03-07 15:17:30.000000000 +0100
@@ -2,10 +2,7 @@
PACKAGE = ltpanel
-include /usr/share/dpkg/buildflags.mk
-CFLAGS += -Wall -pedantic
-LDFLAGS += -Wl,--as-needed
-export CFLAGS LDFLAGS
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
override_dh_auto_build:
$(MAKE) -C src
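Review bot: The new export line sets only DEB_LDFLAGS_MAINT_APPEND, so the build gets the default hardening set and nothing more, which matches the hardening-check output in this report showing PIE and immediate binding off. If those two are wanted for ltpanel, add `export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow` next to it; otherwise a one-line comment in debian/rules saying the defaults are intentional would help the next reader. The dropped `CFLAGS += -Wall -pedantic` loses nothing, since C_FLAGS in src/Makefile already carries both warnings.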
The attached patch fixes the missing hardening flags.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:
$ hardening-check /usr/bin/ltpanel
/usr/bin/ltpanel:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
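
The check described in the report, turned into a pass/fail gate over hardening-check output. This is an added example, not part of the original report or of hardening-check; the names hardening_gaps, sample_output and DEFAULT_OFF are assumptions, and the ./build/helper entry in the sample is constructed.

```shell
# hardening_gaps ALLOWLIST
# Reads hardening-check output on stdin and prints "file: feature" for every
# feature reported as "no", unless the feature is named in the comma-separated
# ALLOWLIST. Returns 1 if anything was printed, 0 otherwise.
hardening_gaps() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
    # A line that ends in ":" names the file the following results belong to.
    /:[ \t]*$/ { sub(/^[ \t]+/, ""); sub(/:[ \t]*$/, ""); file = $0; next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        i = index(line, ": ")
        if (i == 0) next
        feature = substr(line, 1, i - 1)
        verdict = substr(line, i + 2)
        # "yes ..." and "unknown ..." pass; only "no ..." counts as a gap.
        if (verdict ~ /^no/ && !(feature in ok)) {
            print file ": " feature
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the first entry is the output quoted in the report,
# the second entry (./build/helper) is made up to show an unexpected gap.
sample_output() {
    cat <<'EOF'
/usr/bin/ltpanel:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no not found!
./build/helper:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no not found!
EOF
}

# The two features the report says are not enabled by default.
DEFAULT_OFF="Position Independent Executable,Immediate binding"

sample_output | hardening_gaps "$DEFAULT_OFF" || echo "unexpected hardening gaps"
```

On a real build tree, pipe the find command from the report into `hardening_gaps "$DEFAULT_OFF"` in place of sample_output.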
Description: Use build flags from environment (dpkg-buildflags).
Also use $CPPFLAGS, necessary for hardening.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-07
Index: ltpanel-0.2/src/Makefile
===================================================================
--- ltpanel-0.2.orig/src/Makefile 2012-03-07 15:12:40.000000000 +0100
+++ ltpanel-0.2/src/Makefile 2012-03-07 15:15:52.026971956 +0100
@@ -1,7 +1,7 @@
CC = gcc
-C_FLAGS = -g -c -DHAVE_XPM -Wall -pedantic -I/usr/X11R6/include
+C_FLAGS = $(CFLAGS) $(CPPFLAGS) -c -DHAVE_XPM -Wall -pedantic -I/usr/X11R6/include
# L_FLAGS = -O3 -s -Xlinker -L/usr/X11R6/lib -lX11 -lXpm
-L_FLAGS = -g -Xlinker -L/usr/X11R6/lib
+L_FLAGS = $(LDFLAGS) -Xlinker -L/usr/X11R6/lib
L_LIBS = -lX11 -lXpm
PROGNAME = lpanel
OBJS = lpanel.o drawing.o
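Review bot: With `-g` removed from both C_FLAGS and L_FLAGS, a build run outside dpkg-buildflags (empty CFLAGS and LDFLAGS) no longer produces debug information; a default such as `CFLAGS ?= -g` above C_FLAGS keeps the previous behaviour while still letting the environment override it. `$(CFLAGS) $(CPPFLAGS)` would also be better placed at the end of C_FLAGS, so that flags passed in from the environment take precedence over the Makefile's own.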