Package: evolution
Version: 3.2.2-1
Severity: important
Tags: patch
Dear Maintainer,
It seems like the current debian/rules file attempts to enable some hardening
flags... but it's not working at all.
root@neutron:/tmp/ev2# dpkg -l evolution
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii evolution 3.2.2-1 groupware suite with mail client and organiz
$hardening-check /usr/bin/evolution
/usr/bin/evolution:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: no, not found!
Immediate binding: no not found!
I have attached a patch (working for me) which would fix the above and #484369.
For some reason stack canaries are still not enabled though.
$hardening-check /usr/bin/evolution
/usr/bin/evolution:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: yes
More information can be found at:
http://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages evolution depends on:
ii dbus 1.4.18-1
ii debconf [debconf-2.0] 1.5.41
ii evolution-common 3.2.2-1
ii evolution-data-server 3.2.2-1
ii gconf-service 3.2.3-3
ii gconf2 3.2.3-3
ii gnome-icon-theme 3.2.1.2-1
ii libatk1.0-0 2.2.0-2
ii libc6 2.13-27
ii libcairo-gobject2 1.10.2-7
ii libcairo2 1.10.2-7
ii libcamel-1.2-29 3.2.2-1
ii libcanberra-gtk3-0 0.28-3
ii libcanberra0 0.28-3
ii libclutter-1.0-0 1.8.4-1
ii libclutter-gtk-1.0-0 1.0.4-1
ii libcogl-pango0 1.8.2-1
ii libcogl5 1.8.2-1
ii libdrm2 2.4.30-1
ii libebackend-1.2-1 3.2.2-1
ii libebook-1.2-12 3.2.2-1
ii libecal-1.2-10 3.2.2-1
ii libedataserver-1.2-15 3.2.2-1
ii libedataserverui-3.0-1 3.2.2-1
ii libenchant1c2a 1.6.0-7
ii libevolution 3.2.2-1
ii libfontconfig1 2.8.0-3.1
ii libfreetype6 2.4.8-1
ii libgail-3-0 3.2.3-1
ii libgconf-2-4 3.2.3-3
ii libgdata13 0.10.1-2
ii libgdk-pixbuf2.0-0 2.24.1-1
ii libgl1-mesa-glx [libgl1] 7.11.2-1
ii libglib2.0-0 2.30.2-6
ii libgnome-desktop-3-2 3.2.1-3
ii libgtk-3-0 3.2.3-1
ii libgtkhtml-4.0-0 4.2.2-1
ii libgtkhtml-editor-4.0-0 4.2.2-1
ii libgweather-3-0 3.2.1-1
ii libical0 0.44-3
ii libjson-glib-1.0-0 0.14.2-1
ii libmx-1.0-2 1.4.2-1
ii libnotify4 0.7.4-1
ii libnspr4-0d 4.9-1
ii libnss3-1d 3.13.3-1
ii libpango1.0-0 1.29.4-2
ii libsoup-gnome2.4-1 2.36.1-1
ii libsoup2.4-1 2.36.1-1
ii libsqlite3-0 3.7.10-1
ii libx11-6 2:1.4.4-4
ii libxcomposite1 1:0.4.3-2
ii libxdamage1 1:1.1.3-2
ii libxext6 2:1.3.0-3
ii libxfixes3 1:5.0-4
ii libxi6 2:1.4.5-1
ii libxml2 2.7.8.dfsg-7
ii psmisc 22.16-1
Versions of packages evolution recommends:
ii bogofilter 1.2.2+dfsg1-1
ii evolution-plugins 3.2.2-1
ii evolution-webcal 2.32.0-2
ii yelp 3.2.1+dfsg-1+b1
Versions of packages evolution suggests:
ii evolution-dbg <none>
ii evolution-exchange 3.2.1-2
ii evolution-plugins-experimental <none>
ii gnupg 1.4.12-3
ii network-manager 0.9.2.0-2
-- debconf information excluded
--- evolution-3.2.2-old/debian/rules 2011-11-24 19:13:27.000000000 +0000
+++ evolution-3.2.2/debian/rules 2012-03-07 18:34:23.156893611 +0000
@@ -8,7 +8,6 @@
include /usr/share/cdbs/1/rules/utils.mk
include /usr/share/gnome-pkg-tools/1/rules/gnome-get-source.mk
include /usr/share/gnome-pkg-tools/1/rules/gnome-version.mk
-include /usr/share/hardening-includes/hardening.make
ELIBDIR := usr/lib/evolution/3.2
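Review bot: Dropping the include of /usr/share/hardening-includes/hardening.make in this hunk is not matched by any change outside debian/rules, so the build dependencies need a look in the same upload. If debian/control carries a build dependency that exists only to provide that file, remove it, and make sure the declared build dependencies guarantee that /usr/share/dpkg/buildflags.mk, which the next hunk starts including, is present at build time.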
@@ -17,8 +16,9 @@
DEB_DH_MAKESHLIBS_ARGS_evolution += -V
DEB_DH_MAKESHLIBS_ARGS_ALL += --noscripts -X $(ELIBDIR)/plugins
-export DEB_LDFLAGS_MAINT_APPEND=-Wl,-z,defs -Wl,--as-needed -Wl,-O1
-export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,+bindnow
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
DEB_REVISION := $(shell echo $(DEB_VERSION) | awk -F- '{ print $$NF }')
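Review bot: The removed DEB_LDFLAGS_MAINT_APPEND line has no replacement in this hunk, so -Wl,-z,defs -Wl,--as-needed -Wl,-O1 stop being passed to the linker. Those are link-time checks and optimisations, not hardening options, and losing them is unrelated to the stated goal. Keep that export next to the new DEB_BUILD_MAINT_OPTIONS = hardening=+all line, or say in the changelog why it goes away. Separately, the report notes that hardening-check still shows "Stack protected: no" with this patch applied, so check the build log to confirm that the flags set through buildflags.mk actually reach the compile commands before treating hardening=+all as effective.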