Package: fltk1.1
Version: 1.1.10-12
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,

The LDFLAGS hardening flags are missing because the build system partially ignores them. For more hardening information please have a look at [1], [2] and [3]. The attached patch fixes the issue.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

$ hardening-check /usr/lib/x86_64-linux-gnu/libfltk_images.so.1.1 /usr/lib/x86_64-linux-gnu/libfltk_gl.so.1.1 ...
/usr/lib/x86_64-linux-gnu/libfltk_images.so.1.1:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/libfltk_gl.so.1.1:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
...

(Position Independent Executable and Immediate binding are not enabled by default.)

Use

find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.
Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPWqaQAAoJEJL+/bfkTDL5J50QAIg+ftQ6pTSkkZqHnD44XIlQ
d4bpU9+hK/uNjxfJUTykpP6qWFKGW40U+e0cVvlwqJCI1r1Y6P5HsSdThEamnFJe
SdGEEOX0uo62VWhHW1iqf/usv9qDx+byF8BWlW04PyfH7F8lAQKlNIF8ytw/z4dF
VdRIZZT1oRlX+Lol+ddu3zyjZmDZQWAP139Tn8GXAytR4v1MIhopKYeumJEomat+
SFdhpYVv2+Zf90hADzvHAhHkCG60uIKXHUGdVAqi0JkzWmFw0Z8a6/WI7OtNv3N3
Xvg1Hu4Cmx+c+AWveTTkH/ciMvGsm9sc4F/GDl34yX6WK74wJhvjwcphP3D8agTk
8U3vVVMMnRainrEYLhcgbx9x4zMSKRLT4D+C0el2c3Bqtz1KEOAJJoYai1SWvu69
Gc9EZ1gRMyA5rNPPAUYP3phU7m+/cYBHciXDj8XU/IWDyUxvhmYMVMFa9GnGYddj
CYa47yr6TPBz7STMROuZmWscx3gJFMtmAuTCURbWFt7uucgZka5AJXWp2/8qJvwp
JRhiagzY3cJ5+wCSoo6NDLjopZZ24k8/QHc+IVSLH5grhHzrP6BMXR9BrMx9noRh
qxpKQaQswQNXUXqPHDqQl9Rrj/KKalRZUiyR/KB/RSDR4Hht/r3EPQZgWCUoCao+
bvBI9SxaKOw4wgs185no
=f6H8
-----END PGP SIGNATURE-----
diff -Nru fltk1.1-1.1.10/debian/patches/debian-changes fltk1.1-1.1.10/debian/patches/debian-changes --- fltk1.1-1.1.10/debian/patches/debian-changes 2012-03-08 00:43:20.000000000 +0100 +++ fltk1.1-1.1.10/debian/patches/debian-changes 2012-03-10 01:46:00.000000000 +0100 @@ -9,7 +9,7 @@ - if test "x$libdir" != "x/usr/lib"; then - DSOLINK="-Wl,-rpath,$libdir" - fi -+ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o" ++ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) \$(LDFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o" +# if test "x$libdir" != "x/usr/lib"; then +# DSOLINK="-Wl,-rpath,$libdir" +# fi @@ -197,7 +197,7 @@ - if test "x$libdir" != "x/usr/lib"; then - DSOLINK="-Wl,-rpath,$libdir" - fi -+ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o" ++ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) \$(LDFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o" +# if test "x$libdir" != "x/usr/lib"; then +# DSOLINK="-Wl,-rpath,$libdir" +# fi @@ -535,7 +535,7 @@ threads$(EXEEXT): threads.o + echo Linking $@... -+ $(CXX) -I.. $(CXXFLAGS) threads.o -o $@ $(LINKFLTK) -lpthread ++ $(CXX) -I.. $(LDFLAGS) threads.o -o $@ $(LINKFLTK) -lpthread + $(POSTBUILD) $@ ../FL/mac.r # This ensures that we have this dependency even if threads are not # enabled in the current tree...
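Review bot: the first hunk (@@ -9,7 +9,7 @@) hand-edits debian/patches/debian-changes, which is the patch dpkg-source regenerates itself for a 3.0 (quilt) source package; make the `\$(LDFLAGS)` insertion in the unpacked tree and record it with `dpkg-source --commit` (or as a named quilt patch) instead, otherwise the next `dpkg-source -b` rewrites debian-changes and the DSOCOMMAND change is lost without any build failure to flag it.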
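Review bot: the second hunk (@@ -197,7 +197,7 @@) is byte-for-byte the same DSOCOMMAND edit as the first, which means the line exists in two files (most likely the autoconf input and the generated configure); keep both in sync or have debian/rules regenerate configure, and since `\$(LDFLAGS)` is now expanded by make at link time rather than captured by configure, confirm in the build log that LDFLAGS is actually set in the make environment (for example exported from `dpkg-buildflags` in debian/rules), otherwise the new `\$(LDFLAGS)` expands to nothing and the hardening-check output stays at "Immediate binding: no".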
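Review bot: the third hunk (@@ -535,7 +535,7 @@) replaces `$(CXXFLAGS)` with `$(LDFLAGS)` on the threads link line instead of adding to it, so any flag in CXXFLAGS that also matters at link time (-pthread, -flto, -fsanitize=...) silently stops reaching the link; keep both, i.e. `$(CXX) -I.. $(CXXFLAGS) $(LDFLAGS) threads.o -o $@ $(LINKFLTK) -lpthread`, which is the usual form when the compiler driver is used as the linker.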
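The report's two link-time rows, "Read-only relocations" and "Immediate binding", are exactly what the missing LDFLAGS (-Wl,-z,relro and -Wl,-z,now) control, and they can be read straight from the ELF file without hardening-check. The following Python inspector is an added example written for this page; it is not part of the bug report, of hardening-check, or of fltk, and the names `check_hardening` and `build_sample_elf` are this example's own. It parses the ELF64 program headers for PT_GNU_RELRO and walks the PT_DYNAMIC segment for DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW; the stack-protector and FORTIFY rows use the same symbol-name heuristic hardening-check applies (`__stack_chk_fail`, `*_chk`), here as a raw byte search so no symbol-table parser is needed. `build_sample_elf` constructs a synthetic minimal ELF so the check can be exercised offline.

```python
"""Inspect an ELF64 file for the link-time hardening rows hardening-check reports.

Added example for this bug report, not hardening-check itself and not fltk code.
Only little-endian ELF64 (what Debian amd64 ships) is handled.
"""
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1
# p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align (56 bytes)
PHDR_FMT = "<IIQQQQQQ"


def _program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for each program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        fields = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        yield fields[0], fields[2], fields[5]


def _dynamic_entries(data, offset, size):
    """Yield (d_tag, d_val) from the PT_DYNAMIC segment, stopping at DT_NULL."""
    for off in range(offset, offset + size, 16):
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        yield d_tag, d_val


def check_hardening(data):
    """Return the hardening rows for one ELF image given as bytes."""
    relro = bind_now = False
    for p_type, p_offset, p_filesz in _program_headers(data):
        if p_type == PT_GNU_RELRO:
            relro = True                                   # from -Wl,-z,relro
        elif p_type == PT_DYNAMIC:
            for tag, val in _dynamic_entries(data, p_offset, p_filesz):
                if (tag == DT_BIND_NOW
                        or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True                        # from -Wl,-z,now
    return {
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,   # GOT read-only after startup
        # Heuristics: the symbol names hardening-check looks for in .dynsym.
        "stack_protector": b"__stack_chk_fail\0" in data,
        "fortify": b"_chk\0" in data,
    }


def build_sample_elf(relro=True, bind_now=True, stack_protector=True):
    """Constructed minimal ET_DYN ELF64 for offline testing (not a real library)."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    strtab = b"\0__stack_chk_fail\0" if stack_protector else b"\0"
    phnum = 2 if relro else 1
    phoff = 64
    dyn_off = phoff + phnum * 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 0x3E, 1, 0, phoff, 0, 0,   # ET_DYN, x86-64
                               64, 56, phnum, 0, 0, 0)
    phdrs = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                        len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off,
                             len(dyn), len(dyn), 1)
    return ehdr + phdrs + dyn + strtab


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /usr/lib/x86_64-linux-gnu/libfltk_images.so.1.1 ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

Run it over the build result the same way the report runs hardening-check (`find -type f \( -executable -o -name \*.so\* \) -exec python3 elfcheck.py {} +`); a library built with `-Wl,-z,relro` but without `-Wl,-z,now`, which is what the report's output shows, comes back with `relro` true and `bind_now` false, i.e. partial RELRO only.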