Package: fltk1.1
Version: 1.1.10-12
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
The LDFLAGS hardening flags are missing because the build system
partially ignores them. For more hardening information please
have a look at [1], [2] and [3].
The attached patch fixes the issue.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/lib/x86_64-linux-gnu/libfltk_images.so.1.1
/usr/lib/x86_64-linux-gnu/libfltk_gl.so.1.1 ...
/usr/lib/x86_64-linux-gnu/libfltk_images.so.1.1:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/libfltk_gl.so.1.1:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
...
(Position Independent Executable and Immediate binding are not
enabled by default.)
Use
  find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +
on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
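An added example, not part of this report and not the hardening-includes tool itself: a small Python script that performs the two checks the report is about, Read-only relocations (a PT_GNU_RELRO segment) and Immediate binding (BIND_NOW in the dynamic section), by reading the ELF64 program headers and dynamic section directly, so it runs on a build tree without hardening-check installed. PIE is classified with a common heuristic (ET_DYN with a DT_DEBUG entry is an executable, ET_DYN without one a plain shared library, which is reported as ignored). The function names, the little-endian ELF64 restriction and the build_fake_elf() images used for the self-test are my own constructions.

```python
"""Minimal ELF64 hardening check (RELRO / BIND_NOW / PIE) without external tools."""
import os
import struct
import sys

# ELF constants (values from elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS = 0, 21, 24, 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def check_hardening(data: bytes) -> dict:
    """Report relro / bind_now / pie for a little-endian ELF64 image.

    relro:    a PT_GNU_RELRO segment is present (-Wl,-z,relro)
    bind_now: DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW is set (-Wl,-z,now)
    pie:      ET_DYN with a DT_DEBUG entry; ET_DYN without one is treated
              as a plain shared library (heuristic, see lead-in)
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)

    relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):
        p_type, _fl, p_offset, _va, _pa, p_filesz, _ms, _al = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    bind_now = has_debug = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):  # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_DEBUG:
                has_debug = True
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True

    if e_type == ET_DYN:
        pie = "yes" if has_debug else "shared library (ignored)"
    else:
        pie = "no"
    return {"relro": relro, "bind_now": bind_now, "pie": pie,
            "full_relro": relro and bind_now}


def report(path: str) -> list:
    """hardening-check style lines for one file; non-ELF files give []."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        return []
    r = check_hardening(data)
    yn = lambda b: "yes" if b else "no, not found!"
    return [f"{path}:",
            f"  Position Independent Executable: {r['pie']}",
            f"  Read-only relocations: {yn(r['relro'])}",
            f"  Immediate binding: {yn(r['bind_now'])}"]


def build_fake_elf(relro: bool, bind_now: bool, e_type: int = ET_DYN,
                   debug: bool = False) -> bytes:
    """Constructed test image: ELF header, program headers and a dynamic section only."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    if debug:
        dyn += struct.pack("<qQ", DT_DEBUG, 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    n_ph = 2 if relro else 1
    dyn_off = 64 + 56 * n_ph                      # right after the program headers
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, n_ph, 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Walk a build tree the way the find(1) command in the report does.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and (os.access(p, os.X_OK) or ".so" in name):
                for line in report(p):
                    print(line)
```

Run it as `python3 elfcheck.py debian/tmp` after the build; a library linked without the LDFLAGS from dpkg-buildflags shows "Read-only relocations: no, not found!", which is the symptom this patch addresses. Stack protector and FORTIFY detection need symbol-table inspection and are left to hardening-check.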
diff -Nru fltk1.1-1.1.10/debian/patches/debian-changes fltk1.1-1.1.10/debian/patches/debian-changes
--- fltk1.1-1.1.10/debian/patches/debian-changes 2012-03-08 00:43:20.000000000 +0100
+++ fltk1.1-1.1.10/debian/patches/debian-changes 2012-03-10 01:46:00.000000000 +0100
@@ -9,7 +9,7 @@
- if test "x$libdir" != "x/usr/lib"; then
- DSOLINK="-Wl,-rpath,$libdir"
- fi
-+ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o"
++ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) \$(LDFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o"
+# if test "x$libdir" != "x/usr/lib"; then
+# DSOLINK="-Wl,-rpath,$libdir"
+# fi
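Review bot: the placement of \$(LDFLAGS) in DSOCOMMAND is right (it precedes -shared and -Wl,-soname, so -Wl,-z,relro from dpkg-buildflags reaches the shared-library link), but the hunk only references the variable; confirm in the build log that LDFLAGS is actually defined in the generated makefiles and that DSOFLAGS does not already carry the same options. As a style point, this edits the catch-all debian/patches/debian-changes in place; a separate named patch with a DEP-3 header describing the LDFLAGS fix would survive the next `dpkg-source` refresh and be easier to review.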
@@ -197,7 +197,7 @@
- if test "x$libdir" != "x/usr/lib"; then
- DSOLINK="-Wl,-rpath,$libdir"
- fi
-+ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o"
++ DSOCOMMAND="\$(CXX) \$(DSOFLAGS) \$(LDFLAGS) -Wl,-soname,\$@ -shared -fPIC $DEBUGFLAG -o"
+# if test "x$libdir" != "x/usr/lib"; then
+# DSOLINK="-Wl,-rpath,$libdir"
+# fi
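Review bot: this hunk is byte for byte the same edit as the one at @@ -9, so the patch touches both the configure source and the generated configure script (or two copies of the same file); say in the description which one is authoritative and that the other was regenerated or hand-synced, otherwise the two copies drift the next time debian-changes is refreshed. The commented-out DSOLINK rpath lines are pre-existing debian-changes content carried unchanged here, which is fine but worth stating.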
@@ -535,7 +535,7 @@
threads$(EXEEXT): threads.o
+ echo Linking $@...
-+ $(CXX) -I.. $(CXXFLAGS) threads.o -o $@ $(LINKFLTK) -lpthread
++ $(CXX) -I.. $(LDFLAGS) threads.o -o $@ $(LINKFLTK) -lpthread
+ $(POSTBUILD) $@ ../FL/mac.r
# This ensures that we have this dependency even if threads are not
# enabled in the current tree...
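Review bot: replacing $(CXXFLAGS) with $(LDFLAGS) on the threads$(EXEEXT) link line drops the compiler flags from a link step driven by $(CXX); most are harmless to lose, but flags that must also be present at link time (for example -pthread or -flto) would be. Adding rather than substituting is safer: `$(CXX) -I.. $(CXXFLAGS) $(LDFLAGS) threads.o -o $@ $(LINKFLTK) -lpthread`. Only the threads target is touched; check whether the other test/ link rules already carry $(LDFLAGS), since `hardening-check` on each built test binary will flag any that do not.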