Package: picolisp
Version: 3.0.9.4-1
Severity: important
Tags: patch
Dear Maintainer,
Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].
The attached patch updates the build system to respect the
hardening flags, necessary for CFLAGS and LDFLAGS. If possible
this patch should be sent to upstream.
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/picolisp /usr/lib/picolisp/lib/ht /usr/lib/picolisp/lib/ext
/usr/bin/picolisp:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
/usr/lib/picolisp/lib/ht:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: yes
/usr/lib/picolisp/lib/ext:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: yes
(Position Independent Executable is not enabled by default.)
Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.
picolisp, ht and ext have an executable stack, which might cause
security problems. But I'm not sure if this is required by the
program; if it's not, adding -Wl,-z,noexecstack to LDFLAGS fixes
that.
I haven't tested picolisp with these new flags; please test it
before uploading a new package with these changes. Normally
everything works fine, but picolisp uses assembly, which might
cause problems.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
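The two checks the report leans on (hardening-check's RELRO result and the executable-stack remark that motivates -Wl,-z,noexecstack), as an added example that is not part of the original report or of hardening-check: a small Python parser of my own that walks the ELF64 program headers and reports an executable PT_GNU_STACK and a missing PT_GNU_RELRO segment. The sample images are constructed inline (header plus program headers, no code); elf_hardening, findings, build_sample_elf and check_file are names I chose.

```python
import struct

PT_GNU_STACK = 0x6474E551   # stack-permission header emitted by GNU ld
PT_GNU_RELRO = 0x6474E552   # present when linked with -Wl,-z,relro
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def elf_hardening(data: bytes) -> dict:
    """Walk the ELF64 program headers; report stack executability and RELRO."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"               # EI_DATA: 1 little, 2 big endian
    (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    exec_stack = None            # None: the binary carries no PT_GNU_STACK header at all
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"exec_stack": exec_stack, "relro": relro}

def findings(data: bytes) -> list:
    """Human-readable warnings for the two link-time issues raised in the report."""
    info = elf_hardening(data)
    out = []
    if info["exec_stack"] is None:
        out.append("no PT_GNU_STACK header: stack executability is left to the loader default")
    elif info["exec_stack"]:
        out.append("executable stack: link with -Wl,-z,noexecstack unless the program needs it")
    if not info["relro"]:
        out.append("no PT_GNU_RELRO segment: link with -Wl,-z,relro")
    return out

def check_file(path: str) -> list:
    """Run the checks on a built binary or shared object on disk."""
    with open(path, "rb") as fh:
        return findings(fh.read())

def build_sample_elf(stack_flags, with_relro: bool) -> bytes:
    """Constructed test image: a bare little-endian ELF64 header plus program headers."""
    phdrs = [(PT_GNU_STACK, stack_flags)] if stack_flags is not None else []
    if with_relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # ELF64, LE, version 1
    # e_type=ET_DYN(3), e_machine=x86-64(62), e_phoff=64, e_ehsize=64, e_phentsize=56
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16) for t, f in phdrs)
    return hdr + body
```

check_file("/usr/bin/picolisp") on the package as described above would return the executable-stack warning and nothing about RELRO, matching the hardening-check output quoted in the report.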
Description: Always use $CFLAGS and $LDFLAGS.
Necessary for hardening flags and noopt support.
Author: Simon Ruderich <[email protected].
Last-Update: 2012-03-06
Index: picolisp-3.0.9.4/src64/Makefile
===================================================================
--- picolisp-3.0.9.4.orig/src64/Makefile 2012-03-06 16:47:29.000000000 +0100
+++ picolisp-3.0.9.4/src64/Makefile 2012-03-06 16:47:29.000000000 +0100
@@ -34,7 +34,7 @@
MKASM-LIB = -fpic
AS = as
LD-MAIN = -m64 -rdynamic -lc -lm -ldl $(LDFLAGS)
- LD-SHARED = -m64 -shared -export-dynamic
+ LD-SHARED = -m64 -shared -export-dynamic $(LDFLAGS)
STRIP = :
else
ifeq (solaris,$(OS))
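Review bot: LD-SHARED gains $(LDFLAGS) while LD-MAIN already had it, so whatever the maintainer puts in LDFLAGS (the -Wl,-z,relro hardening flag, and -Wl,-z,noexecstack if the executable-stack finding in the report is addressed) now reaches lib/ht and lib/ext as well as the main binary. Worth adding to the patch description that these src64 objects are produced with `as` (see the AS = as context line), so CFLAGS-driven protections such as -fstack-protector cannot apply to them and hardening-check will keep reporting "Stack protected: no" for the shared libraries regardless of this hunk.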
@@ -44,7 +44,7 @@
MKASM-LIB = -fpic
AS = as
LD-MAIN = -m64 -lc -lm -ldl -lsocket -lnsl $(LDFLAGS)
- LD-SHARED = -m64 -shared
+ LD-SHARED = -m64 -shared $(LDFLAGS)
STRIP = strip
else
ifeq (kopensolaris,$(OS))
@@ -54,7 +54,7 @@
MKASM-LIB = -fpic
AS = as
LD-MAIN = -m64 -rdynamic -lc -lm $(LDFLAGS)
- LD-SHARED = -m64 -shared
+ LD-SHARED = -m64 -shared $(LDFLAGS)
STRIP = strip
endif
endif
@@ -78,8 +78,8 @@
AS = as -mppc64 -a64
endif
endif
- LD-MAIN = -m64 -rdynamic -lc -lm -ldl
- LD-SHARED = -m64 -shared -export-dynamic
+ LD-MAIN = -m64 -rdynamic -lc -lm -ldl $(LDFLAGS)
+ LD-SHARED = -m64 -shared -export-dynamic $(LDFLAGS)
STRIP = strip
else
ifeq ($(UNAME), SunOS)
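Review bot: Unlike the branches in the earlier hunks, LD-MAIN here had no $(LDFLAGS) at all, so a build going through this branch previously linked the main executable with no hardening link flags whatsoever; the fix is right and is the only src64 hunk that changes the main binary's link line. The description does not say which branch the Debian amd64 build actually takes, and one line on that would make it easier to confirm the result against the hardening-check output quoted in the report.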
@@ -89,8 +89,8 @@
MKASM-BASE =
MKASM-LIB = -fpic
AS = gas --64
- LD-MAIN = -m64 -lc -lm -ldl -lsocket -lnsl
- LD-SHARED = -m64 -shared
+ LD-MAIN = -m64 -lc -lm -ldl -lsocket -lnsl $(LDFLAGS)
+ LD-SHARED = -m64 -shared $(LDFLAGS)
STRIP = strip
endif
endif
Index: picolisp-3.0.9.4/src/Makefile
===================================================================
--- picolisp-3.0.9.4.orig/src/Makefile 2012-03-06 16:47:29.000000000 +0100
+++ picolisp-3.0.9.4/src/Makefile 2012-03-10 16:45:23.228809000 +0100
@@ -19,7 +19,7 @@
LDFLAGS ?=
PICOLISP-FLAGS = -rdynamic
LIB-FLAGS = -lc -lm -ldl $(LDFLAGS)
-DYNAMIC-LIB-FLAGS = -shared -export-dynamic
+DYNAMIC-LIB-FLAGS = -shared -export-dynamic $(LDFLAGS)
STRIP = :
ifeq (amd64,$(CPU))
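Review bot: `LDFLAGS ?=` honours an environment-supplied value (as dpkg-buildflags provides) and leaves it empty otherwise, which is what makes appending $(LDFLAGS) safe for non-Debian builds. The description says the patch makes the build use $CFLAGS as well, but nothing in this file's visible diff shows CFLAGS reaching the picolisp compile itself (the later hunk covers only the tool binaries), so either state where CFLAGS enters or narrow the description to LDFLAGS for src/Makefile.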
@@ -33,36 +33,36 @@
ifeq ($(shell uname), Linux)
OS = Linux
PICOLISP-FLAGS = -m32 -rdynamic
- LIB-FLAGS = -lc -lm -ldl
- DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic
+ LIB-FLAGS = -lc -lm -ldl $(LDFLAGS)
+ DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic $(LDFLAGS)
STRIP = strip
else
ifeq ($(shell uname), OpenBSD)
OS = OpenBSD
PICOLISP-FLAGS = -m32 -rdynamic -Wl,-E
- LIB-FLAGS = -lc -lm
- DYNAMIC-LIB-FLAGS = -Wl,-E -Wl,-shared
+ LIB-FLAGS = -lc -lm $(LDFLAGS)
+ DYNAMIC-LIB-FLAGS = -Wl,-E -Wl,-shared $(LDFLAGS)
STRIP = strip
else
ifeq ($(shell uname), FreeBSD)
OS = FreeBSD
PICOLISP-FLAGS = -m32 -rdynamic
- LIB-FLAGS = -lc -lm
- DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic
+ LIB-FLAGS = -lc -lm $(LDFLAGS)
+ DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic $(LDFLAGS)
STRIP = strip
else
ifeq ($(shell uname), NetBSD)
OS = NetBSD
PICOLISP-FLAGS = -m32 -rdynamic
- LIB-FLAGS = -lc -lm
- DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic
+ LIB-FLAGS = -lc -lm $(LDFLAGS)
+ DYNAMIC-LIB-FLAGS = -m32 -shared -export-dynamic $(LDFLAGS)
STRIP = strip
else
ifeq ($(shell uname), Darwin)
OS = Darwin
PICOLISP-FLAGS = -m32
- LIB-FLAGS = -lc -lm -ldl
- DYNAMIC-LIB-FLAGS = -m32 -dynamiclib -undefined dynamic_lookup
+ LIB-FLAGS = -lc -lm -ldl $(LDFLAGS)
+ DYNAMIC-LIB-FLAGS = -m32 -dynamiclib -undefined dynamic_lookup $(LDFLAGS)
STRIP = :
else
ifeq ($(shell uname -o), Cygwin)
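Review bot: The five 32-bit OS branches get $(LDFLAGS) appended consistently; the Darwin one appends it after `-dynamiclib -undefined dynamic_lookup`, which is harmless for Debian (LDFLAGS defaults to empty per the line-19 hunk) but means an upstream Darwin user exporting GNU ld options would pass them to Apple's linker unchanged. The Cygwin branch that begins at the last context line is outside the hunk and keeps its old flags, so if the patch is forwarded upstream as the report suggests, that one branch is left inconsistent with the rest.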
@@ -134,27 +134,27 @@
$(bin)/lat1: lat1.c
- gcc -o $(bin)/lat1$(exe) lat1.c
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/lat1$(exe) lat1.c
$(STRIP) $(bin)/lat1$(exe)
$(bin)/utf2: utf2.c
- gcc -o $(bin)/utf2$(exe) utf2.c
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/utf2$(exe) utf2.c
$(STRIP) $(bin)/utf2$(exe)
$(bin)/balance: balance.c
- gcc -o $(bin)/balance$(exe) balance.c
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/balance$(exe) balance.c
$(STRIP) $(bin)/balance$(exe)
$(bin)/ssl: ssl.c
- gcc -o $(bin)/ssl$(exe) ssl.c -lssl -lcrypto
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/ssl$(exe) ssl.c -lssl -lcrypto
$(STRIP) $(bin)/ssl$(exe)
$(bin)/httpGate: httpGate.c
- gcc -o $(bin)/httpGate$(exe) httpGate.c -lssl -lcrypto
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/httpGate$(exe) httpGate.c -lssl -lcrypto
$(STRIP) $(bin)/httpGate$(exe)
$(bin)/z3dClient: z3dClient.c
- gcc -o $(bin)/z3dClient$(exe) z3dClient.c -L/usr/X11R6/lib -lXext -lX11
+ gcc $(CFLAGS) $(LDFLAGS) -o $(bin)/z3dClient$(exe) z3dClient.c -L/usr/X11R6/lib -lXext -lX11
$(STRIP) $(bin)/z3dClient$(exe)
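Review bot: These tool targets are the only lines in the patch where $(CFLAGS) appears, so on amd64, where the interpreter and lib/ht and lib/ext come from the src64 Makefile above and are assembled with `as`, the "Stack protected" and "Fortify Source" checks can only improve for lat1, utf2, balance, ssl, httpGate and z3dClient; saying so in the description would pre-empt a "hardening-check still says no for picolisp" follow-up. Flag placement is fine: $(LDFLAGS) sits ahead of the -lssl -lcrypto and X11 library lists, so order-sensitive linker options in LDFLAGS would still cover those libraries.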