Package: ncompress
Version: 4.2.4.4
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
The CPPFLAGS and LDFLAGS hardening flags are missing because
debian/rules doesn't set them.
The following patch fixes the issue.
diff -Nru ncompress-4.2.4.4/debian/rules ncompress-4.2.4.4/debian/rules
--- ncompress-4.2.4.4/debian/rules 2011-09-27 02:14:10.000000000 +0200
+++ ncompress-4.2.4.4/debian/rules 2012-03-12 15:12:25.000000000 +0100
@@ -38,7 +38,7 @@
build-indep: build-stamp
build-stamp:
dh_testdir
- gcc $(CFLAGS) -o compress -DNOFUNCDEF -DCOMPILE_DATE="\"`date`\""
compress42.c
+ gcc $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o compress -DNOFUNCDEF
-DCOMPILE_DATE="\"`date`\"" compress42.c
touch build-stamp
configure:
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/compress
/usr/bin/compress:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPXgWKAAoJEJL+/bfkTDL59scQALYC2hkh/iYdrshSJlUv9QqP
yHgzMc/GY3Unc2UaZ/xAwBZJSHT1nNXCYd+C04Q9Sp7MT8MqZ/M/MY//2obOhciL
P/LgHaIrIrGSQ32E5a1iStZ+WRoqMuYD4dJkHJSmZdzMh4Z4P35+PKw9uJJssKA9
q8Rxs+gpk0CMnXTteltK1OtW38IVLwtnwLrBnMxOaDqJegIViI78As96JDSf2pAK
DZ05EZm6yPqwCcJDjY4bOfbShSDtGRWxQNsXtjBm5dJe3PUb0hm+FEqOcnadwoFK
dxvUXaGjCuyttd0y8SFnOfZWziiDE+3VwQ+k5Wo57z0TgTHh9NCzvoqnOzJYCX7x
rfzWYj2tPZ62ijsPkQGsGGVITOSPMZ5bJUM0k+PVAn/w+aXljEtovOpQJ39s2ZAB
LZjv7E8kVMSuE8HqDOQvVoHdrHSwsfKw7SI1zyXPpIyUfWYhqYjhS+9jrupWHTf8
GH3kqYC7wa7donAxTgTb5WsX2EzS8cyzQvctUL6Z0E+6+3Yh1qxxw4pCvJ7ostvN
E7FAXv+vMg1mTZbn0A/pffKqrbSJsN4706AOJS56Zf46h2gPWX4TaeczRRSX0mMK
gtG0ovjThdwjAjBNIXE5G0zPUGDjVVhSUIpdRQkZ2cCYLJMkPQTqePsJdFwIuklW
9IBSXzR1Mn/6843mjJ2v
=jAZ3
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
