Package: mailman
Version: 1:2.1.14-3
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,

The CPPFLAGS and LDFLAGS hardening flags are missing because the build system ignores them. For more hardening information please have a look at [1], [2] and [3].

The attached patch fixes the issue. If possible it should be sent to upstream.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

$ hardening-check /usr/lib/mailman/mail/mailman /usr/lib/cgi-bin/mailman/subscribe /usr/lib/cgi-bin/mailman/roster ...
/usr/lib/mailman/mail/mailman:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/cgi-bin/mailman/subscribe:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/cgi-bin/mailman/roster:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found
...

(Position Independent Executable and Immediate binding are not enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.
Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPXg0YAAoJEJL+/bfkTDL5tlMP/05bCesEq5OBPLT3DKqSRWgP
YiAGGNr93rUlnnzy3CgDaYt3/C/ZmXdM9ZbaykAdQkLMHFM0jSTmnGyBtIXgyfU4
vanA4b2S/2jHlJERGMDvopRabTefYGlLoWCrUt/glatsjd+QF79rclPor+MIFh3L
AGTxA9wxlR6e0UfbeeA88u41DkrSfC0qyJv8JMZI62hQor5/x/WWFTGVwBYmNcKp
iTyQdISFvtsaY1kC/jpqHfe2Xd3+QucnTLFK+jJzinqY2455YxfE97xxGobDRGDT
0THQJ5Z9oZtoKl9L9VhZTgiLaDQC3QErmUyaEVloRvyEMA0rm3Mc582S5TdpKkTt
pjOEyAUkidfjk/86hMUtLdJY4oJdxvS5h1L2xZV8/2VV1nMvtFyo/mu4JCJl1d/3
YFh3vQ1X82Nag9ZMVwSEFmZ5vhmUGQoW112B5PBXyPeDbjM7SBIO+r3SE9GiQbGQ
gNb4AKzkgu0ezmmmwrAXqzxAWkcLXN/FTZsN+9j5YeOFDOjJ9TBNhmkGzCJyrJcQ
fDa5B8KHQf/XLOpf5UpJC9VlQJoFYAhjQt5c4cZM5FmqGXr24CTKgy2nJN7OGOWW
d4J8tIV/kWVvY2+i8KLeZ26SXN0eXPsuIn7DELYF0raLWAZjLU9d+7GxBa1oZo63
pOu9ofKaC5w45zRpbvkw
=aYw1
-----END PGP SIGNATURE-----
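The report relies on hardening-check to confirm that the flags actually reached the binaries. As an added example (not part of this bug report, and not code from mailman or the hardening-includes package), the following Python script re-derives the same five properties hardening-check prints directly from the ELF64 structures: PIE from e_type, read-only relocations from a PT_GNU_RELRO header, immediate binding from the dynamic section, and the stack-protector and fortify findings from names in the dynamic string table. `build_sample_elf()` is a constructed, minimal ELF image used only to exercise the checker; it is not a mailman build product, and all function and constant names are the example's own.

```python
"""Minimal ELF64 hardening checker (added example; not hardening-check itself).
Little-endian ELF64 only, which covers an amd64 build result."""
import struct

ET_DYN = 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address 0x%x is not backed by any PT_LOAD segment" % vaddr)


def check_hardening(data):
    """Return the five hardening properties for the ELF64 image `data`."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    loads, dynamic, relro = [], None, False
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_vaddr, p_filesz = fields[0], fields[2], fields[3], fields[5]
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:   # what hardening-check calls "Read-only relocations"
            relro = True

    tags, bind_now = {}, False
    if dynamic:
        d_off, d_size = dynamic
        for off in range(d_off, d_off + d_size, 16):   # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
        # -Wl,-z,now shows up as any one of these three encodings
        bind_now = (DT_BIND_NOW in tags
                    or (tags.get(DT_FLAGS, 0) & DF_BIND_NOW) != 0
                    or (tags.get(DT_FLAGS_1, 0) & DF_1_NOW) != 0)

    names = []
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = _vaddr_to_offset(loads, tags[DT_STRTAB])
        names = data[start:start + tags[DT_STRSZ]].split(b"\0")

    return {
        "pie": e_type == ET_DYN,
        "relro": relro,
        "bind_now": bind_now,
        # Same heuristics as hardening-check: imported canary / fortified wrappers.
        "stack_protector": b"__stack_chk_fail" in names,
        "fortify": any(n.startswith(b"__") and n.endswith(b"_chk") for n in names),
    }


def build_sample_elf(pie=True, relro=True, bind_now=True, protected=True):
    """Constructed ELF64 image (not a real binary): one PT_LOAD covering the file,
    a PT_DYNAMIC segment, an optional PT_GNU_RELRO, and a dynamic string table."""
    base = 0x400000
    strtab = b"\0" + (b"__stack_chk_fail\0__printf_chk\0" if protected else b"main\0")
    phdrs = 3 if relro else 2
    dyn_off = 64 + 56 * phdrs          # dynamic section follows the program headers
    str_off = dyn_off + 64             # four 16-byte dynamic entries
    total = str_off + len(strtab)
    dyn = struct.pack("<qQqQqQqQ", DT_STRTAB, base + str_off, DT_STRSZ, len(strtab),
                      DT_FLAGS_1, DF_1_NOW if bind_now else 0, DT_NULL, 0)

    def phdr(p_type, p_flags, off, size):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, off, base + off, base + off, size, size, 8)

    body = phdr(PT_LOAD, 5, 0, total) + phdr(PT_DYNAMIC, 6, dyn_off, 64)
    if relro:
        body += phdr(PT_GNU_RELRO, 4, dyn_off, 64)
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH",
                       b"\x7fELF", 2, 1, 1, 0, 0,          # ELFCLASS64, little-endian, EV_CURRENT
                       ET_DYN if pie else 2, 62, 1,        # e_type (ET_EXEC=2), EM_X86_64, version
                       0, 64, 0, 0, 64, 56, phdrs, 0, 0, 0)  # entry, phoff, shoff, flags, sizes
    return ehdr + body + dyn + strtab


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_hardening(fh.read()))
    if len(sys.argv) == 1:
        print("constructed sample:", check_hardening(build_sample_elf()))
```

It can be run over a build result the same way the report runs hardening-check, for instance `find -type f \( -executable -o -name \*.so\* \) -exec python3 elfcheck.py {} +` (the script name is the example's own). The symbol-based findings carry the same limit hardening-check has: `_FORTIFY_SOURCE` only produces `__*_chk` imports for calls the compiler could rewrite, so a "fortify: False" on a small wrapper binary is a prompt to read the build log, not proof that the flag was dropped.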
Description: Use CPPFLAGS/LDFLAGS from environment (dpkg-buildflags). Necessary for hardening flags. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2012-03-12 --- mailman-2.1.14.orig/src/Makefile.in +++ mailman-2.1.14/src/Makefile.in @@ -43,6 +43,8 @@ MAILMAN_USER= @MAILMAN_USER@ # Customizable but not set by configure OPT= @OPT@ CFLAGS= @CFLAGS@ $(OPT) $(DEFS) $(LIBS) +CPPFLAGS= @CPPFLAGS@ +LDFLAGS= @LDFLAGS@ CGIDIR= $(exec_prefix)/cgi-bin CGIEXT= @CGIEXT@ MAILDIR= $(exec_prefix)/mail @@ -91,19 +93,19 @@ PROGRAMS= $(CGI_PROGS) $(MAIL_PROGS) $(A all: $(PROGRAMS) mailman: $(srcdir)/mail-wrapper.c $(COMMONOBJS) - $(CC) -I. $(MAIL_FLAGS) $(CFLAGS) $(COMMONOBJS) -o $@ $(srcdir)/mail-wrapper.c + $(CC) -I. $(MAIL_FLAGS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(COMMONOBJS) -o $@ $(srcdir)/mail-wrapper.c #addaliases: $(srcdir)/alias-wrapper.c $(COMMONOBJS) -# $(CC) -I. $(ALIAS_FLAGS) $(CFLAGS) -o $@ $(srcdir)/alias-wrapper.c +# $(CC) -I. $(ALIAS_FLAGS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $(srcdir)/alias-wrapper.c $(CGI_PROGS): $(srcdir)/cgi-wrapper.c $(COMMONOBJS) - $(CC) -DSCRIPT="\"$@\"" -I. $(CGI_FLAGS) $(CFLAGS) $(COMMONOBJS) -o $@ $(srcdir)/cgi-wrapper.c + $(CC) -DSCRIPT="\"$@\"" -I. $(CGI_FLAGS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $(COMMONOBJS) -o $@ $(srcdir)/cgi-wrapper.c common.o: $(srcdir)/common.c $(srcdir)/common.h Makefile - $(CC) -c -I. $(COMMON_FLAGS) $(CFLAGS) $(srcdir)/common.c + $(CC) -c -I. $(COMMON_FLAGS) $(CFLAGS) $(CPPFLAGS) $(srcdir)/common.c vsnprintf.o: $(srcdir)/vsnprintf.c Makefile - $(CC) -c -I. $(COMMON_FLAGS) $(CFLAGS) $(srcdir)/vsnprintf.c + $(CC) -c -I. $(COMMON_FLAGS) $(CFLAGS) $(CPPFLAGS) $(srcdir)/vsnprintf.c install: all for f in $(CGI_PROGS); \
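Review bot: in the second hunk the three link rules (mailman, the commented-out addaliases, and $(CGI_PROGS)) put $(LDFLAGS) before $(COMMONOBJS) and the source file, while the libraries still arrive early through CFLAGS (`CFLAGS= @CFLAGS@ $(OPT) $(DEFS) $(LIBS)` in the first hunk's context). The relro/bindnow options dpkg-buildflags emits are position-independent, so the patch works as posted, but an LDFLAGS that carries `-Wl,--as-needed` would see the libraries before the objects that reference them and drop them; moving $(LIBS) out of CFLAGS to the end of each link line (`... -o $@ $(srcdir)/mail-wrapper.c $(LIBS)`) would make the rules robust to that. As a style point, the GNU convention orders `$(CPPFLAGS) $(CFLAGS)` on compile lines; the common.o and vsnprintf.o rules correctly receive $(CPPFLAGS) and not $(LDFLAGS).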