Source: vim
Version: 2:7.3.429-2
Severity: important
Tags: patch

Dear Maintainer,

The LDFLAGS hardening flags are missing for xxd because the Makefile
doesn't use them.

The attached patch fixes the issue. If possible it should be sent to
upstream.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check the
build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/xxd
    /usr/bin/xxd:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not enabled
by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Description: Use LDFLAGS when building xxd. Necessary to pass all hardening flags when building xxd. Author: Simon Ruderich <si...@ruderich.org> Last-Update: 2011-12-27 --- vim-7.3.363.orig/src/Makefile +++ vim-7.3.363/src/Makefile @@ -1714,7 +1714,7 @@ $(VIMTARGET): auto/config.mk objects $(O sh $(srcdir)/link.sh xxd/xxd$(EXEEXT): xxd/xxd.c - cd xxd; CC="$(CC)" CFLAGS="$(CPPFLAGS) $(CFLAGS)" \ + cd xxd; CC="$(CC)" CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" \ $(MAKE) -f Makefile # Build the language specific files if they were unpacked.
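Review bot: On the added line in the xxd/xxd$(EXEEXT) rule, LDFLAGS is handed to the sub-make through the environment, the same way as CC and CFLAGS, and an environment value only takes effect if xxd/Makefile does not assign LDFLAGS itself and its link command actually references $(LDFLAGS); neither is visible in this hunk. Please confirm both in xxd/Makefile, or pass the variable on the make command line ($(MAKE) -f Makefile LDFLAGS="$(LDFLAGS)"), which takes precedence over assignments inside the makefile. The patch header is also written against vim-7.3.363 with Last-Update: 2011-12-27 while the report is filed against 2:7.3.429-2, so the patch should be refreshed against the packaged source before it is forwarded upstream.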