Dear Maintainer,

The hardening flags are partially missing because the build
system ignores them in a few places.

The attached patch fixes the issue, if possible it should be sent
upstream.

To check whether all flags were correctly enabled, you can use
`hardening-check` from the hardening-includes package and also
inspect the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/sudoreplay /usr/bin/sudo /usr/bin/sudoedit ...
    /usr/bin/sudoreplay:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/sudo:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/sudoedit:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not
enabled by default.)

Run `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2012-03-13

Index: sudo-1.8.3p2/src/Makefile.in
===================================================================
--- sudo-1.8.3p2.orig/src/Makefile.in	2012-03-13 17:46:43.069036559 +0100
+++ sudo-1.8.3p2/src/Makefile.in	2012-03-13 17:47:12.949037698 +0100
@@ -101,7 +101,7 @@
 	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
 
 sesh: sesh.o
-	$(CC) -o $@ sesh.o
+	$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ sesh.o
 
 pre-install:
 
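Review bot: `$(CPPFLAGS)` on the new sesh link line is inert, because the rule links the already-compiled sesh.o and no preprocessing happens at that step; the place where CPPFLAGS (for example the `-D_FORTIFY_SOURCE` define that dpkg-buildflags supplies) has to reach is the compile rule for sesh.o, which is outside this hunk and worth confirming separately. `$(LDFLAGS)` is the addition that actually matters here, and `$(CFLAGS)` is conventional on a compiler-driven link, so `$(CC) $(CFLAGS) $(LDFLAGS) -o $@ sesh.o` says exactly what is meant. Note also that sesh is still linked directly with $(CC) rather than through `$(LIBTOOL) --mode=link ... $(LDFLAGS) $(LTLDFLAGS)` as the neighbouring rule does, so anything carried only in LTLDFLAGS does not reach it; that is pre-existing rather than introduced by this change.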
Index: sudo-1.8.3p2/compat/Makefile.in
===================================================================
--- sudo-1.8.3p2.orig/compat/Makefile.in	2012-03-13 17:46:43.069036559 +0100
+++ sudo-1.8.3p2/compat/Makefile.in	2012-03-13 17:47:12.949037698 +0100
@@ -35,6 +35,9 @@
 # Usually -O and/or -g
 CFLAGS = @CFLAGS@
 
+# Linker flags
+LDFLAGS = @LDFLAGS@
+
 # OS dependent defines
 DEFS = @OSDEFS@
 
@@ -62,19 +65,19 @@
 	$(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
 
 libreplace.la: $(LTLIBOBJS)
-	$(LIBTOOL) --mode=link $(CC) -o $@ $(LTLIBOBJS) -no-install
+	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LTLIBOBJS) -no-install
 
 siglist.c: mksiglist
 	./mksiglist > $@
 
 mksiglist: $(srcdir)/mksiglist.c $(srcdir)/mksiglist.h $(incdir)/missing.h $(top_builddir)/config.h
-	$(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
 
 fnm_test: fnm_test.o libreplace.la
-	$(LIBTOOL) --mode=link $(CC) -o $@ fnm_test.o libreplace.la
+	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ fnm_test.o libreplace.la
 
 globtest: globtest.o libreplace.la
-	$(LIBTOOL) --mode=link $(CC) -o $@ globtest.o libreplace.la
+	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ globtest.o libreplace.la
 
 @DEV@$(srcdir)/mksiglist.h: $(srcdir)/siglist.in
 @DEV@	awk 'BEGIN {print "/* public domain */\n"} /^    [A-Z]/ {printf("#ifdef SIG%s\n    if (my_sys_siglist[SIG%s] == NULL)\n\tmy_sys_siglist[SIG%s] = \"%s\";\n#endif\n", $$1, $$1, $$1, substr($$0, 13))}' < $(srcdir)/siglist.in > $@
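Review bot: In the mksiglist rule `$(LDFLAGS)` is inserted between `$(CFLAGS)` and `$(DEFS)`, which separates the `-D` defines from `$(CPPFLAGS)`; gcc does not care about the order, but the compile rule at the top of this hunk already reads `$(CPPFLAGS) $(CFLAGS) $(DEFS)`, so `$(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(LDFLAGS) $(srcdir)/mksiglist.c -o $@` keeps the two consistent. Separately, mksiglist is a generator that the siglist.c rule executes on the build host (`./mksiglist > $@`), so it now receives the target's link flags in addition to its compile flags; that was already the case for CFLAGS and only matters for cross builds, but a one-line comment on the rule such as `# mksiglist runs on the build host; built with the target flags for simplicity` would record the intent.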
Index: sudo-1.8.3p2/common/Makefile.in
===================================================================
--- sudo-1.8.3p2.orig/common/Makefile.in	2012-03-13 17:46:43.013036558 +0100
+++ sudo-1.8.3p2/common/Makefile.in	2012-03-13 17:47:12.949037698 +0100
@@ -35,6 +35,9 @@
 # Usually -O and/or -g
 CFLAGS = @CFLAGS@
 
+# Linker flags
+LDFLAGS = @LDFLAGS@
+
 # OS dependent defines
 DEFS = @OSDEFS@
 
@@ -56,7 +59,7 @@
 	$(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
 
 libcommon.la: $(LTOBJS)
-	$(LIBTOOL) --mode=link $(CC) -o $@ $(LTOBJS) -no-install
+	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LTOBJS) -no-install
 
 pre-install:
 
Index: sudo-1.8.3p2/plugins/sudoers/Makefile.in
===================================================================
--- sudo-1.8.3p2.orig/plugins/sudoers/Makefile.in	2012-03-13 17:46:42.985036557 +0100
+++ sudo-1.8.3p2/plugins/sudoers/Makefile.in	2012-03-13 17:47:12.949037698 +0100
@@ -159,7 +159,7 @@
 	(cd $(top_builddir) && ./config.status --file plugins/sudoers/Makefile)
 
 libparsesudoers.la: $(LIBPARSESUDOERS_OBJS)
-	$(LIBTOOL) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install
+	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install
 
 sudoers.la: $(SUDOERS_OBJS) $(LT_LIBS) libparsesudoers.la
 	$(LIBTOOL) @LT_STATIC@ --mode=link $(CC) $(SUDOERS_LDFLAGS) $(LTLDFLAGS) -o $@ $(SUDOERS_OBJS) libparsesudoers.la $(SUDOERS_LIBS) -module -export-symbols $(srcdir)/sudoers.sym -avoid-version -rpath $(plugindir)
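Review bot: `$(LDFLAGS)` is newly referenced in the libparsesudoers.la rule, but unlike the compat/ and common/ files this section does not add `LDFLAGS = @LDFLAGS@`; unless plugins/sudoers/Makefile.in already defines it (not visible in the hunk), `$(LDFLAGS)` expands to whatever the environment provides or to nothing, and the hardening link flags are silently dropped for this file. Also, the rule patched here builds a `-no-install` convenience library, whereas the installed plugin comes from the sudoers.la rule on the last line, which links with `$(SUDOERS_LDFLAGS) $(LTLDFLAGS)` and never mentions `$(LDFLAGS)`; unless SUDOERS_LDFLAGS is defined outside the hunk in terms of @LDFLAGS@, sudoers.so is still linked without the hardening flags, and that is the binary hardening-check should be run against. Adding `$(LDFLAGS)` to the sudoers.la link line, or defining SUDOERS_LDFLAGS to include it, would close that gap.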
