On Thu, Mar 15, 2012 at 11:54:29AM +0400, Konstantin Khomoutov wrote:
> Are you positive there really is an issue to fix?

Yes.

> To my knowledge, ejabberd contains no C++ code, and CPPFLAGS variable
> is supposed to be processed by C++ compilers; C compilers process
> the CFLAGS variable, and it appears to contain the correct hardening
> flags after we've fixed [1] (well, at least I saw them being passed to
> gcc during builds on my sandbox).

CPPFLAGS is for preprocessor flags (e.g. -Dsomething), CXXFLAGS is for
C++ flags. The default CFLAGS and CXXFLAGS from dpkg-buildflags contain
the same flags, but CPPFLAGS contains -D_FORTIFY_SOURCE=2, which enables
fortification [1].

`hardening-check` (package hardening-includes) can be used to detect
missing flags (not perfect though; checking the build log is better).
Without the patch "Fortify Source functions" is always no; with the
patch it's enabled where possible.

Regards,
Simon

[1]: https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_FORTIFY_.28gcc.2BAC8-g.2B-.2B-_-D_FORTIFY_SOURCE.3D2.29

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
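Simon's point that reading the build log beats relying on `hardening-check` is easy to automate. The script below is an added example, not from this thread or from ejabberd's packaging: it scans compiler invocations in a (verbose, V=1-style) build log and reports the ones that will not get fortified code, either because -D_FORTIFY_SOURCE=2 from CPPFLAGS never reached the compiler or because the line compiles at -O0, where glibc's fortified wrappers are not used at all. The log lines are constructed for illustration; the first one mirrors the situation described in the mail, where the CFLAGS hardening flags are present but the CPPFLAGS define is missing.

```sh
#!/bin/sh
# Added example: find compile lines in a build log that lack effective
# fortification. The log below is constructed, not taken from a real build.

BUILD_LOG=$(cat <<'EOF'
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c -o foo.o foo.c
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -o bar.o bar.c
make[1]: Entering directory '/build/pkg'
cc -D_FORTIFY_SOURCE=2 -g -O0 -c -o baz.o baz.c
cc -D_FORTIFY_SOURCE=2 -g -O2 -c -o qux.o qux.c
EOF
)

# Print every compiler invocation (gcc/cc/g++/c++ at line start) that is
# not effectively fortified: the define is absent, or -O0 is in effect.
# _FORTIFY_SOURCE only does anything when optimization is enabled, so a
# line that carries the define but also -O0 is still reported.
unfortified_compiles() {
    printf '%s\n' "$1" | awk '
        /^(gcc|cc|g[+][+]|c[+][+])[ \t]/ {
            has_define = ($0 ~ /-D_FORTIFY_SOURCE=2/)
            at_o0      = ($0 ~ /(^|[ \t])-O0([ \t]|$)/)
            if (!has_define || at_o0) print
        }'
}

# Number of unfortified compile lines (0 means the log looks clean).
count_unfortified() {
    unfortified_compiles "$1" | wc -l | tr -d ' '
}

if [ "$(count_unfortified "$BUILD_LOG")" -gt 0 ]; then
    echo "compile lines without effective fortification:"
    unfortified_compiles "$BUILD_LOG"
fi
```

Run it against a real log with `BUILD_LOG=$(cat build.log)`; for packages that use silent rules the log must be produced with verbose make output, otherwise the compiler command lines are not in it to be checked. The scan only shows that the define was passed; `hardening-check` on the resulting binary remains useful as a second opinion, since a translation unit can contain no fortifiable calls at all, which is the "where possible" in the mail.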