Bug#664168: canorus: CPPFLAGS hardening flags missing

Thu, 15 Mar 2012 17:36:17 -0700 

Package: canorus
Version: 0.7+dfsg+svn1256-1
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores
them by default.

The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].

It also enables verbose builds to make it easy to (automatically)
spot missing hardening flags.

To use -D_FORTIFY_SOURCE=2 (see [3]) it's necessary to compile
with optimizations. The attached patch handles this - enabling
the release build should also fix this, but I don't know CMake
well enough.

diff -Nru canorus-0.7+dfsg+svn1256/debian/rules 
canorus-0.7+dfsg+svn1256/debian/rules
--- canorus-0.7+dfsg+svn1256/debian/rules       2012-03-14 21:58:12.000000000 
+0100
+++ canorus-0.7+dfsg+svn1256/debian/rules       2012-03-16 01:16:40.000000000 
+0100
@@ -1,8 +1,15 @@
 #!/usr/bin/make -f
 
+export VERBOSE=1
+
 # Use all hardening features
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND   = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
 %:
        dh $@
 

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/canorus
    /usr/bin/canorus:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes

(Position Independent Executable and Immediate binding is not
enabled by default.)

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Description: Compile with -O2.
 Necessary for -D_FORTFY_SOURCE=2 and generally recommened (policy 10.1).
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-16

--- canorus-0.7+dfsg+svn1256.orig/src/CMakeLists.txt
+++ canorus-0.7+dfsg+svn1256/src/CMakeLists.txt
@@ -13,7 +13,7 @@ IF(NOT CMAKE_BUILD_TYPE)
 	SET(CMAKE_BUILD_TYPE Debug)
 ENDIF(NOT CMAKE_BUILD_TYPE)
 
-SET(CMAKE_C_FLAGS_DEBUG "-O0 -g")
+SET(CMAKE_C_FLAGS_DEBUG "-O2 -g")
 SET(CMAKE_C_FLAGS_RELEASE "-O2")
 
 SET(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG}")

Attachment: signature.asc
Description: Digital signature

Reply via email to