Your message dated Sun, 03 Jun 2012 10:09:50 +0000
with message-id <e1sb7ks-0002zf...@franck.debian.org>
and subject line Bug#672465: fixed in shapelib 1.2.10-7
has caused the Debian Bug report #672465,
regarding shapelib: Hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
672465: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672465
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: shapelib
Version: 1.2.10-6
Severity: normal
Tags: patch

Dear Maintainer,

The hardening flags are missing because they are ignored by the build system.

For more hardening information please have a look at [1], [2] and [3].

The attached patches which are revised versions of existing patches in debian/rules/patches fix the issue. CPPFLAGS, CFLAGS and LDFLAGS were missing in a few places.

The flag fixes (CPPFLAGS, CFLAGS for compiler commands; CFLAGS, LDFLAGS for linker commands) should be sent to upstream if possible.

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/shptest /usr/bin/shprewind /usr/bin/shpdump ...
    /usr/bin/shptest:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/shprewind:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/shpdump:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding is not enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

From: Riku Voipio <riku.voi...@iki.fi>
Date: Tue, 4 Nov 2008 14:46:56 +0200
Subject: [PATCH] Properly use libtool

The problem is that shapelib throws away a seemingly good libtool linked library and replaces it with something hacks in together almost right.

Bug-Debian: http://bugs.debian.org/497160
--- Makefile | 32 +++++--------------------------- 1 files changed, 5 insertions(+), 27 deletions(-) Index: shapelib-1.2.10/Makefile =================================================================== --- shapelib-1.2.10.orig/Makefile 2012-05-11 11:23:01.000000000 +0200 +++ shapelib-1.2.10/Makefile 2012-05-11 11:23:05.000000000 +0200 
@@ -99,37 +99,15 @@ LIBSHP_VERSION=1.0.1 # still once to be changed manually (see for 1:1:0), sorry lib: - /bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shpopen.c - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c -fPIC -DPIC shpopen.c -o .libs/shpopen.lo - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shpopen.c -o shpopen.o >/dev/null 2>&1 - mv -f .libs/shpopen.lo shpopen.lo - /bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shptree.c - rm -f .libs/shptree.lo - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c -fPIC -DPIC shptree.c -o .libs/shptree.lo - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shptree.c -o shptree.o >/dev/null 2>&1 - mv -f .libs/shptree.lo shptree.lo - /bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c dbfopen.c - rm -f .libs/dbfopen.lo - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c -fPIC -DPIC dbfopen.c -o .libs/dbfopen.lo - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. 
-I/usr/local/include -g -O2 -c dbfopen.c -o dbfopen.o >/dev/null 2>&1 - mv -f .libs/dbfopen.lo dbfopen.lo - /bin/sh ./libtool --mode=link gcc -g -O2 -o libshp.la -rpath /usr/local/lib -version-info 1:1:0 shpopen.lo shptree.lo dbfopen.lo - rm -fr .libs/libshp.la .libs/libshp.* .libs/libshp.* - rm -fr .libs/libshp.lax - mkdir .libs/libshp.lax - /usr/bin/ld -G -h libshp.so.1 -o .libs/libshp.so.$(LIBSHP_VERSION) shpopen.lo shptree.lo dbfopen.lo -lc - - (cd .libs && rm -f libshp.so.1 && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so.1) - (cd .libs && rm -f libshp.so && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so) - ar cru .libs/libshp.a shpopen.o shptree.o dbfopen.o - ranlib .libs/libshp.a - rm -fr .libs/libshp.lax - (cd .libs && rm -f libshp.la && ln -s ../libshp.la libshp.la) + libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c shpopen.c + libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c shptree.c + libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. 
$(CPPFLAGS) $(CFLAGS) -c dbfopen.c + libtool --mode=link gcc $(CFLAGS) $(LDFLAGS) -o libshp.la -rpath /usr/lib -version-info 1:1:0 shpopen.lo shptree.lo dbfopen.lo lib_install: cp .libs/libshp.la .libs/libshp.lai /bin/sh ./mkinstalldirs /usr/local/lib - /bin/sh ./libtool --mode=install /usr/bin/install -c libshp.la /usr/local/lib/libshp.la + libtool --mode=install /usr/bin/install -c libshp.la /usr/local/lib/libshp.la /usr/bin/install -c .libs/libshp.so.$(LIBSHP_VERSION) /usr/local/lib/libshp.so.$(LIBSHP_VERSION) (cd /usr/local/lib && rm -f libshp.so.1 && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so.1) (cd /usr/local/lib && rm -f libshp.so && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so)From: Arto Jantunen <vi...@debian.org> Date: Tue, 8 May 2012 14:19:20 +0300 Subject: [PATCH] Dynamically link the shp* binaries to libshp Also use CPPFLAGS and LDFLAGS, necessary for hardening flags. --- Makefile | 55 ++++++++++++++++++++++++------------------------------- 1 files changed, 24 insertions(+), 31 deletions(-) Index: shapelib-1.2.10/Makefile =================================================================== --- shapelib-1.2.10.orig/Makefile 2012-05-11 11:23:05.000000000 +0200 +++ shapelib-1.2.10/Makefile 2012-05-11 11:23:09.000000000 +0200 
@@ -6,45 +6,36 @@ all: shpcreate shpadd shpdump shprewind dbfcreate dbfadd dbfdump shptest -shpopen.o: shpopen.c shapefil.h - $(CC) $(CFLAGS) -c shpopen.c +shpcreate: shpcreate.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpcreate.c $(LINKOPT) -o shpcreate .libs/libshp.so -shptree.o: shptree.c shapefil.h - $(CC) $(CFLAGS) -c shptree.c +shpadd: shpadd.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpadd.c $(LINKOPT) -o shpadd .libs/libshp.so -dbfopen.o: dbfopen.c shapefil.h - $(CC) $(CFLAGS) -c dbfopen.c +shpdump: shpdump.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpdump.c $(LINKOPT) -o shpdump .libs/libshp.so -shpcreate: shpcreate.c shpopen.o - $(CC) $(CFLAGS) shpcreate.c shpopen.o $(LINKOPT) -o shpcreate +shprewind: shprewind.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shprewind.c $(LINKOPT) -o shprewind .libs/libshp.so -shpadd: shpadd.c shpopen.o - $(CC) $(CFLAGS) shpadd.c shpopen.o $(LINKOPT) -o shpadd +dbfcreate: dbfcreate.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfcreate.c $(LINKOPT) -o dbfcreate .libs/libshp.so -shpdump: shpdump.c shpopen.o - $(CC) $(CFLAGS) shpdump.c shpopen.o $(LINKOPT) -o shpdump +dbfadd: dbfadd.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfadd.c $(LINKOPT) -o dbfadd .libs/libshp.so -shprewind: shprewind.c shpopen.o - $(CC) $(CFLAGS) shprewind.c shpopen.o $(LINKOPT) -o shprewind +dbfdump: dbfdump.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfdump.c $(LINKOPT) -o dbfdump .libs/libshp.so -dbfcreate: dbfcreate.c dbfopen.o - $(CC) $(CFLAGS) dbfcreate.c dbfopen.o $(LINKOPT) -o dbfcreate +shptest: shptest.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shptest.c $(LINKOPT) -o shptest .libs/libshp.so -dbfadd: dbfadd.c dbfopen.o - $(CC) $(CFLAGS) dbfadd.c dbfopen.o $(LINKOPT) -o dbfadd +shputils: shputils.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shputils.c $(LINKOPT) -o shputils .libs/libshp.so -dbfdump: 
dbfdump.c dbfopen.o - $(CC) $(CFLAGS) dbfdump.c dbfopen.o $(LINKOPT) -o dbfdump - -shptest: shptest.c shpopen.o - $(CC) $(CFLAGS) shptest.c shpopen.o $(LINKOPT) -o shptest - -shputils: shputils.c shpopen.o dbfopen.o - $(CC) $(CFLAGS) shputils.c shpopen.o dbfopen.o $(LINKOPT) -o shputils - -shptreedump: shptreedump.c shptree.o shpopen.o - $(CC) $(CFLAGS) shptreedump.c shptree.o shpopen.o $(LINKOPT) \ - -o shptreedump +shptreedump: shptreedump.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shptreedump.c $(LINKOPT) \ + -o shptreedump .libs/libshp.so clean: rm -f *.o dbfdump dbfcreate dbfadd shpdump shpcreate shpadd shputils @@ -98,7 +89,9 @@ SHPLIB_VERSION=1.2.9 LIBSHP_VERSION=1.0.1 # still once to be changed manually (see for 1:1:0), sorry -lib: +lib: .libs/libshp.so + +.libs/libshp.so: libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c shpopen.c libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c shptree.c libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c dbfopen.csignature.asc
Description: Digital signature
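
Review bot: In the `lib:` rule of the first patch (hunk `@@ -99,37 +99,15 @@`), the new link line passes `-rpath /usr/lib` while the `lib_install` context lines right below it still create and install into `/usr/local/lib`, so the directory declared at link time and the one libtool installs into disagree. Take both from one variable (for example a `libdir` defined next to `LIBSHP_VERSION`). The added commands also hard-code `gcc` where the tool rules use `$(CC)`, and they call `libtool` from PATH instead of the bundled `./libtool`, which turns libtool into a build requirement that should be documented.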
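
Review bot: The rewritten tool rules in hunk `@@ -6,45 +6,36 @@` of the second patch no longer reach `shapefil.h` through any prerequisite (the removed `.o` rules listed it), so a header change will not rebuild `shpcreate`, `shpdump` and the other tools. Add `shapefil.h` to each rule's prerequisite list. The rules also name the path `.libs/libshp.so` on the command line; linking through `libtool --mode=link` against `libshp.la` would keep the library handling in one place. Passing `$(CPPFLAGS) $(CFLAGS) $(LDFLAGS)` together is what a one-step compile and link needs for the hardening flags.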
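
Review bot: The new `.libs/libshp.so:` target in hunk `@@ -98,7 +89,9 @@` of the second patch is declared without prerequisites, so once the file exists make will not rebuild the library when `shpopen.c`, `shptree.c` or `dbfopen.c` change, and the tools that depend on it stay stale as well. List the three sources and `shapefil.h` after the colon. The three compile lines under it still hard-code `gcc` rather than `$(CC)`.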
--- End Message ---
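
The build-log check the report recommends alongside `hardening-check`, sketched as an added example that is not part of the original thread and is not blhc's code. It applies the report's rule (CPPFLAGS and CFLAGS on compile commands, LDFLAGS on link commands) to log lines; the function names are hypothetical, the marker flags are assumed to be the dpkg-buildflags defaults of that time, and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not blhc): report compiler/linker commands in a build log
# that lack the flag groups the bug report says each command kind needs.
# Assumption: marker flags are the dpkg-buildflags defaults of that era.

# Print the missing flag groups for one command line (empty output = ok).
missing_flags() {
    cmd=" $1 "; compiles=no; links=yes; out=""
    case "$cmd" in *".c "*) compiles=yes ;; esac   # a C source is compiled
    case "$cmd" in *" -c "*) links=no ;; esac      # -c stops before linking
    if [ "$compiles" = yes ]; then
        case "$cmd" in *" -D_FORTIFY_SOURCE=2 "*) ;; *) out="$out CPPFLAGS" ;; esac
        case "$cmd" in *" -fstack-protector"*) ;; *) out="$out CFLAGS" ;; esac
    fi
    if [ "$links" = yes ]; then
        case "$cmd" in *" -Wl,-z,relro "*) ;; *) out="$out LDFLAGS" ;; esac
    fi
    echo "${out# }"
}

# Read a build log on stdin; print one line per unhardened command.
# Returns non-zero when any command is missing a flag group.
scan_log() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            gcc\ *|cc\ *|libtool\ --mode=compile\ *|libtool\ --mode=link\ *) ;;
            *) continue ;;                          # not a compiler command
        esac
        m=$(missing_flags "$line")
        [ -z "$m" ] && continue
        printf 'missing %s: %s\n' "$m" "$line"
        bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Constructed log lines modelled on the Makefile rules in the patches.
sample_log() {
    cat <<'EOF'
make[1]: Entering directory '/build/shapelib-1.2.10'
gcc -g -O2 -c shpopen.c
gcc -g -O2 -fstack-protector -Wformat -Werror=format-security shpdump.c -o shpdump .libs/libshp.so
libtool --mode=compile gcc -I. -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector -c dbfopen.c
libtool --mode=link gcc -g -O2 -fstack-protector -Wl,-z,relro -o libshp.la -rpath /usr/lib shpopen.lo
EOF
}

sample_log | scan_log || echo "unhardened commands found"
```

The second constructed line is the case the old tool rules produced: a one-step compile and link that received only CFLAGS, so both the fortify define and the relro linker flag are reported.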
--- Begin Message ---
Source: shapelib
Source-Version: 1.2.10-7

We believe that the bug you reported is fixed in the latest version of shapelib, which is due to be installed in the Debian FTP archive:

libshp-dev_1.2.10-7_amd64.deb
  to main/s/shapelib/libshp-dev_1.2.10-7_amd64.deb
libshp1_1.2.10-7_amd64.deb
  to main/s/shapelib/libshp1_1.2.10-7_amd64.deb
shapelib_1.2.10-7.debian.tar.gz
  to main/s/shapelib/shapelib_1.2.10-7.debian.tar.gz
shapelib_1.2.10-7.dsc
  to main/s/shapelib/shapelib_1.2.10-7.dsc
shapelib_1.2.10-7_amd64.deb
  to main/s/shapelib/shapelib_1.2.10-7_amd64.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 672...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arto Jantunen <vi...@debian.org> (supplier of updated shapelib package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

Format: 1.8
Date: Sun, 03 Jun 2012 12:01:04 +0300
Source: shapelib
Binary: shapelib libshp-dev libshp1
Architecture: source amd64
Version: 1.2.10-7
Distribution: unstable
Urgency: low
Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
Changed-By: Arto Jantunen <vi...@debian.org>
Description:
 libshp-dev - Library for reading and writing ArcView Shapefiles - development
 libshp1 - Library for reading and writing ArcView Shapefiles
 shapelib - Library for reading and writing ArcView Shapefiles - tools
Closes: 672465
Changes:
 shapelib (1.2.10-7) unstable; urgency=low
 .
   * Team Upload
   * Remove patch 0001 (Disable proj_api.h include), this was never used
   * Apply patch from Simon Ruderich to use all hardening flags (Closes: #672465)
--- End Message ---
_______________________________________________
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grass-devel