Your message dated Sun, 03 Jun 2012 10:09:50 +0000
with message-id <e1sb7ks-0002zf...@franck.debian.org>
and subject line Bug#672465: fixed in shapelib 1.2.10-7
has caused the Debian Bug report #672465,
regarding shapelib: Hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
672465: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672465
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: shapelib
Version: 1.2.10-6
Severity: normal
Tags: patch

Dear Maintainer,

The hardening flags are missing because they are ignored by the
build system. For more hardening information please have a look
at [1], [2] and [3].

The attached patches which are revised versions of existing
patches in debian/rules/patches fix the issue.

CPPFLAGS, CFLAGS and LDFLAGS were missing in a few places. The
flag fixes (CPPFLAGS, CFLAGS for compiler commands; CFLAGS,
LDFLAGS for linker commands) should be sent to upstream if
possible.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/bin/shptest /usr/bin/shprewind /usr/bin/shpdump ...
    /usr/bin/shptest:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/shprewind:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/shpdump:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
From: Riku Voipio <riku.voi...@iki.fi>
Date: Tue, 4 Nov 2008 14:46:56 +0200
Subject: [PATCH] Properly use libtool

The problem is that shapelib throws away a seemingly good libtool linked
library and replaces it with something hacked together almost right.

Bug-Debian: http://bugs.debian.org/497160
---
 Makefile |   32 +++++---------------------------
 1 files changed, 5 insertions(+), 27 deletions(-)

Index: shapelib-1.2.10/Makefile
===================================================================
--- shapelib-1.2.10.orig/Makefile	2012-05-11 11:23:01.000000000 +0200
+++ shapelib-1.2.10/Makefile	2012-05-11 11:23:05.000000000 +0200
@@ -99,37 +99,15 @@
 LIBSHP_VERSION=1.0.1 # still once to be changed manually (see for 1:1:0), sorry
 
 lib:
-	/bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. -I. -I/usr/local/include    -g -O2 -c shpopen.c
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c  -fPIC -DPIC shpopen.c -o .libs/shpopen.lo
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shpopen.c -o shpopen.o >/dev/null 2>&1
-	mv -f .libs/shpopen.lo shpopen.lo
-	/bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. -I. -I/usr/local/include    -g -O2 -c shptree.c
-	rm -f .libs/shptree.lo
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c  -fPIC -DPIC shptree.c -o .libs/shptree.lo
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shptree.c -o shptree.o >/dev/null 2>&1
-	mv -f .libs/shptree.lo shptree.lo
-	/bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. -I. -I/usr/local/include    -g -O2 -c dbfopen.c
-	rm -f .libs/dbfopen.lo
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c  -fPIC -DPIC dbfopen.c -o .libs/dbfopen.lo
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c dbfopen.c -o dbfopen.o >/dev/null 2>&1
-	mv -f .libs/dbfopen.lo dbfopen.lo
-	/bin/sh ./libtool --mode=link gcc  -g -O2  -o libshp.la -rpath /usr/local/lib -version-info 1:1:0 shpopen.lo shptree.lo dbfopen.lo  
-	rm -fr .libs/libshp.la .libs/libshp.* .libs/libshp.*
-	rm -fr .libs/libshp.lax
-	mkdir .libs/libshp.lax
-	/usr/bin/ld -G -h libshp.so.1 -o .libs/libshp.so.$(LIBSHP_VERSION)  shpopen.lo shptree.lo dbfopen.lo  -lc
-
-	(cd .libs && rm -f libshp.so.1 && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so.1)
-	(cd .libs && rm -f libshp.so && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so)
-	ar cru .libs/libshp.a  shpopen.o shptree.o dbfopen.o 
-	ranlib .libs/libshp.a
-	rm -fr .libs/libshp.lax
-	(cd .libs && rm -f libshp.la && ln -s ../libshp.la libshp.la)
+	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c shpopen.c
+	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c shptree.c
+	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c dbfopen.c
+	libtool --mode=link gcc $(CFLAGS) $(LDFLAGS) -o libshp.la -rpath /usr/lib -version-info 1:1:0 shpopen.lo shptree.lo dbfopen.lo
 
 lib_install:
 	cp .libs/libshp.la .libs/libshp.lai
 	/bin/sh ./mkinstalldirs /usr/local/lib
-	/bin/sh ./libtool  --mode=install /usr/bin/install -c libshp.la /usr/local/lib/libshp.la
+	libtool  --mode=install /usr/bin/install -c libshp.la /usr/local/lib/libshp.la
 	/usr/bin/install -c .libs/libshp.so.$(LIBSHP_VERSION) /usr/local/lib/libshp.so.$(LIBSHP_VERSION)
 	(cd /usr/local/lib && rm -f libshp.so.1 && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so.1)
 	(cd /usr/local/lib && rm -f libshp.so && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so)
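Review bot: the new link line in `lib:` sets `-rpath /usr/lib`, while the unchanged `lib_install` lines right below it still create and install into `/usr/local/lib`, so the install directory recorded in libshp.la and the directory the rule copies to disagree. Drive both from one variable (for example a `libdir` that defaults to `/usr/lib`) or update `lib_install` in the same patch. The four new commands also hard-code `gcc`; using `$(CC)` would let the build environment pick the compiler the same way it now supplies `$(CPPFLAGS)`, `$(CFLAGS)` and `$(LDFLAGS)`.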
From: Arto Jantunen <vi...@debian.org>
Date: Tue, 8 May 2012 14:19:20 +0300
Subject: [PATCH] Dynamically link the shp* binaries to libshp

Also use CPPFLAGS and LDFLAGS, necessary for hardening flags.

---
 Makefile |   55 ++++++++++++++++++++++++-------------------------------
 1 files changed, 24 insertions(+), 31 deletions(-)

Index: shapelib-1.2.10/Makefile
===================================================================
--- shapelib-1.2.10.orig/Makefile	2012-05-11 11:23:05.000000000 +0200
+++ shapelib-1.2.10/Makefile	2012-05-11 11:23:09.000000000 +0200
@@ -6,45 +6,36 @@
 
 all:	shpcreate shpadd shpdump shprewind dbfcreate dbfadd dbfdump shptest
 
-shpopen.o:	shpopen.c shapefil.h
-	$(CC) $(CFLAGS) -c shpopen.c
+shpcreate:	shpcreate.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpcreate.c $(LINKOPT) -o shpcreate .libs/libshp.so
 
-shptree.o:	shptree.c shapefil.h
-	$(CC) $(CFLAGS) -c shptree.c
+shpadd:		shpadd.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpadd.c $(LINKOPT) -o shpadd .libs/libshp.so
 
-dbfopen.o:	dbfopen.c shapefil.h
-	$(CC) $(CFLAGS) -c dbfopen.c
+shpdump:	shpdump.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpdump.c $(LINKOPT) -o shpdump .libs/libshp.so
 
-shpcreate:	shpcreate.c shpopen.o
-	$(CC) $(CFLAGS) shpcreate.c shpopen.o $(LINKOPT) -o shpcreate
+shprewind:	shprewind.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shprewind.c $(LINKOPT) -o shprewind .libs/libshp.so
 
-shpadd:		shpadd.c shpopen.o
-	$(CC) $(CFLAGS) shpadd.c shpopen.o $(LINKOPT) -o shpadd
+dbfcreate:	dbfcreate.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfcreate.c $(LINKOPT) -o dbfcreate .libs/libshp.so
 
-shpdump:	shpdump.c shpopen.o
-	$(CC) $(CFLAGS) shpdump.c shpopen.o $(LINKOPT) -o shpdump
+dbfadd:		dbfadd.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfadd.c $(LINKOPT) -o dbfadd .libs/libshp.so
 
-shprewind:	shprewind.c shpopen.o
-	$(CC) $(CFLAGS) shprewind.c shpopen.o $(LINKOPT) -o shprewind
+dbfdump:	dbfdump.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfdump.c $(LINKOPT) -o dbfdump .libs/libshp.so
 
-dbfcreate:	dbfcreate.c dbfopen.o
-	$(CC) $(CFLAGS) dbfcreate.c dbfopen.o $(LINKOPT) -o dbfcreate
+shptest:	shptest.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shptest.c $(LINKOPT) -o shptest .libs/libshp.so
 
-dbfadd:		dbfadd.c dbfopen.o
-	$(CC) $(CFLAGS) dbfadd.c dbfopen.o $(LINKOPT) -o dbfadd
+shputils:	shputils.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shputils.c $(LINKOPT) -o shputils .libs/libshp.so
 
-dbfdump:	dbfdump.c dbfopen.o
-	$(CC) $(CFLAGS) dbfdump.c dbfopen.o $(LINKOPT) -o dbfdump
-
-shptest:	shptest.c shpopen.o
-	$(CC) $(CFLAGS) shptest.c shpopen.o $(LINKOPT) -o shptest
-
-shputils:	shputils.c shpopen.o dbfopen.o
-	$(CC) $(CFLAGS) shputils.c shpopen.o dbfopen.o $(LINKOPT) -o shputils
-
-shptreedump:	shptreedump.c shptree.o shpopen.o
-	$(CC) $(CFLAGS) shptreedump.c shptree.o shpopen.o $(LINKOPT) \
-		-o shptreedump
+shptreedump:	shptreedump.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shptreedump.c $(LINKOPT) \
+		-o shptreedump .libs/libshp.so
 
 clean:
 	rm -f *.o dbfdump dbfcreate dbfadd shpdump shpcreate shpadd shputils
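Review bot: the rewritten program rules (`shpcreate` through `shptreedump`) no longer have `shapefil.h` anywhere in their prerequisites; in this hunk only the removed `shpopen.o`, `shptree.o` and `dbfopen.o` rules listed it, so editing the header will not trigger a rebuild of the tools. Add `shapefil.h` to each program's prerequisites. The ten rules are also identical apart from the program name, so a single pattern rule would keep the flag order `$(CPPFLAGS) $(CFLAGS) $(LDFLAGS)` in one place.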
@@ -98,7 +89,9 @@
 SHPLIB_VERSION=1.2.9
 LIBSHP_VERSION=1.0.1 # still once to be changed manually (see for 1:1:0), sorry
 
-lib:
+lib: .libs/libshp.so
+
+.libs/libshp.so:
 	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c shpopen.c
 	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c shptree.c
 	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c dbfopen.c
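Review bot: the new `.libs/libshp.so:` target is declared without prerequisites, so once the file exists make treats it as up to date and later changes to `shpopen.c`, `shptree.c`, `dbfopen.c` or `shapefil.h` will not rebuild the library that the tools now link against. List the three sources and the header as prerequisites of `.libs/libshp.so`.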



--- End Message ---
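The `hardening-check` run described in the report above, as an added example that is not part of the original message or of the shapelib packaging: a shell filter that reduces the tool's output to the failing checks per file, skipping the two checks the report notes are not enabled by default. The function names and the `/usr/bin/shpfixed` sample block are constructed for illustration.

```sh
#!/bin/sh
# Added example: reduce hardening-check output to the failing checks per file.
# Checks the report notes are not enabled by default are treated as optional.
OPTIONAL='Position Independent Executable|Immediate binding'

# Reads hardening-check output on stdin and prints "<file><TAB><check>" for
# every non-optional check whose verdict starts with "no".
hardening_failures() {
    awk -v optional="^($OPTIONAL)\$" '
        { sub(/^[ \t]+/, "") }              # tolerate indented (quoted) output
        /:$/ { file = substr($0, 1, length($0) - 1); next }   # "path:" line
        {
            sep = index($0, ": ")           # "Check name: verdict" line
            if (sep == 0) next
            check = substr($0, 1, sep - 1)
            verdict = substr($0, sep + 2)
            if (verdict ~ /^no/ && check !~ optional)
                printf "%s\t%s\n", file, check
        }'
}

# Sample input: the shptest block is taken from the report; the shpfixed
# block is constructed to show a binary that passes the required checks.
sample_output() {
    cat <<'EOF'
/usr/bin/shptest:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/shpfixed:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no not found!
EOF
}

sample_output | hardening_failures
```

On a build tree the function can be fed directly from the `find ... -exec hardening-check {} +` command given in the report.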
--- Begin Message ---
Source: shapelib
Source-Version: 1.2.10-7

We believe that the bug you reported is fixed in the latest version of
shapelib, which is due to be installed in the Debian FTP archive:

libshp-dev_1.2.10-7_amd64.deb
  to main/s/shapelib/libshp-dev_1.2.10-7_amd64.deb
libshp1_1.2.10-7_amd64.deb
  to main/s/shapelib/libshp1_1.2.10-7_amd64.deb
shapelib_1.2.10-7.debian.tar.gz
  to main/s/shapelib/shapelib_1.2.10-7.debian.tar.gz
shapelib_1.2.10-7.dsc
  to main/s/shapelib/shapelib_1.2.10-7.dsc
shapelib_1.2.10-7_amd64.deb
  to main/s/shapelib/shapelib_1.2.10-7_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 672...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arto Jantunen <vi...@debian.org> (supplier of updated shapelib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 03 Jun 2012 12:01:04 +0300
Source: shapelib
Binary: shapelib libshp-dev libshp1
Architecture: source amd64
Version: 1.2.10-7
Distribution: unstable
Urgency: low
Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
Changed-By: Arto Jantunen <vi...@debian.org>
Description: 
 libshp-dev - Library for reading and writing ArcView Shapefiles - development
 libshp1    - Library for reading and writing ArcView Shapefiles
 shapelib   - Library for reading and writing ArcView Shapefiles - tools
Closes: 672465
Changes: 
 shapelib (1.2.10-7) unstable; urgency=low
 .
   * Team Upload
   * Remove patch 0001 (Disable proj_api.h include), this was never used
   * Apply patch from Simon Ruderich to use all hardening flags
     (Closes: #672465)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk/LL0QACgkQQ9/iJIjcFnqXVQCfcSGmz3kdpVlVvI46X8P7SjEP
ys8AoMJAmqEprlcGwQKrQKPmo+JpUJBe
=CTjI
-----END PGP SIGNATURE-----



--- End Message ---