Your message dated Sat, 19 May 2012 15:27:55 +0200 with message-id <201205191528.31688.panfa...@gmail.com> and subject line Closing some hardening flags bugs has caused the Debian Bug report #663524, regarding ktorrent: CPPFLAGS hardening flags missing to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
663524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ktorrent
Version: 4.2.0-1
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores them by default. The following patch fixes the issue by adding them to CFLAGS/CXXFLAGS.

For more hardening information please have a look at [1], [2] and [3].

diff -Nru ktorrent-4.2.0/debian/rules ktorrent-4.2.0/debian/rules --- ktorrent-4.2.0/debian/rules 2012-03-10 22:04:39.000000000 +0100 +++ ktorrent-4.2.0/debian/rules 2012-03-12 00:36:29.000000000 +0100 
@@ -1,5 +1,10 @@ #!/usr/bin/make -f +# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the +# missing (hardening) flags. +export DEB_CFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS) +export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS) + #DEB_KDE_LINK_WITH_AS_NEEDED := yes override_dh_auto_configure:

To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/ktupnptest /usr/bin/ktorrent /usr/bin/ktmagnetdownloader ...
    /usr/bin/ktupnptest:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/ktorrent:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/ktmagnetdownloader:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.
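Review bot: Both added `export` lines assign with recursive `=`, so `$(shell dpkg-buildflags --get CPPFLAGS)` is re-run each time the variable is expanded instead of once when debian/rules is parsed. Simple assignment, for example `export DEB_CFLAGS_MAINT_APPEND := $(shell dpkg-buildflags --get CPPFLAGS)` and the same for `DEB_CXXFLAGS_MAINT_APPEND`, evaluates the command once and keeps the value fixed for the whole build. Given the closing message's statement that the KDE dh sequencer addon now carries a workaround for CMake ignoring CPPFLAGS, this per-package override is unnecessary for packages built with that addon.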
Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
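The check described in the report above, turned into a pass/fail gate for a build job. This is an added example, not part of the original report or of the hardening-check tool: the function names are hypothetical, the sample input is the output quoted in the report, and the parser assumes that text format. It skips the two checks the report says are not enabled by default.

```shell
#!/bin/sh
# Sample input: the hardening-check output quoted in the bug report.
sample_report() {
    cat <<'EOF'
/usr/bin/ktupnptest:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/ktorrent:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/bin/ktmagnetdownloader:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
EOF
}

# Read hardening-check output on stdin and print "<file>: <check>" for every
# failed check that the default flags are expected to satisfy.
# Exit status is 1 if anything was printed, 0 otherwise.
missing_default_hardening() {
    awk '
        /^\/.*:$/ { file = substr($0, 1, length($0) - 1); next }  # "/path:" header
        {
            sub(/^[ \t]+/, "")
            n = index($0, ": ")
            if (n == 0) next                      # not a "check: result" line
            check  = substr($0, 1, n - 1)
            result = substr($0, n + 2)
            # Not enabled by default according to the report, so not a failure.
            if (check == "Position Independent Executable") next
            if (check == "Immediate binding") next
            if (result ~ /^no/) { print file ": " check; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

sample_report | missing_default_hardening || echo "default hardening flags missing"
```

On a real build tree, pipe the output of the report's `find ... -exec hardening-check {} +` command into `missing_default_hardening` instead of the sample.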
--- Begin Message ---
I'm closing these bugs because the involved packages are using the dh sequencer addon for kde. While cmake still doesn't respect CPPFLAGS, a workaround was added to the mentioned addon, so if you build any of the packages involved it will include the hardening flags.

At least one of the involved packages (amarok) was built before the workaround mentioned above was done. Therefore if you think it's really important to get any of them built with the hardening flags feel free to request a binNMU.
--- End Message ---
_______________________________________________
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras