[Python-modules-team] Bug#666679: marked as done (pyside: CPPFLAGS hardening flags missing)

[Debian Bug Tracking System]

Your message dated Sun, 01 Apr 2012 15:37:56 +0000
with message-id <e1semqq-0004id...@franck.debian.org>
and subject line Bug#666679: fixed in pyside 1.1.0-2
has caused the Debian Bug report #666679,
regarding pyside: CPPFLAGS hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
666679: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666679
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: pyside
Version: 1.1.0-1
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores
them by default.

The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].

diff -Nru pyside-1.1.0/debian/rules pyside-1.1.0/debian/rules
--- pyside-1.1.0/debian/rules   2012-01-04 10:48:07.000000000 +0100
+++ pyside-1.1.0/debian/rules   2012-03-29 20:48:50.000000000 +0200
@@ -1,5 +1,13 @@
 #!/usr/bin/make -f
 
+# Enable verbose build to detect missing (hardening) flags.
+export VERBOSE=1
+
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND   = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
 %:
        dh $@ --with python2 --with python3 --buildsystem=cmake --parallel
 

It also enables verbose builds to make it easy to (automatically)
spot missing hardening flags.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything).

However at the moment fortification (which is set by CPPFLAGS) is
not yet used because there are no protectable functions. Still
passing CPPFLAGS is important to automatically protect new
functions in the future.

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

Source: pyside
Source-Version: 1.1.0-2

We believe that the bug you reported is fixed in the latest version of
pyside, which is due to be installed in the Debian FTP archive:

pyside_1.1.0-2.debian.tar.gz
  to main/p/pyside/pyside_1.1.0-2.debian.tar.gz
pyside_1.1.0-2.dsc
  to main/p/pyside/pyside_1.1.0-2.dsc
python-pyside_1.1.0-2_all.deb
  to main/p/pyside/python-pyside_1.1.0-2_all.deb
python3-pyside_1.1.0-2_all.deb
  to main/p/pyside/python3-pyside_1.1.0-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 666...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <o...@debian.org> (supplier of updated pyside package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 01 Apr 2012 16:55:55 +0200
Source: pyside
Binary: python-pyside python3-pyside libpyside1.1 libpyside-py3-1.1 
libpyside-dev python-pyside.qtcore python3-pyside.qtcore 
python-pyside.qtdeclarative python3-pyside.qtdeclarative python-pyside.qtgui 
python3-pyside.qtgui python-pyside.qthelp python3-pyside.qthelp 
python-pyside.qtnetwork python3-pyside.qtnetwork python-pyside.qtopengl 
python3-pyside.qtopengl python-pyside.phonon python3-pyside.phonon 
python-pyside.qtscript python3-pyside.qtscript python-pyside.qtsql 
python3-pyside.qtsql python-pyside.qtsvg python3-pyside.qtsvg 
python-pyside.qttest python3-pyside.qttest python-pyside.qtuitools 
python3-pyside.qtuitools python-pyside.qtwebkit python3-pyside.qtwebkit 
python-pyside.qtxml python3-pyside.qtxml
Architecture: source all
Version: 1.1.0-2
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team 
<python-modules-team@lists.alioth.debian.org>
Changed-By: Didier Raboud <o...@debian.org>
Description: 
 libpyside-dev - Python bindings for Qt 4 (development files)
 libpyside-py3-1.1 - Python3 bindings for Qt 4 (base files)
 libpyside1.1 - Python bindings for Qt 4 (base files)
 python-pyside - Python bindings for Qt4 (big metapackage)
 python-pyside.phonon - Qt 4 Phonon module - Python bindings
 python-pyside.qtcore - Qt 4 core module - Python bindings
 python-pyside.qtdeclarative - Qt 4 Declarative module - Python bindings
 python-pyside.qtgui - Qt 4 GUI module - Python bindings
 python-pyside.qthelp - Qt 4 help module - Python bindings
 python-pyside.qtnetwork - Qt 4 network module - Python bindings
 python-pyside.qtopengl - Qt 4 OpenGL module - Python bindings
 python-pyside.qtscript - Qt 4 script module - Python bindings
 python-pyside.qtsql - Qt 4 SQL module - Python bindings
 python-pyside.qtsvg - Qt 4 SVG module - Python bindings
 python-pyside.qttest - Qt 4 test module - Python bindings
 python-pyside.qtuitools - Qt 4 UI tools module - Python bindings
 python-pyside.qtwebkit - Qt 4 WebKit module - Python bindings
 python-pyside.qtxml - Qt 4 XML module - Python bindings
 python3-pyside - Python3 bindings for Qt4 (big metapackage)
 python3-pyside.phonon - Qt 4 Phonon module - Python3 bindings
 python3-pyside.qtcore - Qt 4 core module - Python3 bindings
 python3-pyside.qtdeclarative - Qt 4 Declarative module - Python3 bindings
 python3-pyside.qtgui - Qt 4 GUI module - Python3 bindings
 python3-pyside.qthelp - Qt 4 help module - Python3 bindings
 python3-pyside.qtnetwork - Qt 4 network module - Python3 bindings
 python3-pyside.qtopengl - Qt 4 OpenGL module - Python3 bindings
 python3-pyside.qtscript - Qt 4 script module - Python3 bindings
 python3-pyside.qtsql - Qt 4 SQL module - Python3 bindings
 python3-pyside.qtsvg - Qt 4 SVG module - Python3 bindings
 python3-pyside.qttest - Qt 4 test module - Python3 bindings
 python3-pyside.qtuitools - Qt 4 UI tools module - Python3 bindings
 python3-pyside.qtwebkit - Qt 4 WebKit module - Python3 bindings
 python3-pyside.qtxml - Qt 4 XML module - Python3 bindings
Closes: 666679
Changes: 
 pyside (1.1.0-2) unstable; urgency=low
 .
   [ Simon Ruderich ]
   * Pass hardening CPPFLAGS trough CFLAGS/CXXFLAGS. (Closes: #666679)
 .
   [ Didier Raboud ]
   * Bump Standards-Version to 3.9.3 without changes needed.
Checksums-Sha1: 
 8aa33ef8443c362d9790731a103daa72a2980452 4233 pyside_1.1.0-2.dsc
 5064a3ac6f01efb6b3d8ffad20456a3bd485f086 19397 pyside_1.1.0-2.debian.tar.gz
 24b8432d271058224045c2acba34817febb5971d 109758 python-pyside_1.1.0-2_all.deb
 165656a2cc3f19d27d7fae3e9df4c9253565fb22 109572 python3-pyside_1.1.0-2_all.deb
Checksums-Sha256: 
 6add36aff5c4449831a9b3de80d690afa89f2a69fe907e9b687101a73cf3c357 4233 
pyside_1.1.0-2.dsc
 30c859eae12662edecad674880a8046c826e48bd15558ede3abd7a214c953c81 19397 
pyside_1.1.0-2.debian.tar.gz
 d7be0211d109f7f75f9afbaf5eda8f36e5aa744073caff7641e6847da00fb509 109758 
python-pyside_1.1.0-2_all.deb
 75f57b125ca5444c14e772643128e98d9f48de2ee7efd30c346daa5685c194a3 109572 
python3-pyside_1.1.0-2_all.deb
Files: 
 4c04596eb9261ebec055b27dc7244394 4233 python optional pyside_1.1.0-2.dsc
 fe3b3791b8225abbbf7ca0a300d2d4e4 19397 python optional 
pyside_1.1.0-2.debian.tar.gz
 f2c53cc6da675d96b3a8f1a9d20ba6dc 109758 python optional 
python-pyside_1.1.0-2_all.deb
 3208cc504cfe226c111c8eced158008d 109572 python optional 
python3-pyside_1.1.0-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQGcBAEBCAAGBQJPeG5VAAoJEIvPpx7KFjRVW64L/2tseRcEJGXY2ibvic7Ui68M
lWijgCc7uWXVlwTTn1tOkWGpW+BpM/Zglhc8vIoVgfoSCeRtmok2T15dEYIj6eIn
AxO3U6jIHwNPMLtbpnAnW3caitMkozTwujk3iWSR1rJNcl3pHLjNbP/lbCCDFm9U
mu/UMSbSYZ0VSamJiB0sMOvkBJ50HBkROwq9XFqg3sVplalueRng9Pk3zW2en8zc
Vqh3usBmOkQZf4pMD/qtYW6rsGDFVaz4Tc5EagD9iuvK0WkV+J+xYysDmBMYBaQN
elTBCJdKipkJW3WedYsm4Zlwz00U5HfUSo5DifOqxXdtm8nAqwi59lTcrjSyabHZ
N2GYsqKSocgfr0xoDghgAfYMozDJKMmxqV4KuQT+uhEyO4X59XqKqqz3RkB8bBJI
EN61/67n7/Nj3dgspY37s0BHYZu9emeNsuBlW7zuu2kCPKANUIPCR68kKegf/KVL
MVTbAMJMMaK+73D2TqBbLWdwxuqcNg3JDFkveXW5qw==
=mAPb
-----END PGP SIGNATURE-----

--- End Message ---

_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team