Bug#655130: Please enabled hardened build flags

[Simon Ruderich]

Package: openvpn
Version: 2.2.1-5
Followup-For: Bug #655130

reopen 655130
thanks

Dear Maintainer,

The hardening flags are missing for the plugins because the build
system ignores them.

The following and the attached patch fix the issue. If possible
it should be sent upstream.

diff -Nru openvpn-2.2.1/debian/rules openvpn-2.2.1/debian/rules
--- openvpn-2.2.1/debian/rules  2012-02-24 12:21:39.0 +0100
+++ openvpn-2.2.1/debian/rules  2012-03-16 01:50:15.0 +0100
@@ -21,8 +21,8 @@
# The one shipped in the tarball gets rebuild (chaging /bin/sh in some 
cases)
sed -i -e '1s%.*%#!/bin/sh%' t_client.sh
# make plugins
-   $(MAKE) -C plugin/auth-pam/
-   $(MAKE) -C plugin/down-root/
+   $(MAKE) -C plugin/auth-pam/ $(shell dpkg-buildflags --export=configure)
+   $(MAKE) -C plugin/down-root/ $(shell dpkg-buildflags --export=configure)
 
 # we may not want to run dh_auto_test
 #override_dh_auto_test:

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

$ hardening-check /usr/sbin/openvpn /usr/lib/openvpn/openvpn-down-root.so 
/usr/lib/openvpn/openvpn-auth-pam.so
/usr/sbin/openvpn:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/openvpn/openvpn-down-root.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib/openvpn/openvpn-auth-pam.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment for plugins (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich si...@ruderich.org
Last-Update: 2012-03-16

--- openvpn-2.2.1.orig/plugin/auth-pam/Makefile
+++ openvpn-2.2.1/plugin/auth-pam/Makefile
@@ -18,13 +18,13 @@ INCLUDE=-I../..
 CC_FLAGS=-O2 -Wall -DDLOPEN_PAM=$(DLOPEN_PAM)
 
 openvpn-auth-pam.so : auth-pam.o pamdl.o
-	gcc ${CC_FLAGS} -fPIC -shared -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM)
+	gcc ${CFLAGS} ${CC_FLAGS} ${LDFLAGS} -fPIC -shared -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM)
 
 auth-pam.o : auth-pam.c pamdl.h
-	gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} auth-pam.c
+	gcc ${CFLAGS} ${CC_FLAGS} ${CPPFLAGS} -fPIC -c ${INCLUDE} auth-pam.c
 
 pamdl.o : pamdl.c pamdl.h
-	gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} pamdl.c
+	gcc ${CFLAGS} ${CC_FLAGS} ${CPPFLAGS} -fPIC -c ${INCLUDE} pamdl.c
 
 clean :
 	rm -f *.o *.so
--- openvpn-2.2.1.orig/plugin/down-root/Makefile
+++ openvpn-2.2.1/plugin/down-root/Makefile
@@ -8,10 +8,10 @@ INCLUDE=-I../..
 CC_FLAGS=-O2 -Wall
 
 down-root.so : down-root.o
-	gcc ${CC_FLAGS} -fPIC -shared -Wl,-soname,openvpn-down-root.so -o openvpn-down-root.so down-root.o -lc
+	gcc ${CFLAGS} ${CC_FLAGS} ${LDFLAGS} -fPIC -shared -Wl,-soname,openvpn-down-root.so -o openvpn-down-root.so down-root.o -lc
 
 down-root.o : down-root.c
-	gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} down-root.c
+	gcc ${CFLAGS} ${CC_FLAGS} ${CPPFLAGS} -fPIC -c ${INCLUDE} down-root.c
 
 clean :
 	rm -f *.o *.so


signature.asc
Description: Digital signature

Bug#655130: Please enabled hardened build flags

[Moritz Muehlenhoff]

Package: openvpn
Version: 2.2.1-3
Severity: important
Tags: patch

Please enabled hardened build flags through dpkg-buildflags.

Patch attached. (dpkg-buildflags abides noopt from DEB_BUILD_OPTIONS)

Cheers,
Moritz
diff -aur openvpn-2.2.1.orig/debian/rules openvpn-2.2.1/debian/rules
--- openvpn-2.2.1.orig/debian/rules	2011-12-20 13:05:57.0 +0100
+++ openvpn-2.2.1/debian/rules	2012-01-08 19:04:12.0 +0100
@@ -14,13 +14,6 @@
 DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 DEB_BUILD_ARCH_OS   ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH_OS)
 
-CFLAGS:=-g
-
-ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
 ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 	NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 	MAKEFLAGS += -j$(NUMJOBS)
@@ -39,7 +32,7 @@
 config.status: $(QUILT_STAMPFN)
 	dh_testdir
 	# Add here commands to configure the package.
-	./configure --enable-pthread --enable-password-save --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=$(ROUTE_PATH) CFLAGS='$(CFLAGS)'
+	./configure $(shell dpkg-buildflags --export=configure) --enable-pthread --enable-password-save --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=$(ROUTE_PATH)
 
 build: build-stamp
 
Nur in openvpn-2.2.1/debian: rules~.