Package: openvpn
Version: 2.2.1-5
Followup-For: Bug #655130
reopen 655130
thanks
Dear Maintainer,
The hardening flags are missing for the plugins because the build
system ignores them.
The following and the attached patch fix the issue. If possible
it should be sent upstream.
diff -Nru openvpn-2.2.1/debian/rules openvpn-2.2.1/debian/rules
--- openvpn-2.2.1/debian/rules 2012-02-24 12:21:39.0 +0100
+++ openvpn-2.2.1/debian/rules 2012-03-16 01:50:15.0 +0100
@@ -21,8 +21,8 @@
# The one shipped in the tarball gets rebuild (chaging /bin/sh in some
cases)
sed -i -e '1s%.*%#!/bin/sh%' t_client.sh
# make plugins
- $(MAKE) -C plugin/auth-pam/
- $(MAKE) -C plugin/down-root/
+ $(MAKE) -C plugin/auth-pam/ $(shell dpkg-buildflags --export=configure)
+ $(MAKE) -C plugin/down-root/ $(shell dpkg-buildflags --export=configure)
# we may not want to run dh_auto_test
#override_dh_auto_test:
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/sbin/openvpn /usr/lib/openvpn/openvpn-down-root.so
/usr/lib/openvpn/openvpn-auth-pam.so
/usr/sbin/openvpn:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/openvpn/openvpn-down-root.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/openvpn/openvpn-auth-pam.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment for plugins (dpkg-buildflags).
Necessary for hardening flags.
Author: Simon Ruderich si...@ruderich.org
Last-Update: 2012-03-16
--- openvpn-2.2.1.orig/plugin/auth-pam/Makefile
+++ openvpn-2.2.1/plugin/auth-pam/Makefile
@@ -18,13 +18,13 @@ INCLUDE=-I../..
CC_FLAGS=-O2 -Wall -DDLOPEN_PAM=$(DLOPEN_PAM)
openvpn-auth-pam.so : auth-pam.o pamdl.o
- gcc ${CC_FLAGS} -fPIC -shared -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM)
+ gcc ${CFLAGS} ${CC_FLAGS} ${LDFLAGS} -fPIC -shared -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM)
auth-pam.o : auth-pam.c pamdl.h
- gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} auth-pam.c
+ gcc ${CFLAGS} ${CC_FLAGS} ${CPPFLAGS} -fPIC -c ${INCLUDE} auth-pam.c
pamdl.o : pamdl.c pamdl.h
- gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} pamdl.c
+ gcc ${CFLAGS} ${CC_FLAGS} ${CPPFLAGS} -fPIC -c ${INCLUDE} pamdl.c
clean :
rm -f *.o *.so
--- openvpn-2.2.1.orig/plugin/down-root/Makefile
+++ openvpn-2.2.1/plugin/down-root/Makefile
@@ -8,10 +8,10 @@ INCLUDE=-I../..
CC_FLAGS=-O2 -Wall
down-root.so : down-root.o
- gcc ${CC_FLAGS} -fPIC -shared -Wl,-soname,openvpn-down-root.so -o openvpn-down-root.so down-root.o -lc
+ gcc ${CFLAGS} ${CC_FLAGS} ${LDFLAGS} -fPIC -shared -Wl,-soname,openvpn-down-root.so -o openvpn-down-root.so down-root.o -lc
down-root.o : down-root.c
- gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} down-root.c
+ gcc ${CFLAGS} ${CC_FLAGS} ${CPPFLAGS} -fPIC -c ${INCLUDE} down-root.c
clean :
rm -f *.o *.so
signature.asc
Description: Digital signature