Bug#662721: dash: Please enable hardening flags

2013-12-27 Thread Michael Gilbert
control: tag -1 pending

Hi, I've uploaded an nmu to delayed/5 enabling build-hardening.  Please
see attached patch.

Best wishes,
Mike
diff -u dash-0.5.7/debian/changelog dash-0.5.7/debian/changelog
--- dash-0.5.7/debian/changelog
+++ dash-0.5.7/debian/changelog
@@ -1,3 +1,10 @@
+dash (0.5.7-3+nmu1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Enable build-hardening flags (closes: #662721).
+
+ -- Michael Gilbert mgilb...@debian.org  Wed, 25 Dec 2013 13:46:03 -0500
+
 dash (0.5.7-3) unstable; urgency=low
 
   [ Christian Perrier ]
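Review bot: the new 0.5.7-3+nmu1 entry lists only "Enable build-hardening flags", but this NMU also adds debian/diff/0006-SECURITY-hardening.diff, which changes a fmtstr() call in src/jobs.c. Add a second bullet naming that patch and the format-string fix, so the changelog records the source change and not only the build-flag change.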
diff -u dash-0.5.7/debian/control dash-0.5.7/debian/control
--- dash-0.5.7/debian/control
+++ dash-0.5.7/debian/control
@@ -2,7 +2,7 @@
 Section: shells
 Priority: optional
 Maintainer: Gerrit Pape p...@smarden.org
-Build-Depends: po-debconf
+Build-Depends: po-debconf, dpkg-dev (= 1.16.1),
 Standards-Version: 3.9.3.0
 Homepage: http://gondor.apana.org.au/~herbert/dash/
 Vcs-Git: http://smarden.org/git/dash.git/
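Review bot: on the added Build-Depends line, the relation as rendered here is `dpkg-dev (= 1.16.1)`, an exact-version match, and the line ends in a trailing comma. debian/rules now depends on dpkg-buildflags honouring DEB_BUILD_MAINT_OPTIONS, which calls for a minimum version: write `dpkg-dev (>= 1.16.1)` and drop the trailing comma unless further entries follow.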
diff -u dash-0.5.7/debian/rules dash-0.5.7/debian/rules
--- dash-0.5.7/debian/rules
+++ dash-0.5.7/debian/rules
@@ -1,9 +1,13 @@
 #!/usr/bin/make -f
 
 CC =gcc
-CFLAGS =-g -O2 -Wall
 STRIP =strip
 
+OPTIONS=hardening=+all
+CFLAGS=$(shell DEB_BUILD_MAINT_OPTIONS=$(OPTIONS) dpkg-buildflags --get CFLAGS)
+LDFLAGS=$(shell DEB_BUILD_MAINT_OPTIONS=$(OPTIONS) dpkg-buildflags --get LDFLAGS)
+CPPFLAGS=$(shell DEB_BUILD_MAINT_OPTIONS=$(OPTIONS) dpkg-buildflags --get CPPFLAGS)
+
 DEB_HOST_GNU_TYPE =$(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE =$(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
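Review bot: removing `CFLAGS =-g -O2 -Wall` drops -Wall from the build, because the replacement takes CFLAGS only from dpkg-buildflags and nothing re-adds the warning flag; append it after the assignment (`CFLAGS += -Wall`). The three new assignments also use `=` with `$(shell ...)`, so dpkg-buildflags is re-run on every expansion of the variable; `:=` would evaluate each once. `hardening=+all` additionally turns on PIE and bindnow, which is worth stating in the changelog since it goes beyond the default flag set.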
@@ -12,7 +16,7 @@
 
 ifneq (,$(findstring diet,$(DEB_BUILD_OPTIONS)))
   CC =diet -v -Os gcc
-  CFLAGS =-nostdinc -Wall
+  CFLAGS +=-nostdinc
 endif
 ifneq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
   STRIP =: strip
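Review bot: in the diet branch, `CFLAGS +=-nostdinc` now appends to the dpkg-buildflags output instead of replacing it, so a dietlibc build receives the full hardening=+all CFLAGS, and the configure and build targets pass the hardened CPPFLAGS and LDFLAGS as well. Has the build with `diet` in DEB_BUILD_OPTIONS been tested with these flags? If not, either test it or reset the three variables inside this ifneq block.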
@@ -32,14 +36,14 @@
 configure-stamp: patch-stamp
 	mkdir -p build-tmp
 	touch configure
-	(cd build-tmp  CC='$(CC)' CFLAGS='$(CFLAGS)' \
+	(cd build-tmp  CC='$(CC)' CFLAGS='$(CFLAGS)' CPPFLAGS='$(CPPFLAGS)' LDFLAGS='$(LDFLAGS)' \
 	  exec ../configure --host='$(DEB_HOST_GNU_TYPE)')
 	touch configure-stamp
 
 build: deb-checkdir build-stamp
 build-stamp: configure-stamp
 	-$(CC) -v
-	(cd build-tmp  exec $(MAKE) CFLAGS='$(CFLAGS)') || \
+	(cd build-tmp  exec $(MAKE) CFLAGS='$(CFLAGS)' CPPFLAGS='$(CPPFLAGS)' LDFLAGS='$(LDFLAGS)') || \
 	  (cat build-tmp/config.log; exit 1) || exit 1
 	touch build-stamp
 
only in patch2:
unchanged:
--- dash-0.5.7.orig/debian/diff/0006-SECURITY-hardening.diff
+++ dash-0.5.7/debian/diff/0006-SECURITY-hardening.diff
@@ -0,0 +1,14 @@
+description: address format-security build error
+author: Simon Ruderich si...@ruderich.org
+
+--- a/src/jobs.c	2013-12-25 14:20:37.932958436 -0500
 b/src/jobs.c	2013-12-25 14:20:47.944958520 -0500
+@@ -427,7 +427,7 @@
+ goto out;
+ #endif
+ 		}
+-		col = fmtstr(s, 32, strsignal(st));
++		col = fmtstr(s, 32, %s, strsignal(st));
+ #ifdef WCOREDUMP
+ 		if (WCOREDUMP(status)) {
+ 			col += fmtstr(s + col, 16,  (core dumped));
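Review bot: the header of the new debian/diff/0006-SECURITY-hardening.diff describes the change as addressing a "format-security build error", while the change itself, at `col = fmtstr(s, 32, ...)`, stops passing the result of strsignal() as the format argument and passes it as data to a %s conversion (the quotes around %s are missing as rendered here). Say that in the description, name the file after the fix rather than "hardening", and reference #662721 in the header so the origin of the patch can be traced.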

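The effect of the fmtstr() change in the patch above, as an added example that is not part of either message or of dash's source. `my_fmtstr` is a hypothetical stand-in for dash's fmtstr() and the input strings are constructed; "%%" is used because it consumes no argument, so the pre-patch call shape stays well-defined.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for dash's fmtstr(): bounded printf into buf,
 * returning the number of characters actually stored.
 * Declaring it with __attribute__((format(printf, 3, 4))) makes gcc
 * report the pre-patch call shape below under -Wformat-security. */
static int my_fmtstr(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n >= len ? (int)len - 1 : n;
}

/* Pre-patch shape: the message is the format string, so every '%' in it
 * is interpreted as the start of a conversion. */
int render_as_format(char *buf, size_t len, const char *msg)
{
    return my_fmtstr(buf, len, msg);
}

/* Post-patch shape: constant format, message passed as data. */
int render_as_data(char *buf, size_t len, const char *msg)
{
    return my_fmtstr(buf, len, "%s", msg);
}

int main(void)
{
    const char *msg = "signal 100%% handled";   /* constructed input */
    char a[32], b[32];

    render_as_format(a, sizeof a, msg);
    render_as_data(b, sizeof b, msg);
    printf("as format: %s\nas data:   %s\n", a, b);
    return 0;
}
```

With a conversion that does consume an argument (for example %s or %n) the pre-patch shape reads arguments that were never passed, which is the condition -Wformat-security exists to flag.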

Bug#662721: dash: Please enable hardening flags

2012-03-05 Thread Simon Ruderich
Package: dash
Version: 0.5.7-3
Severity: important
Tags: patch

Dear Maintainer,

Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].

The attached patch enables the hardening flags and fixes a format
string vulnerability detected by -Wformat-security. -g and -O2 are
automatically set by dpkg-buildflags (noopt is respected). I've
been using the patched version for some time now and it works
fine for me.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

$ hardening-check /bin/dash
/bin/dash:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dash depends on:
ii  debianutils  4.2.1
ii  dpkg         1.16.1.2
ii  libc6        2.13-27

dash recommends no packages.

dash suggests no packages.

-- debconf information excluded

diff -u dash-0.5.7/debian/control dash-0.5.7/debian/control
--- dash-0.5.7/debian/control
+++ dash-0.5.7/debian/control
@@ -2,7 +2,7 @@
 Section: shells
 Priority: optional
 Maintainer: Gerrit Pape p...@smarden.org
-Build-Depends: po-debconf
+Build-Depends: po-debconf, dpkg-dev (= 1.16.1)
 Standards-Version: 3.9.3.0
 Homepage: http://gondor.apana.org.au/~herbert/dash/
 Vcs-Git: http://smarden.org/git/dash.git/
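Review bot: the added relation reads `dpkg-dev (= 1.16.1)` as rendered here, which is an exact-version match. The system information in this same report lists dpkg 1.16.1.2, which an exact `= 1.16.1` would not match; since debian/rules now includes /usr/share/dpkg/buildflags.mk, the dependency should state a minimum version, `dpkg-dev (>= 1.16.1)`.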
diff -u dash-0.5.7/debian/rules dash-0.5.7/debian/rules
--- dash-0.5.7/debian/rules
+++ dash-0.5.7/debian/rules
@@ -1,7 +1,10 @@
 #!/usr/bin/make -f
 
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
 CC =gcc
-CFLAGS =-g -O2 -Wall
+CFLAGS +=-Wall
 STRIP =strip
 
 DEB_HOST_GNU_TYPE =$(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
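Review bot: with `DPKG_EXPORT_BUILDFLAGS = 1`, CPPFLAGS and LDFLAGS reach configure and make only through the exported environment, while the configure and build targets keep passing CFLAGS explicitly as `CFLAGS='$(CFLAGS)'`. Pass CPPFLAGS and LDFLAGS the same way so all three flag sets are visible on the command lines in the build log. The diet branch, which this hunk leaves as `CFLAGS =-nostdinc -Wall`, will also discard the hardened CFLAGS while the exported CPPFLAGS and LDFLAGS still apply; decide explicitly which flags that build should get.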
only in patch2:
unchanged:
--- dash-0.5.7.orig/src/jobs.c
+++ dash-0.5.7/src/jobs.c
@@ -427,7 +427,7 @@
 goto out;
 #endif
 		}
-		col = fmtstr(s, 32, strsignal(st));
+		col = fmtstr(s, 32, %s, strsignal(st));
 #ifdef WCOREDUMP
 		if (WCOREDUMP(status)) {
 			col += fmtstr(s + col, 16,  (core dumped));
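Review bot: the changed call `col = fmtstr(s, 32, %s, strsignal(st));` fixes this one site (the quotes around %s are missing as rendered here), but the report does not say whether the remaining fmtstr() and printf-style callers in src/ were checked. State in the report that the tree builds without further -Wformat-security findings, and forward the change upstream, since src/jobs.c is upstream code and the fix should not live only in the Debian diff.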