Bug#672461: downtimed: CPPFLAGS hardening flags missing

Fri, 11 May 2012 02:03:25 -0700 

Package: downtimed
Version: 0.5-2
Severity: normal
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because there is a typo
in debian/rules. For more hardening information please have a
look at [1], [2] and [3].

The following patch fixes the issue.

diff -Nru downtimed-0.5/debian/rules downtimed-0.5/debian/rules
--- downtimed-0.5/debian/rules  2012-04-03 01:32:29.000000000 +0200
+++ downtimed-0.5/debian/rules  2012-05-11 10:57:48.000000000 +0200
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-CPPLAGS = $(shell dpkg-buildflags --get CPPFLAGS)
+CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)
 CFLAGS  = $(shell dpkg-buildflags --get CFLAGS)
 LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
 export CPPFLAGS CFLAGS LDFLAGS

Instead of setting the flags manually you could also update
compat level to 9 which automatically injects the hardening
flags. This makes the lines above in the rules file unnecessary.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/bin/downtimes /usr/sbin/downtimed
    /usr/bin/downtimes:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/sbin/downtimed:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Attachment: signature.asc
Description: Digital signature

Reply via email to