Package: downtimed Version: 0.5-2 Severity: normal Tags: patch Dear Maintainer,
The CPPFLAGS hardening flags are missing because there is a typo in debian/rules. For more hardening information please have a look at [1], [2] and [3]. The following patch fixes the issue. diff -Nru downtimed-0.5/debian/rules downtimed-0.5/debian/rules --- downtimed-0.5/debian/rules 2012-04-03 01:32:29.000000000 +0200 +++ downtimed-0.5/debian/rules 2012-05-11 10:57:48.000000000 +0200 @@ -1,6 +1,6 @@ #!/usr/bin/make -f -CPPLAGS = $(shell dpkg-buildflags --get CPPFLAGS) +CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS) CFLAGS = $(shell dpkg-buildflags --get CFLAGS) LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS) export CPPFLAGS CFLAGS LDFLAGS Instead of setting the flags manually you could also update compat level to 9 which automatically injects the hardening flags. This makes the lines above in the rules file unnecessary. To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything): $ hardening-check /usr/bin/downtimes /usr/sbin/downtimed /usr/bin/downtimes: Position Independent Executable: no, normal executable! Stack protected: no, not found! Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/sbin/downtimed: Position Independent Executable: no, normal executable! Stack protected: no, not found! Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening [4]: http://ruderich.org/simon/blhc/ -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature