Package: src:hardening-wrapper
Version: 2.5+nmu1

A few months ago dpkg-buildflags switched its default SSP hardening flag
to -fstack-protector-strong, see:

 https://lists.debian.org/debian-devel/2014/06/msg00453.html

It would be great if hardening-wrapper could follow suit and use the new
flag as well; some high-profile packages still use it. I'm attaching a
patch against the latest NMU (which is not in bzr) with the minimal set
of changes to make the switch.

Let me know if you want me to upload this, or if you want to use another
approach.

Thanks for your consideration,

-- 
Romain Francoise <rfranco...@debian.org>
http://people.debian.org/~rfrancoise/

diffstat for hardening-wrapper-2.5+nmu1 hardening-wrapper-2.5+nmu2

 debian/README.Debian  |    2 +-
 debian/changelog      |    8 ++++++++
 hardened-cc           |    2 +-
 hardening.make        |    2 +-
 tests/Makefile.common |    1 -
 5 files changed, 11 insertions(+), 4 deletions(-)

diff -Nru hardening-wrapper-2.5+nmu1/debian/changelog hardening-wrapper-2.5+nmu2/debian/changelog
--- hardening-wrapper-2.5+nmu1/debian/changelog	2014-08-21 13:54:44.000000000 +0200
+++ hardening-wrapper-2.5+nmu2/debian/changelog	2014-09-24 10:22:21.000000000 +0200
@@ -1,3 +1,11 @@
+hardening-wrapper (2.5+nmu2) UNRELEASED; urgency=medium
+
+  * hardened-cc, hardening.make: switch SSP flag to -fstack-protector-strong.
+  * tests/Makefile.common: disable ssp-buffer-size-skip test since all
+    buffer sizes are protected now.
+
+ -- Romain Francoise <rfranco...@debian.org>  Wed, 24 Sep 2014 10:22:21 +0200
+
 hardening-wrapper (2.5+nmu1) unstable; urgency=medium
 
   * Non-maintainer upload.
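Review bot: the second bullet says the ssp-buffer-size-skip test is disabled, but the diffstat only touches tests/Makefile.common, so the test's own source stays in the tree as a dead file; either remove it in the same upload or word the entry as dropping the Makefile target. It would also help anyone backporting to note here that -fstack-protector-strong needs GCC 4.9 or newer, since nothing else in the package declares that.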
diff -Nru hardening-wrapper-2.5+nmu1/debian/README.Debian hardening-wrapper-2.5+nmu2/debian/README.Debian
--- hardening-wrapper-2.5+nmu1/debian/README.Debian	2012-12-16 23:58:02.000000000 +0100
+++ hardening-wrapper-2.5+nmu2/debian/README.Debian	2014-09-24 10:20:24.000000000 +0200
@@ -23,7 +23,7 @@
 
 Features
 --------
--fstack-protector --param ssp-buffer-size=4 (DEB_BUILD_HARDENING_STACKPROTECTOR)
+-fstack-protector-strong (DEB_BUILD_HARDENING_STACKPROTECTOR)
 
 This is a mainline GCC feature, which adds safety checks against stack
 overwrites. This renders many potential code injection attacks into
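Review bot: the shortened feature line now says less than the old one about what gets a canary, and the paragraph under it still only says "safety checks against stack overwrites"; carry the changelog's rationale into this README (every function with a local array is instrumented, not only those with a char array of at least ssp-buffer-size bytes) so a reader sees why the default changed and why the ssp-buffer-size tuning is gone.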
diff -Nru hardening-wrapper-2.5+nmu1/hardened-cc hardening-wrapper-2.5+nmu2/hardened-cc
--- hardening-wrapper-2.5+nmu1/hardened-cc	2013-09-13 22:31:30.000000000 +0200
+++ hardening-wrapper-2.5+nmu2/hardened-cc	2014-09-24 10:20:45.000000000 +0200
@@ -104,7 +104,7 @@
 
     # Enable SSP by default
     if ($force_stack) {
-        push(@args,'-fstack-protector','--param=ssp-buffer-size=4');
+        push(@args,'-fstack-protector-strong');
     }
 
     # Enable -fPIE by default
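Review bot: pushing a bare -fstack-protector-strong is only effective if it lands after any -fstack-protector or -fno-stack-protector the package's own CFLAGS carry, because GCC honours the last -fstack-protector* option it sees; confirm where @args is spliced relative to the caller's flags before relying on this as "enabled by default".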
diff -Nru hardening-wrapper-2.5+nmu1/hardening.make hardening-wrapper-2.5+nmu2/hardening.make
--- hardening-wrapper-2.5+nmu1/hardening.make	2013-12-17 19:08:41.000000000 +0100
+++ hardening-wrapper-2.5+nmu2/hardening.make	2014-09-24 10:20:35.000000000 +0200
@@ -73,7 +73,7 @@
 _HARDENED_PIE_CFLAGS  := -fPIE
 _HARDENED_PIE_LDFLAGS := -fPIE -pie
 
-_HARDENED_STACKPROTECTOR_CFLAGS := -fstack-protector --param ssp-buffer-size=4
+_HARDENED_STACKPROTECTOR_CFLAGS := -fstack-protector-strong
 
 # Fortify Source requires that -O1 or higher is used, but that should be
 # handled outside of this include file.
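Review bot: dropping --param ssp-buffer-size=4 here is right (the parameter only tunes plain -fstack-protector and has no effect under -strong), but the same flag is now hard-coded in two places, this variable and the push() in hardened-cc, and they can drift; consider making this variable the single definition or at least cross-referencing the two in a comment.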
diff -Nru hardening-wrapper-2.5+nmu1/tests/Makefile.common hardening-wrapper-2.5+nmu2/tests/Makefile.common
--- hardening-wrapper-2.5+nmu1/tests/Makefile.common	2012-04-01 01:44:21.000000000 +0200
+++ hardening-wrapper-2.5+nmu2/tests/Makefile.common	2014-09-24 10:20:52.000000000 +0200
@@ -26,7 +26,6 @@
 	$(BUILD_TREE)/$(NAME)-test-fPIC \
 	$(BUILD_TREE)/$(NAME)-test-format-security \
 	$(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-protect \
-	$(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-skip \
 	$(BUILD_TREE)/$(NAME)-test-all.o \
 	$(BUILD_TREE)/$(NAME)-test-all.a \
 	$(BUILD_TREE)/$(NAME)-test-none.o \
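Review bot: deleting the ssp-buffer-size-skip target leaves ssp-buffer-size-protect as the only SSP test, and neither name reflects what -fstack-protector-strong changes; rather than dropping the skip test, invert it so it asserts that the small buffer now is instrumented, which is exactly the property the changelog claims ("all buffer sizes are protected now") and the one a regression to plain -fstack-protector would break.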
