Package: src:hardening-wrapper
Version: 2.5+nmu1

A few months ago dpkg-buildflags switched its default SSP hardening flag to -fstack-protector-strong, see:
https://lists.debian.org/debian-devel/2014/06/msg00453.html

It would be great if hardening-wrapper could follow suit and use the new flag as well; some high-profile packages still use it. I'm attaching a patch against the latest NMU (which is not in bzr) with the minimal set of changes to make the switch. Let me know if you want me to upload this, or if you want to use another approach.

Thanks for your consideration,

-- 
Romain Francoise <rfranco...@debian.org>
http://people.debian.org/~rfrancoise/
diffstat for hardening-wrapper-2.5+nmu1 hardening-wrapper-2.5+nmu2 debian/README.Debian | 2 +- debian/changelog | 8 ++++++++ hardened-cc | 2 +- hardening.make | 2 +- tests/Makefile.common | 1 - 5 files changed, 11 insertions(+), 4 deletions(-) diff -Nru hardening-wrapper-2.5+nmu1/debian/changelog hardening-wrapper-2.5+nmu2/debian/changelog --- hardening-wrapper-2.5+nmu1/debian/changelog 2014-08-21 13:54:44.000000000 +0200 +++ hardening-wrapper-2.5+nmu2/debian/changelog 2014-09-24 10:22:21.000000000 +0200 @@ -1,3 +1,11 @@ +hardening-wrapper (2.5+nmu2) UNRELEASED; urgency=medium + + * hardened-cc, hardening.make: switch SSP flag to -fstack-protector-strong. + * tests/Makefile.common: disable ssp-buffer-size-skip test since all + buffer sizes are protected now. + + -- Romain Francoise <rfranco...@debian.org> Wed, 24 Sep 2014 10:22:21 +0200 + hardening-wrapper (2.5+nmu1) unstable; urgency=medium * Non-maintainer upload. diff -Nru hardening-wrapper-2.5+nmu1/debian/README.Debian hardening-wrapper-2.5+nmu2/debian/README.Debian --- hardening-wrapper-2.5+nmu1/debian/README.Debian 2012-12-16 23:58:02.000000000 +0100 +++ hardening-wrapper-2.5+nmu2/debian/README.Debian 2014-09-24 10:20:24.000000000 +0200 @@ -23,7 +23,7 @@ Features -------- --fstack-protector --param ssp-buffer-size=4 (DEB_BUILD_HARDENING_STACKPROTECTOR) +-fstack-protector-strong (DEB_BUILD_HARDENING_STACKPROTECTOR) This is a mainline GCC feature, which adds safety checks against stack overwrites. This renders many potential code injection attacks into diff -Nru hardening-wrapper-2.5+nmu1/hardened-cc hardening-wrapper-2.5+nmu2/hardened-cc --- hardening-wrapper-2.5+nmu1/hardened-cc 2013-09-13 22:31:30.000000000 +0200 +++ hardening-wrapper-2.5+nmu2/hardened-cc 2014-09-24 10:20:45.000000000 +0200 
@@ -104,7 +104,7 @@ # Enable SSP by default if ($force_stack) { - push(@args,'-fstack-protector','--param=ssp-buffer-size=4'); + push(@args,'-fstack-protector-strong'); } # Enable -fPIE by default diff -Nru hardening-wrapper-2.5+nmu1/hardening.make hardening-wrapper-2.5+nmu2/hardening.make --- hardening-wrapper-2.5+nmu1/hardening.make 2013-12-17 19:08:41.000000000 +0100 +++ hardening-wrapper-2.5+nmu2/hardening.make 2014-09-24 10:20:35.000000000 +0200 @@ -73,7 +73,7 @@ _HARDENED_PIE_CFLAGS := -fPIE _HARDENED_PIE_LDFLAGS := -fPIE -pie -_HARDENED_STACKPROTECTOR_CFLAGS := -fstack-protector --param ssp-buffer-size=4 +_HARDENED_STACKPROTECTOR_CFLAGS := -fstack-protector-strong # Fortify Source requires that -O1 or higher is used, but that should be # handled outside of this include file. diff -Nru hardening-wrapper-2.5+nmu1/tests/Makefile.common hardening-wrapper-2.5+nmu2/tests/Makefile.common --- hardening-wrapper-2.5+nmu1/tests/Makefile.common 2012-04-01 01:44:21.000000000 +0200 +++ hardening-wrapper-2.5+nmu2/tests/Makefile.common 2014-09-24 10:20:52.000000000 +0200 @@ -26,7 +26,6 @@ $(BUILD_TREE)/$(NAME)-test-fPIC \ $(BUILD_TREE)/$(NAME)-test-format-security \ $(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-protect \ - $(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-skip \ $(BUILD_TREE)/$(NAME)-test-all.o \ $(BUILD_TREE)/$(NAME)-test-all.a \ $(BUILD_TREE)/$(NAME)-test-none.o \
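Review bot: the hardened-cc hunk (`push(@args,'-fstack-protector-strong');`) and the matching `_HARDENED_STACKPROTECTOR_CFLAGS` change in hardening.make hand the compiler a flag that only GCC 4.9 and later accept, yet the diffstat shows no debian/control change and the changelog entry does not mention a toolchain requirement, so on an older gcc every wrapped compile now fails with an unrecognized-option error where the old `-fstack-protector --param=ssp-buffer-size=4` pair still worked. Suggest bumping the gcc dependency in the same upload, or having hardened-cc probe once whether the compiler accepts `-fstack-protector-strong` and fall back to the old pair when it does not, and recording whichever choice is made in the changelog entry.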
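Review bot: the debian/README.Debian hunk swaps the flag name on the `-fstack-protector-strong (DEB_BUILD_HARDENING_STACKPROTECTOR)` line but leaves the description below it ("adds safety checks against stack overwrites") unchanged, so a reader cannot tell what the switch actually buys. The old `--param ssp-buffer-size=4` setting only instrumented functions containing character arrays of at least 4 bytes; -fstack-protector-strong instruments any function with a local array of any size or type, and any function in which a local variable has its address taken. Suggest adding one sentence to that effect so maintainers who read this file understand why objects that previously had no canary now do.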
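Review bot: the tests/Makefile.common hunk removes `$(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-skip` from the target list, but nothing replaces it, so after this patch the suite no longer checks the one behaviour that is new: the remaining `-test-ssp-buffer-size-protect` target only confirms that a large enough buffer is still protected, and no test asserts that a function with a buffer smaller than 4 bytes, or with an address-taken non-array local, now gets a canary. Suggest turning the skip test into a positive check for one of those cases rather than deleting it, and rewording the changelog line ("since all buffer sizes are protected now") to say what -strong keys on, which is the presence of a local array or an escaping local address rather than buffer size.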
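The practical difference between the two flag sets in the patch is which functions end up with a canary check. The script below is an added example for checking that from the outside; it is not part of the hardening-wrapper package, its test suite, or the patch. It assumes a `gcc` on PATH that accepts -fstack-protector-strong (GCC 4.9 or later), and the probe function, `sink` and `probe`, is a constructed input: an `int` whose address escapes and no character array at all, which the old `-fstack-protector --param ssp-buffer-size=4` pair leaves unprotected while -strong instruments it. The detection is simply whether the emitted assembly references `__stack_chk_fail`.

```sh
#!/bin/sh
# Added example, not from hardening-wrapper or the patch above.
# Compiles a probe function under a given set of SSP flags and reports
# whether gcc emitted a canary check (a reference to __stack_chk_fail).
# Assumes gcc on PATH and a gcc new enough for -fstack-protector-strong.

# Constructed probe: an int local whose address escapes, no char array.
# -fstack-protector with --param ssp-buffer-size=4 only guards functions
# holding character arrays of >= 4 bytes, so it leaves probe() alone;
# -fstack-protector-strong guards any function whose locals have their
# address taken, so it inserts a canary here.
PROBE_SRC='
void sink(int *p);
int probe(void) {
    int n = 0;
    sink(&n);        /* address of a local escapes */
    return n;
}
'

# ssp_status FLAGS...  -> prints "protected", "unprotected" or "skip"
# (skip when no gcc is available, so the script degrades cleanly)
ssp_status() {
    if ! command -v gcc >/dev/null 2>&1; then
        echo skip
        return 0
    fi
    # -S -o - writes assembly to stdout; a canary check always calls
    # __stack_chk_fail (or __stack_chk_fail_local), so grep for that.
    if printf '%s\n' "$PROBE_SRC" \
        | gcc -x c -S -o - "$@" - 2>/dev/null \
        | grep -q '__stack_chk_fail'; then
        echo protected
    else
        echo unprotected
    fi
}

# Old wrapper default, new wrapper default, and explicit off as a baseline.
for flags in "-fstack-protector --param ssp-buffer-size=4" \
             "-fstack-protector-strong" \
             "-fno-stack-protector"; do
    # $flags is intentionally unquoted so it splits into separate arguments
    printf '%-45s %s\n' "$flags" "$(ssp_status $flags)"
done
```

Run it as `sh ssp-probe.sh`; the second line should read `protected` and the third `unprotected`. The first line is the interesting one: with an unpatched gcc it reads `unprotected`, which is exactly the gap the patch closes. Some distributions ship a gcc whose specs enable -fstack-protector-strong unless a stack-protector flag is given explicitly, so if the first line also shows `protected`, check with `gcc -v` what the driver added before drawing conclusions.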