Bug#656862: Please enabled hardened build flags
reopen 656862 j...@inutil.org tags 656862 - patch thanks Hi Moritz I know this was a long time ago but your suggested patch actually caused a serious crash described in #827031. I have reverted this correction now. Do you happen to remember if you tested the build after the test build? Thanks // Ola On Fri, Apr 6, 2012 at 9:14 PM, Moritz Mühlenhoffwrote: > On Wed, Jan 25, 2012 at 09:02:15PM +0100, Ola Lundqvist wrote: >> Thanks a lot! That you made a test compile is much appriciated. >> Not all people who submit patches actually do so. :-) > > What's the status? Do you plan an upload in the next weeks or > shall I upload a NMU? I'd like to get this fixed for Wheezy. > > Cheers, >Moritz > -- --- Inguza Technology AB --- MSc in Information Technology / o...@inguza.comFolkebogatan 26\ | o...@debian.org 654 68 KARLSTAD| | http://inguza.com/Mobile: +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / ---
Bug#656862: Please enabled hardened build flags
Hi Moritz I'm sorry for not replying on this one. I had missed this mail. If you want to do an NMU you are welcome to do so. // Ola On Fri, Apr 06, 2012 at 09:14:13PM +0200, Moritz Mühlenhoff wrote: On Wed, Jan 25, 2012 at 09:02:15PM +0100, Ola Lundqvist wrote: Thanks a lot! That you made a test compile is much appriciated. Not all people who submit patches actually do so. :-) What's the status? Do you plan an upload in the next weeks or shall I upload a NMU? I'd like to get this fixed for Wheezy. Cheers, Moritz -- - Ola Lundqvist --- / o...@debian.org Annebergsslingan 37 \ | o...@inguza.com 654 65 KARLSTAD | | http://inguza.com/ +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / --- -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#656862: Please enabled hardened build flags
On Wed, Jan 25, 2012 at 09:02:15PM +0100, Ola Lundqvist wrote: Thanks a lot! That you made a test compile is much appriciated. Not all people who submit patches actually do so. :-) What's the status? Do you plan an upload in the next weeks or shall I upload a NMU? I'd like to get this fixed for Wheezy. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#656862: Please enabled hardened build flags
Thanks a lot! That you made a test compile is much appriciated. Not all people who submit patches actually do so. :-) // Ola On Tue, Jan 24, 2012 at 08:05:46PM +0100, Moritz Muehlenhoff wrote: On Tue, Jan 24, 2012 at 07:14:45AM +0100, Ola Lundqvist wrote: Thanks a lot for the information. Just a question about the patch. Do you know that the package builds after this? Yes. I made a test-compile of course. You can check, whether the hardening options have been properly applied using the hardening-check tool from the hardening-includes binary package. Cheers, Moritz -- --- Inguza Technology AB --- MSc in Information Technology / o...@inguza.comAnnebergsslingan 37\ | o...@debian.org 654 65 KARLSTAD| | http://inguza.com/Mobile: +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / --- -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#656862: Please enabled hardened build flags
On Tue, Jan 24, 2012 at 07:14:45AM +0100, Ola Lundqvist wrote: Thanks a lot for the information. Just a question about the patch. Do you know that the package builds after this? Yes. I made a test-compile of course. You can check, whether the hardening options have been properly applied using the hardening-check tool from the hardening-includes binary package. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#656862: Please enabled hardened build flags
On Mon, Jan 23, 2012 at 08:28:10AM +0100, Ola Lundqvist wrote: Hi Moritz Thanks for the report and patch. Just to check, what is the purpose of this? I have not followed recent discussions so I may need a pointer. :-) dpkg-buildflags is a new approach to configure a uniform set of default compiler/preprocessor/linker flags: http://lists.debian.org/debian-devel-announce/2011/09/msg1.html The default flags also enable security hardening features in the toolchain. This is important as it spots security issues and mitigates /nullifies the impact of security vulnerabilities. More information can be found in the wiki: http://wiki.debian.org/Hardening If you have additional questions, please get back to me. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#656862: Please enabled hardened build flags
Thanks a lot for the information. Just a question about the patch. Do you know that the package builds after this? // Ola On Mon, Jan 23, 2012 at 06:18:51PM +0100, Moritz Muehlenhoff wrote: On Mon, Jan 23, 2012 at 08:28:10AM +0100, Ola Lundqvist wrote: Hi Moritz Thanks for the report and patch. Just to check, what is the purpose of this? I have not followed recent discussions so I may need a pointer. :-) dpkg-buildflags is a new approach to configure a uniform set of default compiler/preprocessor/linker flags: http://lists.debian.org/debian-devel-announce/2011/09/msg1.html The default flags also enable security hardening features in the toolchain. This is important as it spots security issues and mitigates /nullifies the impact of security vulnerabilities. More information can be found in the wiki: http://wiki.debian.org/Hardening If you have additional questions, please get back to me. Cheers, Moritz -- - Ola Lundqvist --- / o...@debian.org Annebergsslingan 37 \ | o...@inguza.com 654 65 KARLSTAD | | http://inguza.com/ +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / --- -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#656862: Please enabled hardened build flags
Source: vnc4 Severity: important Tags: patch Please enabled hardened build flags through dpkg-buildflags. Patch attached. (dpkg-buildflags abides noopt from DEB_BUILD_OPTIONS) Cheers, Moritz diff -aur vnc4-4.1.1+X4.3.0.harden/debian/rules vnc4-4.1.1+X4.3.0/debian/rules --- vnc4-4.1.1+X4.3.0.harden/debian/rules 2012-01-21 18:54:33.0 +0100 +++ vnc4-4.1.1+X4.3.0/debian/rules 2012-01-21 18:56:29.0 +0100 @@ -16,24 +16,19 @@ # This has to be exported to make some magic below work. export DH_OPTIONS - - -CFLAGS = -Wall -g -CXXFLAGS = -Wall -g - -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 - CXXFLAGS += -O0 -else - CFLAGS += -O2 -endif +CFLAGS = `dpkg-buildflags --get CFLAGS` +CFLAGS += -Wall +CXXFLAGS = `dpkg-buildflags --get CXXFLAGS` +CXXFLAGS += -Wall +LDFLAGS = `dpkg-buildflags --get LDFLAGS` +CPPFLAGS = `dpkg-buildflags --get CPPFLAGS` configure: configure-unix-stamp configure-common-stamp configure-common-stamp: dh_testdir # Add here commands to configure the package. - (cd common; CFLAGS=$(CFLAGS) CXXFLAGS=$(CXXFLAGS) ./configure \ + (cd common; CFLAGS=$(CFLAGS) CXXFLAGS=$(CXXFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) ./configure \ --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \ --prefix=/usr --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info \ @@ -43,7 +38,7 @@ configure-unix-stamp: dh_testdir # Add here commands to configure the package. - (cd unix; CFLAGS=$(CFLAGS) CXXFLAGS=$(CXXFLAGS) ./configure \ + (cd unix; CFLAGS=$(CFLAGS) CXXFLAGS=$(CXXFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) ./configure \ --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \ --prefix=/usr --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info \ Nur in vnc4-4.1.1+X4.3.0/debian: rules~.
Bug#656862: Please enabled hardened build flags
Hi Moritz Thanks for the report and patch. Just to check, what is the purpose of this? I have not followed recent discussions so I may need a pointer. :-) // Ola On Sun, Jan 22, 2012 at 03:13:26PM +0100, Moritz Muehlenhoff wrote: Source: vnc4 Severity: important Tags: patch Please enabled hardened build flags through dpkg-buildflags. Patch attached. (dpkg-buildflags abides noopt from DEB_BUILD_OPTIONS) Cheers, Moritz diff -aur vnc4-4.1.1+X4.3.0.harden/debian/rules vnc4-4.1.1+X4.3.0/debian/rules --- vnc4-4.1.1+X4.3.0.harden/debian/rules 2012-01-21 18:54:33.0 +0100 +++ vnc4-4.1.1+X4.3.0/debian/rules2012-01-21 18:56:29.0 +0100 @@ -16,24 +16,19 @@ # This has to be exported to make some magic below work. export DH_OPTIONS - - -CFLAGS = -Wall -g -CXXFLAGS = -Wall -g - -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 - CXXFLAGS += -O0 -else - CFLAGS += -O2 -endif +CFLAGS = `dpkg-buildflags --get CFLAGS` +CFLAGS += -Wall +CXXFLAGS = `dpkg-buildflags --get CXXFLAGS` +CXXFLAGS += -Wall +LDFLAGS = `dpkg-buildflags --get LDFLAGS` +CPPFLAGS = `dpkg-buildflags --get CPPFLAGS` configure: configure-unix-stamp configure-common-stamp configure-common-stamp: dh_testdir # Add here commands to configure the package. - (cd common; CFLAGS=$(CFLAGS) CXXFLAGS=$(CXXFLAGS) ./configure \ + (cd common; CFLAGS=$(CFLAGS) CXXFLAGS=$(CXXFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) ./configure \ --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \ --prefix=/usr --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info \ @@ -43,7 +38,7 @@ configure-unix-stamp: dh_testdir # Add here commands to configure the package. - (cd unix; CFLAGS=$(CFLAGS) CXXFLAGS=$(CXXFLAGS) ./configure \ + (cd unix; CFLAGS=$(CFLAGS) CXXFLAGS=$(CXXFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) ./configure \ --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \ --prefix=/usr --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info \ Nur in vnc4-4.1.1+X4.3.0/debian: rules~. -- - Ola Lundqvist --- / o...@debian.org Annebergsslingan 37 \ | o...@inguza.com 654 65 KARLSTAD | | http://inguza.com/ +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / --- -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org