Package: shapelib
Version: 1.2.10-6
Severity: normal
Tags: patch

Dear Maintainer,

The hardening flags are missing because they are ignored by the
build system. For more hardening information please have a look
at [1], [2] and [3].

The attached patches, which are revised versions of the existing
patches in debian/rules/patches, fix the issue.

CPPFLAGS, CFLAGS and LDFLAGS were missing in a few places. The
flag fixes (CPPFLAGS, CFLAGS for compiler commands; CFLAGS,
LDFLAGS for linker commands) should be sent to upstream if
possible.

To check whether all flags were correctly enabled, you can use
`hardening-check` from the hardening-includes package and also check
the build log (for example with blhc [4]), since hardening-check
doesn't catch everything:

    $ hardening-check /usr/bin/shptest /usr/bin/shprewind /usr/bin/shpdump ...
    /usr/bin/shptest:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/shprewind:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/shpdump:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} +` on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
From: Riku Voipio <riku.voi...@iki.fi>
Date: Tue, 4 Nov 2008 14:46:56 +0200
Subject: [PATCH] Properly use libtool

The problem is that shapelib throws away a seemingly good libtool-linked
library and replaces it with something hacked together almost right.

Bug-Debian: http://bugs.debian.org/497160
---
 Makefile |   32 +++++---------------------------
 1 files changed, 5 insertions(+), 27 deletions(-)

Index: shapelib-1.2.10/Makefile
===================================================================
--- shapelib-1.2.10.orig/Makefile	2012-05-11 11:23:01.000000000 +0200
+++ shapelib-1.2.10/Makefile	2012-05-11 11:23:05.000000000 +0200
@@ -99,37 +99,15 @@
 LIBSHP_VERSION=1.0.1 # still once to be changed manually (see for 1:1:0), sorry
 
 lib:
-	/bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. -I. -I/usr/local/include    -g -O2 -c shpopen.c
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c  -fPIC -DPIC shpopen.c -o .libs/shpopen.lo
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shpopen.c -o shpopen.o >/dev/null 2>&1
-	mv -f .libs/shpopen.lo shpopen.lo
-	/bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. -I. -I/usr/local/include    -g -O2 -c shptree.c
-	rm -f .libs/shptree.lo
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c  -fPIC -DPIC shptree.c -o .libs/shptree.lo
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shptree.c -o shptree.o >/dev/null 2>&1
-	mv -f .libs/shptree.lo shptree.lo
-	/bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. -I. -I/usr/local/include    -g -O2 -c dbfopen.c
-	rm -f .libs/dbfopen.lo
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c  -fPIC -DPIC dbfopen.c -o .libs/dbfopen.lo
-	gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c dbfopen.c -o dbfopen.o >/dev/null 2>&1
-	mv -f .libs/dbfopen.lo dbfopen.lo
-	/bin/sh ./libtool --mode=link gcc  -g -O2  -o libshp.la -rpath /usr/local/lib -version-info 1:1:0 shpopen.lo shptree.lo dbfopen.lo  
-	rm -fr .libs/libshp.la .libs/libshp.* .libs/libshp.*
-	rm -fr .libs/libshp.lax
-	mkdir .libs/libshp.lax
-	/usr/bin/ld -G -h libshp.so.1 -o .libs/libshp.so.$(LIBSHP_VERSION)  shpopen.lo shptree.lo dbfopen.lo  -lc
-
-	(cd .libs && rm -f libshp.so.1 && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so.1)
-	(cd .libs && rm -f libshp.so && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so)
-	ar cru .libs/libshp.a  shpopen.o shptree.o dbfopen.o 
-	ranlib .libs/libshp.a
-	rm -fr .libs/libshp.lax
-	(cd .libs && rm -f libshp.la && ln -s ../libshp.la libshp.la)
+	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c shpopen.c
+	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c shptree.c
+	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c dbfopen.c
+	libtool --mode=link gcc $(CFLAGS) $(LDFLAGS) -o libshp.la -rpath /usr/lib -version-info 1:1:0 shpopen.lo shptree.lo dbfopen.lo
 
 lib_install:
 	cp .libs/libshp.la .libs/libshp.lai
 	/bin/sh ./mkinstalldirs /usr/local/lib
-	/bin/sh ./libtool  --mode=install /usr/bin/install -c libshp.la /usr/local/lib/libshp.la
+	libtool  --mode=install /usr/bin/install -c libshp.la /usr/local/lib/libshp.la
 	/usr/bin/install -c .libs/libshp.so.$(LIBSHP_VERSION) /usr/local/lib/libshp.so.$(LIBSHP_VERSION)
 	(cd /usr/local/lib && rm -f libshp.so.1 && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so.1)
 	(cd /usr/local/lib && rm -f libshp.so && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so)
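Review bot: The four new recipe lines (the `libtool --mode=compile` and `--mode=link` lines) hard-code `gcc` where the program rules in this Makefile use `$(CC)`, so a `CC` override (cross or wrapper compiler) is silently ignored for the library even though the hardening flags now flow through `$(CPPFLAGS)`/`$(CFLAGS)`/`$(LDFLAGS)`; e.g. `libtool --mode=compile $(CC) -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c shpopen.c` and `libtool --mode=link $(CC) $(CFLAGS) $(LDFLAGS) -o libshp.la -rpath /usr/lib -version-info 1:1:0 shpopen.lo shptree.lo dbfopen.lo`. The link line also changes `-rpath` to `/usr/lib` while `lib_install` in the context below still installs into `/usr/local/lib`, so libtool will presumably have to relink at install time against a path it was not told about; either keep both consistent or derive both from one `libdir` variable. Replacing `/bin/sh ./libtool` with bare `libtool` looks intentional (use the distribution's libtool instead of the bundled script), but that choice deserves a comment above the rule such as `# intentionally use the system libtool, not the bundled ./libtool script`.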
From: Arto Jantunen <vi...@debian.org>
Date: Tue, 8 May 2012 14:19:20 +0300
Subject: [PATCH] Dynamically link the shp* binaries to libshp

Also use CPPFLAGS and LDFLAGS, necessary for hardening flags.

---
 Makefile |   55 ++++++++++++++++++++++++-------------------------------
 1 files changed, 24 insertions(+), 31 deletions(-)

Index: shapelib-1.2.10/Makefile
===================================================================
--- shapelib-1.2.10.orig/Makefile	2012-05-11 11:23:05.000000000 +0200
+++ shapelib-1.2.10/Makefile	2012-05-11 11:23:09.000000000 +0200
@@ -6,45 +6,36 @@
 
 all:	shpcreate shpadd shpdump shprewind dbfcreate dbfadd dbfdump shptest
 
-shpopen.o:	shpopen.c shapefil.h
-	$(CC) $(CFLAGS) -c shpopen.c
+shpcreate:	shpcreate.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpcreate.c $(LINKOPT) -o shpcreate .libs/libshp.so
 
-shptree.o:	shptree.c shapefil.h
-	$(CC) $(CFLAGS) -c shptree.c
+shpadd:		shpadd.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpadd.c $(LINKOPT) -o shpadd .libs/libshp.so
 
-dbfopen.o:	dbfopen.c shapefil.h
-	$(CC) $(CFLAGS) -c dbfopen.c
+shpdump:	shpdump.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpdump.c $(LINKOPT) -o shpdump .libs/libshp.so
 
-shpcreate:	shpcreate.c shpopen.o
-	$(CC) $(CFLAGS) shpcreate.c shpopen.o $(LINKOPT) -o shpcreate
+shprewind:	shprewind.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shprewind.c $(LINKOPT) -o shprewind .libs/libshp.so
 
-shpadd:		shpadd.c shpopen.o
-	$(CC) $(CFLAGS) shpadd.c shpopen.o $(LINKOPT) -o shpadd
+dbfcreate:	dbfcreate.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfcreate.c $(LINKOPT) -o dbfcreate .libs/libshp.so
 
-shpdump:	shpdump.c shpopen.o
-	$(CC) $(CFLAGS) shpdump.c shpopen.o $(LINKOPT) -o shpdump
+dbfadd:		dbfadd.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfadd.c $(LINKOPT) -o dbfadd .libs/libshp.so
 
-shprewind:	shprewind.c shpopen.o
-	$(CC) $(CFLAGS) shprewind.c shpopen.o $(LINKOPT) -o shprewind
+dbfdump:	dbfdump.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfdump.c $(LINKOPT) -o dbfdump .libs/libshp.so
 
-dbfcreate:	dbfcreate.c dbfopen.o
-	$(CC) $(CFLAGS) dbfcreate.c dbfopen.o $(LINKOPT) -o dbfcreate
+shptest:	shptest.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shptest.c $(LINKOPT) -o shptest .libs/libshp.so
 
-dbfadd:		dbfadd.c dbfopen.o
-	$(CC) $(CFLAGS) dbfadd.c dbfopen.o $(LINKOPT) -o dbfadd
+shputils:	shputils.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shputils.c $(LINKOPT) -o shputils .libs/libshp.so
 
-dbfdump:	dbfdump.c dbfopen.o
-	$(CC) $(CFLAGS) dbfdump.c dbfopen.o $(LINKOPT) -o dbfdump
-
-shptest:	shptest.c shpopen.o
-	$(CC) $(CFLAGS) shptest.c shpopen.o $(LINKOPT) -o shptest
-
-shputils:	shputils.c shpopen.o dbfopen.o
-	$(CC) $(CFLAGS) shputils.c shpopen.o dbfopen.o $(LINKOPT) -o shputils
-
-shptreedump:	shptreedump.c shptree.o shpopen.o
-	$(CC) $(CFLAGS) shptreedump.c shptree.o shpopen.o $(LINKOPT) \
-		-o shptreedump
+shptreedump:	shptreedump.c .libs/libshp.so
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shptreedump.c $(LINKOPT) \
+		-o shptreedump .libs/libshp.so
 
 clean:
 	rm -f *.o dbfdump dbfcreate dbfadd shpdump shpcreate shpadd shputils
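Review bot: The new program rules no longer depend on `shapefil.h`: the removed object rules listed it as a prerequisite, but `shpcreate: shpcreate.c .libs/libshp.so` and its siblings name only the `.c` file and the library, so a header change (assuming the tool sources include it, as the old rules implied) leaves binaries that `make` considers up to date. The ten recipes are identical apart from the program name, which invites exactly this kind of drift; a static pattern rule over a program list expresses the link command once and keeps the header dependency. `clean` at the end of the hunk still removes `*.o`, which this layout no longer produces, while its recipe continues outside the hunk, so I cannot tell whether `.libs`, `*.lo` and `*.la` are removed.
```make
PROGS = shpcreate shpadd shpdump shprewind dbfcreate dbfadd dbfdump shptest shputils shptreedump

# … unchanged: all: target …

$(PROGS): %: %.c shapefil.h .libs/libshp.so
	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $< $(LINKOPT) -o $@ .libs/libshp.so

# … unchanged: clean: target …
```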
@@ -98,7 +89,9 @@
 SHPLIB_VERSION=1.2.9
 LIBSHP_VERSION=1.0.1 # still once to be changed manually (see for 1:1:0), sorry
 
-lib:
+lib: .libs/libshp.so
+
+.libs/libshp.so:
 	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c shpopen.c
 	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c shptree.c
 	libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1  -I. $(CPPFLAGS) $(CFLAGS) -c dbfopen.c
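Review bot: `.libs/libshp.so:` (the new rule at the end of the hunk) declares no prerequisites, so once the file exists make treats it as up to date forever: edits to `shpopen.c`, `shptree.c`, `dbfopen.c` or `shapefil.h` are never rebuilt into the library, and because the program rules now link against this path they quietly pick up the stale copy. Listing the inputs fixes that: `.libs/libshp.so: shpopen.c shptree.c dbfopen.c shapefil.h`. `lib` has become a pure alias with no recipe, so it should also be declared phony (`.PHONY: lib`) so that a stray file named `lib` cannot mask it. The recipe's libtool link line, which is what actually creates `$@`, lies outside the hunk, so I cannot confirm from here that it still produces `.libs/libshp.so` rather than only `libshp.la`.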
