Package: shapelib Version: 1.2.10-6 Severity: normal Tags: patch Dear Maintainer,
The hardening flags are missing because they are ignored by the build system. For more hardening information please have a look at [1], [2] and [3]. The attached patches, which are revised versions of the existing patches in debian/rules/patches, fix the issue. CPPFLAGS, CFLAGS and LDFLAGS were missing in a few places. The flag fixes (CPPFLAGS, CFLAGS for compiler commands; CFLAGS, LDFLAGS for linker commands) should be sent to upstream if possible. To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check inspects only the final binaries and doesn't catch everything, which is why the build log should be checked as well): $ hardening-check /usr/bin/shptest /usr/bin/shprewind /usr/bin/shpdump ... /usr/bin/shptest: Position Independent Executable: no, normal executable! Stack protected: no, not found! Fortify Source functions: yes Read-only relocations: yes Immediate binding: no not found! /usr/bin/shprewind: Position Independent Executable: no, normal executable! Stack protected: no, not found! Fortify Source functions: yes Read-only relocations: yes Immediate binding: no not found! /usr/bin/shpdump: Position Independent Executable: no, normal executable! Stack protected: no, not found! Fortify Source functions: yes Read-only relocations: yes Immediate binding: no not found! ... (Position Independent Executable and Immediate binding are not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening [4]: http://ruderich.org/simon/blhc/ -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
From: Riku Voipio <riku.voi...@iki.fi> Date: Tue, 4 Nov 2008 14:46:56 +0200 Subject: [PATCH] Properly use libtool The problem is that shapelib throws away a seemingly good libtool-linked library and replaces it with something hacked together by hand that is only almost right. Bug-Debian: http://bugs.debian.org/497160 --- Makefile | 32 +++++--------------------------- 1 files changed, 5 insertions(+), 27 deletions(-) Index: shapelib-1.2.10/Makefile =================================================================== --- shapelib-1.2.10.orig/Makefile 2012-05-11 11:23:01.000000000 +0200 +++ shapelib-1.2.10/Makefile 2012-05-11 11:23:05.000000000 +0200 
@@ -99,37 +99,15 @@ LIBSHP_VERSION=1.0.1 # still once to be changed manually (see for 1:1:0), sorry lib: - /bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shpopen.c - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c -fPIC -DPIC shpopen.c -o .libs/shpopen.lo - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shpopen.c -o shpopen.o >/dev/null 2>&1 - mv -f .libs/shpopen.lo shpopen.lo - /bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shptree.c - rm -f .libs/shptree.lo - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c -fPIC -DPIC shptree.c -o .libs/shptree.lo - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c shptree.c -o shptree.o >/dev/null 2>&1 - mv -f .libs/shptree.lo shptree.lo - /bin/sh ./libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c dbfopen.c - rm -f .libs/dbfopen.lo - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. -I/usr/local/include -g -O2 -c -fPIC -DPIC dbfopen.c -o .libs/dbfopen.lo - gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. -I. 
-I/usr/local/include -g -O2 -c dbfopen.c -o dbfopen.o >/dev/null 2>&1 - mv -f .libs/dbfopen.lo dbfopen.lo - /bin/sh ./libtool --mode=link gcc -g -O2 -o libshp.la -rpath /usr/local/lib -version-info 1:1:0 shpopen.lo shptree.lo dbfopen.lo - rm -fr .libs/libshp.la .libs/libshp.* .libs/libshp.* - rm -fr .libs/libshp.lax - mkdir .libs/libshp.lax - /usr/bin/ld -G -h libshp.so.1 -o .libs/libshp.so.$(LIBSHP_VERSION) shpopen.lo shptree.lo dbfopen.lo -lc - - (cd .libs && rm -f libshp.so.1 && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so.1) - (cd .libs && rm -f libshp.so && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so) - ar cru .libs/libshp.a shpopen.o shptree.o dbfopen.o - ranlib .libs/libshp.a - rm -fr .libs/libshp.lax - (cd .libs && rm -f libshp.la && ln -s ../libshp.la libshp.la) + libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c shpopen.c + libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c shptree.c + libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c dbfopen.c + libtool --mode=link gcc $(CFLAGS) $(LDFLAGS) -o libshp.la -rpath /usr/lib -version-info 1:1:0 shpopen.lo shptree.lo dbfopen.lo lib_install: cp .libs/libshp.la .libs/libshp.lai /bin/sh ./mkinstalldirs /usr/local/lib - /bin/sh ./libtool --mode=install /usr/bin/install -c libshp.la /usr/local/lib/libshp.la + libtool --mode=install /usr/bin/install -c libshp.la /usr/local/lib/libshp.la /usr/bin/install -c .libs/libshp.so.$(LIBSHP_VERSION) /usr/local/lib/libshp.so.$(LIBSHP_VERSION) (cd /usr/local/lib && rm -f libshp.so.1 && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so.1) (cd /usr/local/lib && rm -f libshp.so && ln -s libshp.so.$(LIBSHP_VERSION) libshp.so)
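Review bot: The four new compile and link lines hard-code `gcc` where the rest of this Makefile invokes `$(CC)` (the removed `$(CC) $(CFLAGS)` rules in the second patch show the convention), so a `CC` override from the environment or the packaging reaches the shp* front-ends but never libshp itself; replace `gcc` with `$(CC)` on each of them, e.g. `libtool --mode=link $(CC) $(CFLAGS) $(LDFLAGS) -o libshp.la -rpath /usr/lib -version-info 1:1:0 shpopen.lo shptree.lo dbfopen.lo`. The same link line changes libtool's `-rpath` to `/usr/lib` while the `lib_install` rule a few lines below still installs into `/usr/local/lib`; libtool normally refuses to `--mode=install` a .la into a directory other than its `-rpath`, so unless debian/rules bypasses `lib_install`, the two should agree or the prefix should become one variable used by both. Dropping `/bin/sh ./libtool` for the `libtool` found on PATH is presumably intentional (using the system libtool), but it makes libtool a build dependency the packaging must declare.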
From: Arto Jantunen <vi...@debian.org> Date: Tue, 8 May 2012 14:19:20 +0300 Subject: [PATCH] Dynamically link the shp* binaries to libshp Also use CPPFLAGS and LDFLAGS, necessary for hardening flags. --- Makefile | 55 ++++++++++++++++++++++++------------------------------- 1 files changed, 24 insertions(+), 31 deletions(-) Index: shapelib-1.2.10/Makefile =================================================================== --- shapelib-1.2.10.orig/Makefile 2012-05-11 11:23:05.000000000 +0200 +++ shapelib-1.2.10/Makefile 2012-05-11 11:23:09.000000000 +0200 
@@ -6,45 +6,36 @@ all: shpcreate shpadd shpdump shprewind dbfcreate dbfadd dbfdump shptest -shpopen.o: shpopen.c shapefil.h - $(CC) $(CFLAGS) -c shpopen.c +shpcreate: shpcreate.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpcreate.c $(LINKOPT) -o shpcreate .libs/libshp.so -shptree.o: shptree.c shapefil.h - $(CC) $(CFLAGS) -c shptree.c +shpadd: shpadd.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpadd.c $(LINKOPT) -o shpadd .libs/libshp.so -dbfopen.o: dbfopen.c shapefil.h - $(CC) $(CFLAGS) -c dbfopen.c +shpdump: shpdump.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shpdump.c $(LINKOPT) -o shpdump .libs/libshp.so -shpcreate: shpcreate.c shpopen.o - $(CC) $(CFLAGS) shpcreate.c shpopen.o $(LINKOPT) -o shpcreate +shprewind: shprewind.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shprewind.c $(LINKOPT) -o shprewind .libs/libshp.so -shpadd: shpadd.c shpopen.o - $(CC) $(CFLAGS) shpadd.c shpopen.o $(LINKOPT) -o shpadd +dbfcreate: dbfcreate.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfcreate.c $(LINKOPT) -o dbfcreate .libs/libshp.so -shpdump: shpdump.c shpopen.o - $(CC) $(CFLAGS) shpdump.c shpopen.o $(LINKOPT) -o shpdump +dbfadd: dbfadd.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfadd.c $(LINKOPT) -o dbfadd .libs/libshp.so -shprewind: shprewind.c shpopen.o - $(CC) $(CFLAGS) shprewind.c shpopen.o $(LINKOPT) -o shprewind +dbfdump: dbfdump.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) dbfdump.c $(LINKOPT) -o dbfdump .libs/libshp.so -dbfcreate: dbfcreate.c dbfopen.o - $(CC) $(CFLAGS) dbfcreate.c dbfopen.o $(LINKOPT) -o dbfcreate +shptest: shptest.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shptest.c $(LINKOPT) -o shptest .libs/libshp.so -dbfadd: dbfadd.c dbfopen.o - $(CC) $(CFLAGS) dbfadd.c dbfopen.o $(LINKOPT) -o dbfadd +shputils: shputils.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shputils.c $(LINKOPT) -o shputils .libs/libshp.so -dbfdump: 
dbfdump.c dbfopen.o - $(CC) $(CFLAGS) dbfdump.c dbfopen.o $(LINKOPT) -o dbfdump - -shptest: shptest.c shpopen.o - $(CC) $(CFLAGS) shptest.c shpopen.o $(LINKOPT) -o shptest - -shputils: shputils.c shpopen.o dbfopen.o - $(CC) $(CFLAGS) shputils.c shpopen.o dbfopen.o $(LINKOPT) -o shputils - -shptreedump: shptreedump.c shptree.o shpopen.o - $(CC) $(CFLAGS) shptreedump.c shptree.o shpopen.o $(LINKOPT) \ - -o shptreedump +shptreedump: shptreedump.c .libs/libshp.so + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) shptreedump.c $(LINKOPT) \ + -o shptreedump .libs/libshp.so clean: rm -f *.o dbfdump dbfcreate dbfadd shpdump shpcreate shpadd shputils @@ -98,7 +89,9 @@ SHPLIB_VERSION=1.2.9 LIBSHP_VERSION=1.0.1 # still once to be changed manually (see for 1:1:0), sorry -lib: +lib: .libs/libshp.so + +.libs/libshp.so: libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c shpopen.c libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c shptree.c libtool --mode=compile gcc -DPACKAGE=\"libshp\" -DVERSION=\"$(SHPLIB_VERSION)\" -DSTDC_HEADERS=1 -I. $(CPPFLAGS) $(CFLAGS) -c dbfopen.c
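Review bot: The new per-binary rules drop the `shapefil.h` prerequisite that the removed object rules carried (`shpopen.o: shpopen.c shapefil.h`), so editing the header no longer rebuilds any of the front-ends; add it back next to the library, e.g. `shpcreate: shpcreate.c shapefil.h .libs/libshp.so`. Since all ten rules are otherwise identical, one pattern rule would also keep them from drifting: `%: %.c shapefil.h .libs/libshp.so` with the recipe `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $< $(LINKOPT) -o $@ .libs/libshp.so` (note `shputils` and `shptreedump` remain absent from `all:`). Linking `.libs/libshp.so` by path presumably records only its SONAME in the binaries, so running the freshly built tools in-tree would need the loader pointed at `.libs` (e.g. via LD_LIBRARY_PATH) — worth confirming if any build-time test is run.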
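Review bot: `.libs/libshp.so:` is declared with no prerequisites, so once the file exists it is never rebuilt — changes to `shpopen.c`, `shptree.c`, `dbfopen.c` or `shapefil.h` are ignored, and a stale `.libs/libshp.so` left from an earlier build (the visible `clean:` line removes only `*.o` and the binaries, though its recipe may continue past the hunk) would be linked into the shp* tools as-is, without the hardening flags this report is about; list the sources: `.libs/libshp.so: shpopen.c shptree.c dbfopen.c shapefil.h`. The recipe runs past the end of the hunk and, judging by the first patch, also produces `libshp.la` and the `.lo` files, so `lib` is now a plain alias and should be declared `.PHONY: lib` so a file of that name cannot mask it.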