Your message dated Sat, 19 May 2012 15:27:55 +0200
with message-id <201205191528.31688.panfa...@gmail.com>
and subject line Closing some hardening flags bugs
has caused the Debian Bug report #663523,
regarding libktorrent: CPPFLAGS hardening flags missing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
663523: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663523
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libktorrent
Version: 1.2.0-1
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
The CPPFLAGS hardening flags are missing because CMake ignores
them by default.
The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].
diff -Nru libktorrent-1.2.0/debian/rules libktorrent-1.2.0/debian/rules
--- libktorrent-1.2.0/debian/rules 2011-05-02 23:12:44.000000000 +0200
+++ libktorrent-1.2.0/debian/rules 2012-03-11 23:44:10.000000000 +0100
@@ -1,5 +1,10 @@
#!/usr/bin/make -f
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
override_dh_auto_configure:
dh_auto_configure -Skde -- -DCMAKE_USE_RELATIVE_PATHS=ON
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/lib/libktorrent.so.4.0.0
/usr/lib/libktorrent.so.4.0.0:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPXTaQAAoJEJL+/bfkTDL5d5IP/09N2Ibo/lrPwj0QQEfy8hlC
X1SkqxazAYVBzyG8i4cWPvGZPEJZ1b5V6FwITODyZv8J2/bPbCIaR9LRBmGpAhCm
oLxtu0l8jacTkjGvIjsl/2UBFXNt91Mx1qK3nCfAbTala+RCJWQ2mBM92hff79mj
OmSWT+zzeAJljJx9EvqmxENe+vg+dYJIaowMb2K8+JGcn59a4TzuLmchx2bXkD13
SD9k9igwGuVDgXzKU4K/3qIo05FJbZxTuSntXErL+/jW3M3z1Ghq22HeyJRe3Oc9
SyqcPxvzIMJ7lOYJd0ziqb7DYcXNV1WOj5V6MROlh2q4+MV2S9lbuoSfcNYEESxh
b1PZjNSXQpBqPHJV+1hBgOix7vuK8SZiq2NYDcKWub6iY5GfB6OJjT2ocruBKVY+
C0+9wb6DvlktQjpbHLSdFtzSYlNPM+sVkii9/pcXuc//dtZkalBfwOihqhzLZiut
xJn6108wzBAHNOBKMljsjQTLKhIMCvz56s9gf7yqSIcM1hsHXtt3Ldk9BvMNxgci
HbCDeYm+KblaqXKsMig2neA/qLZO2WuT7aro2vpsjpaR8v/QJ7XV25+nAARD/dpo
siL65IZWP8LQNatQPddGJGm2CHtza48aOxed2KYCPTQEiRpW30XVATJNlCgunRWK
amte7huJVGp/e53igW2u
=kH2u
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
I'm closing these bugs because the involved packages are using the dh
sequencer addon for kde. While cmake still doesn't respect CPPFLAGS, a
workaround was added to the mentioned addon, so if you build any of the
packages involved it will include the hardening flags.
At least one of the involved packages (amarok) was built before the workaround
mentioned above was done. Therefore if you think it's really important to get
any of them built with the hardening flags feel free to request a binNMU.
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
_______________________________________________
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras
