Your message dated Sat, 19 May 2012 15:27:55 +0200 with message-id <201205191528.31688.panfa...@gmail.com> and subject line Closing some hardening flags bugs has caused the Debian Bug report #663523, regarding libktorrent: CPPFLAGS hardening flags missing to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 663523: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663523 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: libktorrent Version: 1.2.0-1 Severity: important Tags: patch -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Dear Maintainer, The CPPFLAGS hardening flags are missing because CMake ignores them by default. The following patch fixes the issue by adding them to CFLAGS/CXXFLAGS. For more hardening information please have a look at [1], [2] and [3]. diff -Nru libktorrent-1.2.0/debian/rules libktorrent-1.2.0/debian/rules --- libktorrent-1.2.0/debian/rules 2011-05-02 23:12:44.000000000 +0200 +++ libktorrent-1.2.0/debian/rules 2012-03-11 23:44:10.000000000 +0100 @@ -1,5 +1,10 @@ #!/usr/bin/make -f +# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the +# missing (hardening) flags. +export DEB_CFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS) +export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS) + override_dh_auto_configure: dh_auto_configure -Skde -- -DCMAKE_USE_RELATIVE_PATHS=ON To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything): $ hardening-check /usr/lib/libktorrent.so.4.0.0 /usr/lib/libktorrent.so.4.0.0: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening - -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJPXTaQAAoJEJL+/bfkTDL5d5IP/09N2Ibo/lrPwj0QQEfy8hlC X1SkqxazAYVBzyG8i4cWPvGZPEJZ1b5V6FwITODyZv8J2/bPbCIaR9LRBmGpAhCm oLxtu0l8jacTkjGvIjsl/2UBFXNt91Mx1qK3nCfAbTala+RCJWQ2mBM92hff79mj OmSWT+zzeAJljJx9EvqmxENe+vg+dYJIaowMb2K8+JGcn59a4TzuLmchx2bXkD13 SD9k9igwGuVDgXzKU4K/3qIo05FJbZxTuSntXErL+/jW3M3z1Ghq22HeyJRe3Oc9 SyqcPxvzIMJ7lOYJd0ziqb7DYcXNV1WOj5V6MROlh2q4+MV2S9lbuoSfcNYEESxh b1PZjNSXQpBqPHJV+1hBgOix7vuK8SZiq2NYDcKWub6iY5GfB6OJjT2ocruBKVY+ C0+9wb6DvlktQjpbHLSdFtzSYlNPM+sVkii9/pcXuc//dtZkalBfwOihqhzLZiut xJn6108wzBAHNOBKMljsjQTLKhIMCvz56s9gf7yqSIcM1hsHXtt3Ldk9BvMNxgci HbCDeYm+KblaqXKsMig2neA/qLZO2WuT7aro2vpsjpaR8v/QJ7XV25+nAARD/dpo siL65IZWP8LQNatQPddGJGm2CHtza48aOxed2KYCPTQEiRpW30XVATJNlCgunRWK amte7huJVGp/e53igW2u =kH2u -----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---I'm closing these bugs because the involved packages are using the dh sequencer addon for kde. While cmake still doesn't respect CPPFLAGS, a workaround was added to the mentioned addon, so if you build any of the packages involved it will include the hardening flags. At least one of the involved packages (amarok) was built before the workaround mentioned above was done. Therefore if you think it's really important to get any of them built with the hardening flags feel free to request a binNMU.signature.asc
Description: This is a digitally signed message part.
--- End Message ---
_______________________________________________ pkg-kde-extras mailing list pkg-kde-extras@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras