[Pkg-kde-extras] Bug#663524: marked as done (ktorrent: CPPFLAGS hardening flags missing)
Your message dated Tue, 05 Nov 2013 21:19:45 +
with message-id e1vdo2l-0005km...@franck.debian.org
and subject line Bug#663524: fixed in ktorrent 4.3.1-2
has caused the Debian Bug report #663524,
regarding ktorrent: CPPFLAGS hardening flags missing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
663524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: ktorrent
Version: 4.2.0-1
Severity: important
Tags: patch
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Dear Maintainer,
The CPPFLAGS hardening flags are missing because CMake ignores
them by default.
The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].
diff -Nru ktorrent-4.2.0/debian/rules ktorrent-4.2.0/debian/rules
--- ktorrent-4.2.0/debian/rules 2012-03-10 22:04:39.0 +0100
+++ ktorrent-4.2.0/debian/rules 2012-03-12 00:36:29.0 +0100
@@ -1,5 +1,10 @@
#!/usr/bin/make -f
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
#DEB_KDE_LINK_WITH_AS_NEEDED := yes
override_dh_auto_configure:
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/ktupnptest /usr/bin/ktorrent
/usr/bin/ktmagnetdownloader ...
/usr/bin/ktupnptest:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/bin/ktorrent:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/bin/ktmagnetdownloader:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
...
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPXTeIAAoJEJL+/bfkTDL58U4P/jy8Unvmsn3OivuICxI5H6P1
2z6llYfn3NsG9Jsd4IA574rzlced6/XU6RURJwXv+diXyZBnPNoW1aMj9P6tkO/V
mp7KfZxkWaY9S/KklR+Lw/smP+VlaxK14VBNJQoas7LucxAHQHT2OHFk+zHPQu3Y
NFB3/qJ6EoauQiaEqTbNXJi2luFTXeqFeWV7WB9r7kFawUA4kT+pcf+HlKFZZ4WG
QXekKzNsoEEf3IhBd+EOC0Q4JZmASvAhqtasoZmw71KnVypP50m+9/cbKNIloP+Y
4IdGXsuqaMEnLKaLM0+UIsZoKLklO6awEvmDpgefzoI/ttHO2iKiwp4ns9XaZwt5
01gFQCsXM+iXgC4wjMQ7JkY/ZfMDDxYuS4q21AoPp0+La9ow690KKQmL3EV3yyUI
HyFHKVIaUfSRl59LgP4w88mSwZMmjY5DAYc1LT0g9hxJlmzQVOtXttaP05zEFKIx
JVuOcM6fdewwGkss361pyRa1ox9VUS6Sy7x3yej3d3E02j181xz0A3fJq2wIcnRi
wOtkr4E6NslQqTFyTE9QNFSTBHgfvTHkWmXYriJnryGDctolxSKBFhbCE2iglxM/
BIwbBgoAMBIGWCsalSw6LDsenDS11FA/tWN6qhUTg4xzryWm1C5tzSxh8pYNuVOC
WOohdkjSf4IYK6vo/cnt
=cbfg
-END PGP SIGNATURE-
---End Message---
---BeginMessage---
Source: ktorrent
Source-Version: 4.3.1-2
We believe that the bug you reported is fixed in the latest version of
ktorrent, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 663...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Modestas Vainius mo...@debian.org (supplier of updated ktorrent package)
(This
[Pkg-kde-extras] Bug#663524: marked as done (ktorrent: CPPFLAGS hardening flags missing)
Your message dated Sat, 19 May 2012 15:27:55 +0200
with message-id 201205191528.31688.panfa...@gmail.com
and subject line Closing some hardening flags bugs
has caused the Debian Bug report #663524,
regarding ktorrent: CPPFLAGS hardening flags missing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
663524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: ktorrent
Version: 4.2.0-1
Severity: important
Tags: patch
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Dear Maintainer,
The CPPFLAGS hardening flags are missing because CMake ignores
them by default.
The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].
diff -Nru ktorrent-4.2.0/debian/rules ktorrent-4.2.0/debian/rules
--- ktorrent-4.2.0/debian/rules 2012-03-10 22:04:39.0 +0100
+++ ktorrent-4.2.0/debian/rules 2012-03-12 00:36:29.0 +0100
@@ -1,5 +1,10 @@
#!/usr/bin/make -f
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
#DEB_KDE_LINK_WITH_AS_NEEDED := yes
override_dh_auto_configure:
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/bin/ktupnptest /usr/bin/ktorrent
/usr/bin/ktmagnetdownloader ...
/usr/bin/ktupnptest:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/bin/ktorrent:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/bin/ktmagnetdownloader:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
...
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPXTeIAAoJEJL+/bfkTDL58U4P/jy8Unvmsn3OivuICxI5H6P1
2z6llYfn3NsG9Jsd4IA574rzlced6/XU6RURJwXv+diXyZBnPNoW1aMj9P6tkO/V
mp7KfZxkWaY9S/KklR+Lw/smP+VlaxK14VBNJQoas7LucxAHQHT2OHFk+zHPQu3Y
NFB3/qJ6EoauQiaEqTbNXJi2luFTXeqFeWV7WB9r7kFawUA4kT+pcf+HlKFZZ4WG
QXekKzNsoEEf3IhBd+EOC0Q4JZmASvAhqtasoZmw71KnVypP50m+9/cbKNIloP+Y
4IdGXsuqaMEnLKaLM0+UIsZoKLklO6awEvmDpgefzoI/ttHO2iKiwp4ns9XaZwt5
01gFQCsXM+iXgC4wjMQ7JkY/ZfMDDxYuS4q21AoPp0+La9ow690KKQmL3EV3yyUI
HyFHKVIaUfSRl59LgP4w88mSwZMmjY5DAYc1LT0g9hxJlmzQVOtXttaP05zEFKIx
JVuOcM6fdewwGkss361pyRa1ox9VUS6Sy7x3yej3d3E02j181xz0A3fJq2wIcnRi
wOtkr4E6NslQqTFyTE9QNFSTBHgfvTHkWmXYriJnryGDctolxSKBFhbCE2iglxM/
BIwbBgoAMBIGWCsalSw6LDsenDS11FA/tWN6qhUTg4xzryWm1C5tzSxh8pYNuVOC
WOohdkjSf4IYK6vo/cnt
=cbfg
-END PGP SIGNATURE-
---End Message---
---BeginMessage---
I'm closing these bugs because the involved packages are using the dh
sequencer addon for kde. While cmake still doesn't respect CPPFLAGS, a
workaround was added to the mentioned addon, so if you build any of the
packages involved it will include the hardening flags.
At least one of the involved packages (amarok) was built before the workaround
mentioned above was done. Therefore if you think it's really important to get
any of them built with the hardening flags feel free to request a binNMU.
signature.asc
Description: This is a digitally signed message part.
---End
