Hi, it looks like this patch is applicable to upstream unbound. I'm planning on applying the attached patch to our 1.4.17 package.
----- Forwarded message from Simon Ruderich <[email protected]> ----- Date: Tue, 24 Apr 2012 12:01:19 +0200 From: Simon Ruderich <[email protected]> To: Debian Bug Tracking System <[email protected]> Cc: [email protected] Subject: Bug#658021: Please enable hardened build flags Reply-To: Simon Ruderich <[email protected]>, [email protected] reopen 658021 thanks Dear Maintainer, The CPPFLAGS hardening flags were not enabled because the build system overwrites them in the configure phase. For more hardening information please have a look at [1], [2] and [3]. The following patch fixes the issue, if possible it should be sent to upstream to fix their build system. --- unbound-1.4.16.orig/acx_python.m4 +++ unbound-1.4.16/acx_python.m4 
@@ -164,8 +164,11 @@ $ac_distutils_result]) AC_MSG_CHECKING([consistency of all components of python development environment]) AC_LANG_PUSH([C]) # save current global flags - LIBS="$ac_save_LIBS $PYTHON_LDFLAGS" - CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS" + ac_save_LIBS="$LIBS" + ac_save_CPPFLAGS="$CPPFLAGS" + + LIBS="$PYTHON_LDFLAGS" + CPPFLAGS="$PYTHON_CPPFLAGS" AC_TRY_LINK([ #include <Python.h> ],[ To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything): $ hardening-check /usr/sbin/unbound-checkconf /usr/sbin/unbound-control /usr/sbin/unbound ... /usr/sbin/unbound-checkconf: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/sbin/unbound-control: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/sbin/unbound: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! ... (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening [4]: http://ruderich.org/simon/blhc/ -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9 ----- End forwarded message ----- -- Robert Edmonds [email protected]
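Review bot: after this hunk the consistency probe links with `LIBS="$PYTHON_LDFLAGS"` and `CPPFLAGS="$PYTHON_CPPFLAGS"` alone, so the caller's global LIBS/CPPFLAGS (the hardening flags this bug report is about) no longer reach the AC_TRY_LINK test, whereas the removed lines did append the Python flags to the saved globals. Consider `LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"` and `CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"` after the two new save lines, so the probe sees the same flags as the real build. The hunk also does not show where `ac_save_LIBS` and `ac_save_CPPFLAGS` are restored after AC_TRY_LINK; the user's flags are only preserved if that restore exists further down in the macro, which is worth confirming before applying.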
>From 1209b494bd529e4cfa494dc47af3200756da7123 Mon Sep 17 00:00:00 2001 From: "Robert S. Edmonds" <[email protected]> Date: Thu, 24 May 2012 13:51:09 -0400 Subject: [PATCH] acx_python.m4: fix LIBS, CPPFLAGS overwrite issue --- acx_python.m4 | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/acx_python.m4 b/acx_python.m4 index 6fa925a..cb908da 100644 --- a/acx_python.m4 +++ b/acx_python.m4 @@ -164,8 +164,11 @@ $ac_distutils_result]) AC_MSG_CHECKING([consistency of all components of python development environment]) AC_LANG_PUSH([C]) # save current global flags - LIBS="$ac_save_LIBS $PYTHON_LDFLAGS" - CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS" + ac_save_LIBS="$LIBS" + ac_save_CPPFLAGS="$CPPFLAGS" + + LIBS="$PYTHON_LDFLAGS" + CPPFLAGS="$PYTHON_CPPFLAGS" AC_TRY_LINK([ #include <Python.h> ],[ -- 1.7.10
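Review bot: the commit message has no body; the summary "fix LIBS, CPPFLAGS overwrite issue" does not record that the removed lines referenced `$ac_save_LIBS` and `$ac_save_CPPFLAGS` before any line had saved the current values into them, which is why the caller's CPPFLAGS were lost, nor does it carry the Debian bug reference (#658021) from the forwarded mail. Add a body stating both so an upstream reader of the history knows why the save now precedes the assignment.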
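The hardening-check pass Simon describes in the forwarded mail lends itself to a small gate that fails a build when a binary lacks a required protection. The script below is an added example, not code from this thread, from unbound or from the Debian hardening tooling; the report text is constructed to mirror the quoted hardening-check output, with the "Stack protected" line of one binary altered to "no" so that the gate has something to catch, and the function names hardening_missing and hardening_gate are our own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): summarise hardening-check
# output and list the binaries that lack a given protection.  The report
# below is constructed in the format hardening-check prints; the
# "Stack protected: no" line for /usr/sbin/unbound is a deliberate variation
# so that the gate below has a finding to report.
SAMPLE_REPORT='/usr/sbin/unbound-checkconf:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/sbin/unbound-control:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/sbin/unbound:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!'

# hardening_missing PROPERTY
# Reads a hardening-check report on stdin and prints the path of every
# binary whose PROPERTY line reports "no".  A report consists of a line
# "path:" followed by indented " Property: value" lines.
hardening_missing() {
    awk -v prop="$1" '
        /^\// { bin = $0; sub(/:$/, "", bin); next }
        index($0, prop ":") == 2 {
            # " Property: value" -> value begins after the leading space,
            # the property name, the colon and one more space
            value = substr($0, length(prop) + 4)
            if (value ~ /^no/) print bin
        }'
}

# hardening_gate PROPERTY...
# Reads a report on stdin, prints every binary missing any of the named
# properties and returns 1 if there was at least one finding, 0 otherwise.
hardening_gate() {
    report=$(cat)
    status=0
    for prop in "$@"; do
        failed=$(printf '%s\n' "$report" | hardening_missing "$prop")
        if [ -n "$failed" ]; then
            printf 'missing "%s":\n%s\n' "$prop" "$failed"
            status=1
        fi
    done
    return $status
}

# Stand-alone usage: gate on the three protections the mail says Debian's
# default hardening flags are expected to enable (PIE and immediate binding
# are left out because the mail notes they are not on by default).
if printf '%s\n' "$SAMPLE_REPORT" |
    hardening_gate "Stack protected" "Fortify Source functions" "Read-only relocations"
then
    echo "all binaries pass"
else
    echo "hardening gate failed"
fi
```

On a real build tree, feed the gate with the output of the find command Simon gives, e.g. `find . -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + | hardening_gate "Stack protected" "Fortify Source functions" "Read-only relocations"`, and run it before the package is considered done; hardening-check itself does not set a failing exit status per property, which is what the wrapper adds.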
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
