Hi Robert,
On 05/27/2012 10:20 PM, Robert Edmonds wrote:
> hi,
>
> it looks like this patch is applicable to upstream unbound. i'm
> planning on applying the attached patch to our 1.4.17 package.

Thanks for the patch, applied to svn trunk for the next unbound release.

Be aware, I changed the patch because I think it has to read:

    LIBS="$LIBS $PYTHON_LDFLAGS"
    CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"

On the LIBS= and CPPFLAGS= lines. Because as the patch is now it removes the normal buildflags for the python compilecheck, which would fail on platforms where compilation will not succeed without those flags, and that would fail the python compilecheck.

Best regards,
Wouter

> ----- Forwarded message from Simon Ruderich <[email protected]> -----
>
> Date: Tue, 24 Apr 2012 12:01:19 +0200
> From: Simon Ruderich <[email protected]>
> To: Debian Bug Tracking System <[email protected]>
> Cc: [email protected]
> Subject: Bug#658021: Please enable hardened build flags
> Reply-To: Simon Ruderich <[email protected]>, [email protected]
>
> reopen 658021
> thanks
>
> Dear Maintainer,
>
> The CPPFLAGS hardening flags were not enabled because the build
> system overwrites them in the configure phase. For more hardening
> information please have a look at [1], [2] and [3].
>
> The following patch fixes the issue, if possible it should be sent
> to upstream to fix their build system.
>
> --- unbound-1.4.16.orig/acx_python.m4 +++ > unbound-1.4.16/acx_python.m4 
@@ -164,8 +164,11 @@ > $ac_distutils_result]) AC_MSG_CHECKING([consistency of all > components of python development environment]) AC_LANG_PUSH([C]) # > save current global flags - LIBS="$ac_save_LIBS > $PYTHON_LDFLAGS" - CPPFLAGS="$ac_save_CPPFLAGS > $PYTHON_CPPFLAGS" + ac_save_LIBS="$LIBS" + > ac_save_CPPFLAGS="$CPPFLAGS" + + LIBS="$PYTHON_LDFLAGS" + > CPPFLAGS="$PYTHON_CPPFLAGS" AC_TRY_LINK([ #include <Python.h> ],[
>
> To check if all flags were correctly enabled you can use
> `hardening-check` from the hardening-includes package and check the
> build log (for example with blhc [4]) (hardening-check doesn't
> catch everything):
>
>     $ hardening-check /usr/sbin/unbound-checkconf /usr/sbin/unbound-control /usr/sbin/unbound
>     ...
>     /usr/sbin/unbound-checkconf:
>      Position Independent Executable: no, normal executable!
>      Stack protected: yes
>      Fortify Source functions: yes (some protected functions found)
>      Read-only relocations: yes
>      Immediate binding: no not found!
>     /usr/sbin/unbound-control:
>      Position Independent Executable: no, normal executable!
>      Stack protected: yes
>      Fortify Source functions: yes (some protected functions found)
>      Read-only relocations: yes
>      Immediate binding: no not found!
>     /usr/sbin/unbound:
>      Position Independent Executable: no, normal executable!
>      Stack protected: yes
>      Fortify Source functions: yes (some protected functions found)
>      Read-only relocations: yes
>      Immediate binding: no not found!
>     ...
>
> (Position Independent Executable and Immediate binding is not
> enabled by default.)
>
> Use find -type f \( -executable -o -name \*.so\* \) -exec
> hardening-check {} + on the build result to check all files.
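Review bot: the two added assignments `LIBS="$PYTHON_LDFLAGS"` and `CPPFLAGS="$PYTHON_CPPFLAGS"` replace the global flags instead of extending them, so the AC_TRY_LINK check that follows is compiled and linked without any LIBS or CPPFLAGS that were set before the macro ran. On a platform that needs those flags to compile at all, the consistency check would fail for a reason unrelated to Python. Appending instead, as in `LIBS="$LIBS $PYTHON_LDFLAGS"` and `CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"`, keeps the pre-existing flags in effect during the check while still saving them first. The restore from `ac_save_LIBS` and `ac_save_CPPFLAGS` is outside the visible context, so it is worth confirming that both variables are restored after the check.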
>
> Regards,
> Simon
>
> [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
> [2]: https://wiki.debian.org/HardeningWalkthrough
> [3]: https://wiki.debian.org/Hardening
> [4]: http://ruderich.org/simon/blhc/
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
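The flag handling discussed in this thread, as an added shell example that is not part of the original mail or the unbound source: it traces CPPFLAGS through the Python check for the pre-patch lines, the patch from the bug report, and the form applied to svn trunk. The sample flag values, the names `flag_flow` and `has_user_flag`, the restore from `ac_save_CPPFLAGS` after the check, and `ac_save_CPPFLAGS` being unassigned before the hunk are assumptions.

```shell
#!/bin/sh
# Added illustration (not the unbound source): models how CPPFLAGS moves
# through the Python consistency check under three versions of the macro.
# Assumptions: ac_save_CPPFLAGS is not assigned before the hunk, and once
# the check is done the macro restores CPPFLAGS from ac_save_CPPFLAGS;
# neither is visible in the hunk quoted in the mail.

USER_CPPFLAGS="-D_FORTIFY_SOURCE=2"          # constructed: flag set by the packager
PYTHON_CPPFLAGS="-I/usr/include/python2.7"   # constructed sample value

# flag_flow VARIANT -> prints "<CPPFLAGS during check>|<CPPFLAGS after restore>"
flag_flow() {
    CPPFLAGS="$USER_CPPFLAGS"
    ac_save_CPPFLAGS=""     # models the never-assigned variable (expands empty)
    case "$1" in
        original)   # reads ac_save_CPPFLAGS before anything stored into it
            CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS" ;;
        debian)     # patch from the bug report: save, then replace
            ac_save_CPPFLAGS="$CPPFLAGS"
            CPPFLAGS="$PYTHON_CPPFLAGS" ;;
        upstream)   # form applied to svn trunk: save, then append
            ac_save_CPPFLAGS="$CPPFLAGS"
            CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS" ;;
        *)  echo "unknown variant: $1" >&2; return 2 ;;
    esac
    during="$CPPFLAGS"
    CPPFLAGS="$ac_save_CPPFLAGS"             # assumed restore step
    printf '%s|%s\n' "$during" "$CPPFLAGS"
}

# has_user_flag STRING -> succeeds if the packager's flag is present in STRING
has_user_flag() {
    case " $1 " in *" $USER_CPPFLAGS "*) return 0 ;; *) return 1 ;; esac
}

# Summarise, per variant, whether the hardening flag is in effect while the
# check runs and whether it is still there for the rest of configure.
for v in original debian upstream; do
    flow=$(flag_flow "$v")
    has_user_flag "${flow%%|*}" && d=kept || d=lost
    has_user_flag "${flow#*|}"  && a=kept || a=lost
    printf '%-9s during check: %-4s  after check: %s\n' "$v" "$d" "$a"
done
```

Only the appended form keeps the packager's flag both while the check runs and afterwards; the replace form recovers it only once the check is over.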
