[Pkg-allegro-maintainers] Bug#658965: Please enable hardened build flags
Simon Ruderich
simon at ruderich.org
Sun Apr 8 23:31:08 UTC 2012
reopen 658965
thanks
Dear Maintainer,
The LDFLAGS hardening flags are missing because they are not set
in debian/rules.
The following patch fixes the issue.
diff -u libdumb-0.9.3/debian/rules libdumb-0.9.3/debian/rules
--- libdumb-0.9.3/debian/rules
+++ libdumb-0.9.3/debian/rules
@@ -4,6 +4,9 @@
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
+CFLAGS := $(shell dpkg-buildflags --get CFLAGS)
+LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)
+
# Compilation options
export CONFIG_FLAGS="--prefix=/usr"
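Review bot: CPPFLAGS is not fetched next to CFLAGS and LDFLAGS in the added lines. dpkg-buildflags reports -D_FORTIFY_SOURCE=2 under CPPFLAGS, not CFLAGS, so a rules file that takes only these two variables does not pass the fortify define anywhere unless another part of the file already does. Suggest adding CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS) and using it wherever $(CFLAGS) is used. The assignments are also not exported, so they reach only the commands that name them explicitly.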
@@ -36,9 +39,9 @@
$(MAKE) lib/unix/libdumb.a CFLAGS_EXTRA=-fPIC
$(MAKE) lib/unix/libaldmb.a CFLAGS_EXTRA=-fPIC
- $(CC) -Wl,-soname,libdumb.so.1 -shared `sed -ne '/^CORE_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libdumb1/usr/lib/libdumb.so.1.0.0 -lm -lc
+ $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-soname,libdumb.so.1 -shared `sed -ne '/^CORE_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libdumb1/usr/lib/libdumb.so.1.0.0 -lm -lc
ln -s libdumb.so.1.0.0 debian/libdumb1/usr/lib/libdumb.so
- $(CC) -Wl,-soname,libaldmb.so.1 -shared `sed -ne '/^ALLEGRO_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libaldmb1/usr/lib/libaldmb.so.1.0.0 -Ldebian/libdumb1/usr/lib/ -ldumb `allegro-config --libs` -lm -lc
+ $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-soname,libaldmb.so.1 -shared `sed -ne '/^ALLEGRO_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libaldmb1/usr/lib/libaldmb.so.1.0.0 -Ldebian/libdumb1/usr/lib/ -ldumb `allegro-config --libs` -lm -lc
rm -f debian/libdumb1/usr/lib/libdumb.so
touch build-stamp
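Review bot: the two $(MAKE) lines at the top of this hunk still pass only CFLAGS_EXTRA=-fPIC, so the objects that the changed $(CC) lines link are compiled without the new variables unless the upstream Makefile picks them up some other way. Adding $(CFLAGS) to a -shared link line over prebuilt .o files does not recompile them, so compile-time options such as the stack protector have to go into the compile step, for example CFLAGS_EXTRA="-fPIC $(CFLAGS)", assuming the upstream Makefile appends CFLAGS_EXTRA to its compile command. $(LDFLAGS) on the link lines is the right place for the linker flags.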
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/lib/libdumb.so.1.0.0 /usr/lib/libaldmb.so.1.0.0
/usr/lib/libdumb.so.1.0.0:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/libaldmb.so.1.0.0:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
Regards,
Simon
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
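
The mail above recommends checking the build log as well as running hardening-check. The following is an added example, not part of the original mail or of the package: a small scan of a build log for compiler lines that lack the default dpkg-buildflags hardening flags. The function names and the log excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail. All log lines are constructed.

# Constructed build-log excerpt: one hardened compile, one unhardened
# compile, an ar call, one link with relro and one link without.
sample_log() {
cat <<'EOF'
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -fPIC -c src/core/a.c -o obj/unix/release/a.o
gcc -O2 -fPIC -c src/core/b.c -o obj/unix/release/b.o
ar rs lib/unix/libdumb.a obj/unix/release/a.o obj/unix/release/b.o
cc -g -O2 -fstack-protector -Wl,-z,relro -Wl,-soname,libdumb.so.1 -shared obj/unix/release/a.o -o libdumb.so.1.0.0 -lm -lc
cc -Wl,-soname,libaldmb.so.1 -shared obj/unix/release/c.o -o libaldmb.so.1.0.0 -lm -lc
EOF
}

# check_build_log: read a build log on stdin and print "LINE: problem" for
# every compiler invocation that lacks a default hardening flag.
check_build_log() {
    awk '
    # Only compiler driver lines: cc, gcc, or a cross prefix ending in -gcc.
    $1 !~ /^(cc|gcc)$/ && $1 !~ /-gcc$/ { next }
    {
        # A "-c" argument marks a compile step; anything else is a link.
        compile = 0
        for (i = 2; i <= NF; i++) if ($i == "-c") compile = 1
        if (compile) {
            # Stack protector comes from CFLAGS, the fortify define from CPPFLAGS.
            if (!index($0, "-fstack-protector"))
                print NR ": compile without -fstack-protector"
            if (!index($0, "-D_FORTIFY_SOURCE=2"))
                print NR ": compile without -D_FORTIFY_SOURCE=2"
        } else {
            # Read-only relocations come from LDFLAGS.
            if (!index($0, "-Wl,-z,relro"))
                print NR ": link without -Wl,-z,relro"
        }
    }'
}

# Run the scan on the constructed excerpt.
sample_log | check_build_log
```

To scan a real log, feed it on stdin, for example `check_build_log < build.log`, where `build.log` is a placeholder name.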