[Pkg-allegro-maintainers] Bug#658965: Please enable hardened build flags

Simon Ruderich simon at ruderich.org
Sun Apr 8 23:31:08 UTC 2012


reopen 658965
thanks

Dear Maintainer,

The hardening LDFLAGS are missing from the built libraries because
debian/rules never passes the LDFLAGS from dpkg-buildflags to the two
$(CC) link commands that produce libdumb.so and libaldmb.so.

The following patch fixes the issue.

diff -u libdumb-0.9.3/debian/rules libdumb-0.9.3/debian/rules
--- libdumb-0.9.3/debian/rules
+++ libdumb-0.9.3/debian/rules
@@ -4,6 +4,9 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+CFLAGS  := $(shell dpkg-buildflags --get CFLAGS)
+LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)
+
 # Compilation options
 export CONFIG_FLAGS="--prefix=/usr"
 
@@ -36,9 +39,9 @@
 	$(MAKE) lib/unix/libdumb.a CFLAGS_EXTRA=-fPIC
 	$(MAKE) lib/unix/libaldmb.a CFLAGS_EXTRA=-fPIC
 
-	$(CC) -Wl,-soname,libdumb.so.1 -shared `sed -ne '/^CORE_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libdumb1/usr/lib/libdumb.so.1.0.0 -lm -lc
+	$(CC) $(CFLAGS) $(LDFLAGS) -Wl,-soname,libdumb.so.1 -shared `sed -ne '/^CORE_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libdumb1/usr/lib/libdumb.so.1.0.0 -lm -lc
 	ln -s libdumb.so.1.0.0 debian/libdumb1/usr/lib/libdumb.so
-	$(CC) -Wl,-soname,libaldmb.so.1 -shared `sed -ne '/^ALLEGRO_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libaldmb1/usr/lib/libaldmb.so.1.0.0 -Ldebian/libdumb1/usr/lib/ -ldumb `allegro-config --libs` -lm -lc
+	$(CC) $(CFLAGS) $(LDFLAGS) -Wl,-soname,libaldmb.so.1 -shared `sed -ne '/^ALLEGRO_MODULES :=/,/c$$/p' < Makefile | sed -e 's,\\\\,,' -e 's,.*/\\(.*\\)\\.c,obj/unix/release/\\1.o,' | tail -n +2` -o debian/libaldmb1/usr/lib/libaldmb.so.1.0.0 -Ldebian/libdumb1/usr/lib/ -ldumb `allegro-config --libs` -lm -lc
 	rm -f debian/libdumb1/usr/lib/libdumb.so
 
 	touch build-stamp
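Review bot: The flags are added only to the two `$(CC) ... -shared` link commands, while the objects they link come from the `$(MAKE) ... CFLAGS_EXTRA=-fPIC` calls two lines above, which still pass nothing but -fPIC; stack protector and FORTIFY are compile-time options, so at link time `$(CFLAGS)` adds little beyond what `$(LDFLAGS)` provides. The hardening-check output below does show stack protection and fortified functions in libdumb.so.1.0.0, so the compile flags appear to reach the upstream Makefile some other way (presumably from the environment dpkg-buildpackage exports) — worth confirming in the build log, since `Stack protected: no, not found!` for libaldmb.so.1.0.0 could mean they miss some objects, or simply that nothing in that library qualified. To make debian/rules self-sufficient, hand them to the upstream build explicitly, e.g. `$(MAKE) lib/unix/libdumb.a CFLAGS_EXTRA="-fPIC $(CFLAGS)"` and `$(MAKE) lib/unix/libaldmb.a CFLAGS_EXTRA="-fPIC $(CFLAGS)"`, assuming the upstream Makefile appends CFLAGS_EXTRA to its compile line, which is not visible here. The build rule these lines belong to starts before the hunk.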

To check whether the flags actually took effect, run `hardening-check`
(from the hardening-includes package) on the built libraries and also
inspect the compiler and linker invocations in the build log —
hardening-check cannot detect every flag (for example it reports
Fortify as "unknown" when an object uses no protectable libc functions):

    $ hardening-check /usr/lib/libdumb.so.1.0.0 /usr/lib/libaldmb.so.1.0.0
    /usr/lib/libdumb.so.1.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib/libaldmb.so.1.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: no, not found!
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: yes
     Immediate binding: no not found!

Regards,
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9