[pkg-firebird-general] Bug#654793: Hardening flags not fully enabled
Moritz Muehlenhoff
jmm at debian.org
Thu Jan 5 20:46:12 UTC 2012
Source: firebird2.5
Severity: important
Hi,
I'm currently checking all packages which had a DSA in the last
year, to enable hardened build flags. firebird2.5 has already been
updated to use dpkg-buildflags, but I noticed that not all flags
are fully in effect. You can use the hardening-check scripts from
the package hardening-includes:
Out of the three hardening features from the Wheezy default set
(protected stack, fortified source and relro) not all are fully
applied, e.g.
root@pisco:~# hardening-check /usr/sbin/fb_inet_server
/usr/sbin/fb_inet_server:
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
root@pisco:~# hardening-check /usr/bin/fbsvcmgr
/usr/bin/fbsvcmgr:
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: yes
root@pisco:~# hardening-check /usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2
/usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2:
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: yes
The reason is likely that some parts of the Firebird build system hardcode
specific flags, which nullify the hardened build flags?
Cheers,
Moritz
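
The following is an added example, not part of the original message or of the Firebird packaging: a small parser that turns hardening-check output in the format quoted above into a per-binary list of features reported as "no", so the result can gate a package build. The function names and the embedded sample (constructed from the output quoted in the report) are assumptions of this example.

```python
import re
import sys

# Constructed sample, copied from the hardening-check output quoted in the report.
SAMPLE = """\
root@pisco:~# hardening-check /usr/sbin/fb_inet_server
/usr/sbin/fb_inet_server:
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
/usr/bin/fbsvcmgr:
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: yes
/usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2:
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: yes
"""

# "<feature>: yes|no|unknown[, detail]"
FEATURE_LINE = re.compile(r"^\s*([^:]+):\s*(yes|no|unknown)\b(?:,\s*(.*))?$")


def parse_hardening_check(text):
    """Return {binary_path: {feature: (status, detail)}}."""
    results, current = {}, None
    for line in text.splitlines():
        m = FEATURE_LINE.match(line)
        if m and current is not None:
            results[current][m.group(1).strip()] = (m.group(2), m.group(3) or "")
        elif line.rstrip().endswith(":"):
            # A line that is only "<path>:" starts the block for a new binary.
            current = line.strip()[:-1]
            results[current] = {}
        # Anything else (shell prompts, blank lines) is ignored.
    return results


def missing_features(results):
    """List (binary, feature, detail) for each feature reported as 'no'.
    'unknown' is not counted: the tool itself could not decide."""
    return [(path, feat, detail)
            for path, feats in results.items()
            for feat, (status, detail) in feats.items()
            if status == "no"]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    failures = missing_features(parse_hardening_check(text))
    for path, feat, detail in failures:
        print(f"{path}: {feat}: {detail}")
    sys.exit(1 if failures else 0)
```
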