[pkg-firebird-general] Bug#654793: Hardening flags not fully enabled

Moritz Muehlenhoff jmm at debian.org
Thu Jan 5 20:46:12 UTC 2012


Source: firebird2.5
Severity: important

Hi,
I'm currently checking all packages, which had a DSA in the last
year to enable hardened build flags. firebird2.5 has already been
updated to use dpkg-buildflags, but I noticed that not all flags
are fully in effect. You can use the hardening-check scripts from
the package hardening includes:

Out of the three hardening features from the Wheezy default set
(protected stack, fortified source and relro) not all are fully
applied, e.g.

root at pisco:~# hardening-check /usr/sbin/fb_inet_server
/usr/sbin/fb_inet_server:
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes

root at pisco:~# hardening-check /usr/bin/fbsvcmgr
/usr/bin/fbsvcmgr:
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: yes

root at pisco:~# hardening-check /usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2
/usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2:
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: yes

The reason is likely that some parts of Firebird build system hardcode
specific flags, which nullify the hardened build flags?

Cheers,
        Moritz





More information about the pkg-firebird-general mailing list