[pkg-firebird-general] Bug#654793: Bug#654793: Hardening flags not fully enabled
marius adrian popa
mapopa at gmail.com
Fri Jan 6 15:45:16 UTC 2012
On Thu, Jan 5, 2012 at 10:46 PM, Moritz Muehlenhoff <jmm at debian.org> wrote:
> Source: firebird2.5
> Severity: important
>
> Hi,
> I'm currently checking all packages, which had a DSA in the last
> year to enable hardened build flags. firebird2.5 has already been
> updated to use dpkg-buildflags, but I noticed that not all flags
> are fully in effect. You can use the hardening-check scripts from
> the package hardening includes:
>
> Out of the three hardening features from the Wheezy default set
> (protected stack, fortified source and relro) not all are fully
> applied, e.g.
>
> root at pisco:~# hardening-check /usr/sbin/fb_inet_server
> /usr/sbin/fb_inet_server:
> Stack protected: no, not found!
> Fortify Source functions: unknown, no protectable libc functions used
> Read-only relocations: yes
>
> root at pisco:~# hardening-check /usr/bin/fbsvcmgr
> /usr/bin/fbsvcmgr:
> Stack protected: yes
> Fortify Source functions: no, no protected functions found!
> Read-only relocations: yes
>
> root at pisco:~# hardening-check /usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2
> /usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2:
> Stack protected: yes
> Fortify Source functions: no, no protected functions found!
> Read-only relocations: yes
>
> The reason is likely that some parts of Firebird build system hardcode
> specific flags, which nullify the hardened build flags?
Weird that firebird2.5-superclassic in ubuntu lucid shows
hardening-check /usr/sbin/fb_smp_server
/usr/sbin/fb_smp_server
/usr/sbin/fb_smp_server:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no, not found!
hardening-check /usr/bin/fbsvcmgr
/usr/bin/fbsvcmgr:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no, not found!
And is build from Damyan repository
filename: pool/main/f/firebird2.5/firebird2.5-superclassic_2.5.1.26351.ds4-2~bpo60+1ubuntu3_amd64.deb
http://jimicompot.blogspot.com/2011/11/rebuilding-firebird-251-from-stable-to.html
I will try to rebuild from testing also see what's happenning on
another sid machine
More information about the pkg-firebird-general
mailing list