[pkg-firebird-general] Bug#654793: Bug#654793: Hardening flags not fully enabled

marius adrian popa mapopa at gmail.com
Fri Jan 6 15:45:16 UTC 2012


On Thu, Jan 5, 2012 at 10:46 PM, Moritz Muehlenhoff <jmm at debian.org> wrote:
> Source: firebird2.5
> Severity: important
>
> Hi,
> I'm currently checking all packages, which had a DSA in the last
> year to enable hardened build flags. firebird2.5 has already been
> updated to use dpkg-buildflags, but I noticed that not all flags
> are fully in effect. You can use the hardening-check scripts from
> the package hardening includes:
>
> Out of the three hardening features from the Wheezy default set
> (protected stack, fortified source and relro) not all are fully
> applied, e.g.
>
> root@pisco:~# hardening-check /usr/sbin/fb_inet_server
> /usr/sbin/fb_inet_server:
>  Stack protected: no, not found!
>  Fortify Source functions: unknown, no protectable libc functions used
>  Read-only relocations: yes
>
> root@pisco:~# hardening-check /usr/bin/fbsvcmgr
> /usr/bin/fbsvcmgr:
>  Stack protected: yes
>  Fortify Source functions: no, no protected functions found!
>  Read-only relocations: yes
>
> root@pisco:~# hardening-check /usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2
> /usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2:
>  Stack protected: yes
>  Fortify Source functions: no, no protected functions found!
>  Read-only relocations: yes
>
> The reason is likely that some parts of Firebird build system hardcode
> specific flags, which nullify the hardened build flags?

Weird that firebird2.5-superclassic in Ubuntu Lucid shows
hardening-check /usr/sbin/fb_smp_server
/usr/sbin/fb_smp_server
/usr/sbin/fb_smp_server:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no, not found!

hardening-check /usr/bin/fbsvcmgr
/usr/bin/fbsvcmgr:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no, not found!

And it is built from Damyan's repository

filename: pool/main/f/firebird2.5/firebird2.5-superclassic_2.5.1.26351.ds4-2~bpo60+1ubuntu3_amd64.deb
http://jimicompot.blogspot.com/2011/11/rebuilding-firebird-251-from-stable-to.html


I will try to rebuild from testing and also see what's happening on
another sid machine
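
A gate on the three features the report names, as an added example that is not part of the original message: it parses hardening-check output like that quoted above and lists only missing Wheezy-default features, ignoring the PIE and immediate-binding lines. The function names and the choice to treat "unknown" as a pass are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Gates only on the three Wheezy default
# features named in the report; PIE and immediate binding are not checked.
# Reads hardening-check output on stdin and prints "binary<TAB>feature" for
# each required feature reported as "no". Exit status is 1 if any were found.
hardening_failures() {
    awk '
        BEGIN {
            n = split("Stack protected|Fortify Source functions|Read-only relocations", f, "|")
            for (k = 1; k <= n; k++) req[f[k]] = 1
        }
        # An unindented line ending in ":" names the binary being reported on.
        /^[^ ].*:$/ { bin = substr($0, 1, length($0) - 1); next }
        # Indented lines have the form " Feature: verdict[, detail]".
        /^ / {
            sub(/^ +/, "")
            i = index($0, ": ")
            feature = substr($0, 1, i - 1)
            verdict = substr($0, i + 2)
            # "unknown" (nothing to fortify) is treated as a pass here.
            if ((feature in req) && verdict ~ /^no(,|$)/) {
                printf "%s\t%s\n", bin, feature; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: reports copied from the output shown in the message.
sample_report() {
    cat <<'EOF'
/usr/sbin/fb_inet_server:
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
/usr/bin/fbsvcmgr:
 Stack protected: yes
 Fortify Source functions: no, no protected functions found!
 Read-only relocations: yes
/usr/sbin/fb_smp_server:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: no, not found!
EOF
}
sample_report | hardening_failures || echo "required hardening features missing" >&2
```

In a package build, the same function can read the output of `hardening-check` run over the built binaries in place of `sample_report`.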
