[pkg-firebird-general] Bug#654793: firebird2.5: Hardening flags not fully enabled

Moritz Muehlenhoff jmm at inutil.org
Sat Jan 7 13:13:56 UTC 2012


On Sat, Jan 07, 2012 at 10:58:31AM +0200, Damyan Ivanov wrote:
> -=| Moritz Muehlenhoff, 05.01.2012 21:46:12 +0100 |=-
> > I'm currently checking all packages, which had a DSA in the last
> > year to enable hardened build flags. firebird2.5 has already been
> > updated to use dpkg-buildflags, but I noticed that not all flags
> > are fully in effect. You can use the hardening-check scripts from
> > the package hardening includes:
> > 
> > Out of the three hardening features from the Wheezy default set
> > (protected stack, fortified source and relro) not all are fully
> > applied, e.g.
> > 
> > root@pisco:~# hardening-check /usr/sbin/fb_inet_server
> > /usr/sbin/fb_inet_server:
> >  Stack protected: no, not found!
> >  Fortify Source functions: unknown, no protectable libc functions used
> >  Read-only relocations: yes
> 
> Just to make sure: we are aiming at having "yes" for these three, 
> right?
> 
> Does the "no protectable libc functions used" part mean that this item 
> is OK?
> 
> > The reason is likely that some parts of Firebird build system 
> > hardcode specific flags, which nullify the hardened build flags?
> 
> This is quite possible. I try to patch it already so that it accepts 
> things like optimization flags from the environment, but maybe the 
> linking rules need more work.

- relro should be "yes" in all cases. That's the case for the binaries
I checked, so all seems fine.

- The test for a protected stack cannot show that it's activated if the
tested code doesn't use arrays on the stack. Since that's the case for
a few binaries I tested, everything seems fine.

- The check for fortified source functions depends on the use of such
functions. If none of them are present, the error "no protectable libc
functions used" is shown. However, there are also results that show
"no" (e.g. /usr/bin/fbsvcmgr). As such, there might indeed be a problem
with the LDFLAGS being overwritten.

Cheers,
        Moritz
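
Added example, not part of the original mail and not hardening-check's own code: a simplified model of the symbol-based reasoning described above, showing why a binary can report "no" or "unknown" without the flags being lost. The symbol lists are constructed samples, and the PROTECTABLE set is an assumed small subset of the libc functions that _FORTIFY_SOURCE can wrap.

```python
# Simplified model of the symbol-based verdicts discussed in this thread.
# Assumption: PROTECTABLE is only a small subset of fortifiable libc functions.
PROTECTABLE = {"memcpy", "strcpy", "strcat", "sprintf", "snprintf", "read", "fgets"}

# Constructed import lists (not taken from real Firebird binaries).
SAMPLES = {
    "no_arrays_no_libc_copy": ["__libc_start_main@GLIBC_2.2.5", "puts@GLIBC_2.2.5"],
    "flags_overridden": ["memcpy@GLIBC_2.14", "strcpy@GLIBC_2.2.5",
                         "__stack_chk_fail@GLIBC_2.4"],
    "fully_hardened": ["__memcpy_chk@GLIBC_2.3.4", "__sprintf_chk@GLIBC_2.3.4",
                       "__stack_chk_fail@GLIBC_2.4", "strcpy@GLIBC_2.2.5"],
}


def classify(undefined_symbols):
    """Return (stack, fortify) verdicts from a binary's imported symbol names."""
    syms = {s.split("@")[0] for s in undefined_symbols}  # drop symbol version

    # -fstack-protector only instruments functions that have stack arrays. With
    # none present, no __stack_chk_fail reference exists, so "no" is inconclusive.
    stack = "yes" if "__stack_chk_fail" in syms else "no, not found!"

    # Fortified calls appear as __<name>_chk; plain names are unprotected calls.
    fortified = {s[2:-4] for s in syms if s.startswith("__") and s.endswith("_chk")}
    fortified &= PROTECTABLE
    unprotected = syms & PROTECTABLE

    if fortified:
        fortify = "yes"
    elif unprotected:
        # Protectable functions are used but none were wrapped: the case that
        # points at build flags being overwritten.
        fortify = "no"
    else:
        fortify = "unknown, no protectable libc functions used"
    return stack, fortify


def report(samples=SAMPLES):
    """Map each sample name to its (stack, fortify) verdicts."""
    return {name: classify(syms) for name, syms in samples.items()}


if __name__ == "__main__":
    for name, (stack, fortify) in report().items():
        print(f"{name}:\n Stack protected: {stack}\n Fortify Source functions: {fortify}")
```

Only the "no" fortify verdict is a reliable sign that the flags did not reach the compiler; the other two negative results depend on what the code itself uses.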




