Bug#657848: Please enable hardened build flags

Simon Ruderich simon at ruderich.org
Tue Mar 6 14:57:19 UTC 2012


Package: multipath-tools
Version: 0.4.9+git0.4dfdaf2b-2
Tags: patch
Followup-For: Bug #657848

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The LDFLAGS hardening flags are not applied everywhere; some
files don't use hardening flags.

An updated 0009-hardened-build-flags.patch is attached which
enables it for all files by setting LDFLAGS in ./Makefile.inc
which is included by all Makefiles. $(shell ..) is used instead
of `..` because it's already used in other Makefiles.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package.

    $ hardening-check /sbin/multipathd /sbin/multipath /lib/libmultipath.so.0 ...
    /sbin/multipathd:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /sbin/multipath:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /lib/libmultipath.so.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

on the build result to check all files.

Regards,
Simon

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0009-hardened-build-flags.patch
Type: text/x-diff
Size: 1921 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-lvm-maintainers/attachments/20120306/cf5db318/attachment.patch>
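One way to turn the `hardening-check` output quoted in the message into a list of missing protections per file, as an added example that is not part of the original message or the attached patch. The function names are hypothetical and the embedded sample is constructed from the output format shown in the message.

```shell
#!/bin/sh
# Added example: list every hardening-check result reported as "no",
# skipping results that the tool itself marks "(ignored)".

# Read hardening-check output on stdin; print "path<TAB>check" per failure.
hardening_failures() {
    awk '
        # A line starting in column 1 and ending in ":" names the file.
        /^[^ \t].*:$/ { file = substr($0, 1, length($0) - 1); next }
        # Indented "Check name: verdict" lines belong to the current file.
        /^[ \t]+[^:]+: / {
            line = $0
            sub(/^[ \t]+/, "", line)
            sep = index(line, ": ")
            check = substr(line, 1, sep - 1)
            verdict = substr(line, sep + 2)
            if (verdict ~ /^no/ && verdict !~ /\(ignored\)/)
                printf "%s\t%s\n", file, check
        }
    '
}

# Count failures of one named check (argument 1) across all files on stdin.
count_failures() {
    hardening_failures |
        awk -F '\t' -v c="$1" '$2 == c { n++ } END { print n + 0 }'
}

# Constructed sample in the format quoted in the message (not live output).
sample_output() {
    cat <<'EOF'
/sbin/multipathd:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/lib/libmultipath.so.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
EOF
}

sample_output | hardening_failures
```

To run it on a real build, pipe the `find ... -exec hardening-check {} +` command from the message into `hardening_failures` instead of the sample.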

