Bug#657325: Please enable hardened build flags

Moritz Muehlenhoff jmm at debian.org
Wed Jan 25 16:51:58 UTC 2012


Source: nss
Severity: important
Tags: patch

Hi Mike,
Please enable hardened build flags through dpkg-buildflags.

Patches attached:
nss-harden.patch - Enables hardened build flags

nss-harden2.patch - Patch for NSS buildsystem to source LDFLAGS

nss-format.patch, nss-format2.patch, nss-format3.patch - missing
    format strings exposed by "-Wformat -Wformat-security 
    -Werror=format-security"

There's still one deficiency, though: relro applies to the
binaries from libnss3-tools, e.g.

jmm at pisco:~/scratch$ hardening-check /usr/bin/signtool
/usr/bin/signtool:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!

It's not enabled for the NSS libs, though:

jmm at pisco:~/deb/secure-testing/hardening$ hardening-check /usr/lib/x86_64-linux-gnu/libnss3.so
/usr/lib/x86_64-linux-gnu/libnss3.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: no, not found!
 Immediate binding: no not found!

Cheers,
        Moritz
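The "Read-only relocations" and "Immediate binding" lines in the hardening-check output above come from two ELF properties: a PT_GNU_RELRO program header, and a BIND_NOW marker in the dynamic section (DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1). As an added illustration, not part of this bug report or of the hardening-check tool, the Python below reads those two properties directly and includes a constructed minimal ELF64 image builder so the check can be exercised without a real library on disk; it handles little-endian ELF64 only.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_relro(data: bytes) -> dict:
    """Report RELRO / immediate-binding status of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    phoff = struct.unpack_from("<Q", data, 32)[0]          # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", data, 54)  # e_phentsize, e_phnum
    relro = bind_now = False
    for i in range(phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:          # partial RELRO: GOT made read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:          # walk the dynamic array looking for BIND_NOW
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    # full RELRO (the state -z relro -z now produces) needs both properties
    return {"relro": relro, "bind_now": bind_now, "full_relro": relro and bind_now}


def check_file(path: str) -> dict:
    """Convenience wrapper: run check_relro on an ELF file on disk."""
    with open(path, "rb") as fh:
        return check_relro(fh.read())


def build_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 ET_DYN image: header, program headers, dynamic array only."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") \
        + struct.pack("<qQ", DT_NULL, 0)
    ehdr_size, ph_size = 64, 56
    nph = 2 if relro else 1
    dyn_off = ehdr_size + nph * ph_size
    phdrs = [struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, dyn_off, dyn_off,
                                 dyn_off, len(dyn), len(dyn), 1))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       3, 62, 1, 0, ehdr_size, 0, 0, ehdr_size, ph_size, nph, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn
```

Run check_file("/usr/lib/x86_64-linux-gnu/libnss3.so") to reproduce the two relevant lines of the report above; build_elf exists only so the checker can be tested offline.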