Bug#673090: libnspr4: LDFLAGS hardening flags missing
Mike Hommey
mh at glandium.org
Thu May 17 06:37:23 UTC 2012
On Wed, May 16, 2012 at 12:55:13AM +0200, Simon Ruderich wrote:
> Package: libnspr4
> Version: 2:4.9-2
> Severity: important
>
> Dear Maintainer,
>
> The LDFLAGS hardening flags are missing. For more hardening
> information please have a look at [1], [2] and [3].
>
> $ hardening-check /usr/lib/x86_64-linux-gnu/libplc4.so /usr/lib/x86_64-linux-gnu/libplds4.so /usr/lib/x86_64-linux-gnu/libnspr4.so
> /usr/lib/x86_64-linux-gnu/libplc4.so:
> Position Independent Executable: no, regular shared library (ignored)
> Stack protected: no, not found!
> Fortify Source functions: no, only unprotected functions found!
> Read-only relocations: no, not found!
> Immediate binding: no not found!
> /usr/lib/x86_64-linux-gnu/libplds4.so:
> Position Independent Executable: no, regular shared library (ignored)
> Stack protected: no, not found!
> Fortify Source functions: no, only unprotected functions found!
> Read-only relocations: no, not found!
> Immediate binding: no not found!
> /usr/lib/x86_64-linux-gnu/libnspr4.so:
> Position Independent Executable: no, regular shared library (ignored)
> Stack protected: yes
> Fortify Source functions: yes (some protected functions found)
> Read-only relocations: no, not found!
> Immediate binding: no not found!
>
> To check if all flags were correctly enabled you can use
> `hardening-check` from the hardening-includes package and check
> the build log (for example with blhc [4]) (hardening-check
> doesn't catch everything).
>
> I've no idea what the code in debian/rules in lines 4-7 is
> supposed to do, so I can't propose a patch. If relro should be
> disabled please add a comment so non-make-geeks are not confused
> ;-)
It was meant to be disabled, but otoh, rethinking about it, it's not
that useful to disable it in nspr.
Mike
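
An added example, not part of the original thread and not code from hardening-check or the package: a small Python parser for `hardening-check` output like that quoted above, reporting per file the two checks that depend on linker flags (read-only relocations and immediate binding). The sample input is constructed from two of the quoted result blocks, and the names `parse`, `missing` and `LDFLAGS_CHECKS` are hypothetical.

```python
import re

# Checks decided by linker flags (-Wl,-z,relro and -Wl,-z,now), the subject of this bug.
LDFLAGS_CHECKS = {"Read-only relocations", "Immediate binding"}

# Constructed sample: two of the result blocks quoted in the report.
SAMPLE = """\
/usr/lib/x86_64-linux-gnu/libplc4.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: no, not found!
 Immediate binding: no not found!
/usr/lib/x86_64-linux-gnu/libnspr4.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: no, not found!
 Immediate binding: no not found!
"""

# One result line: "<check name>: yes|no<free-form detail>", indented or not.
RESULT = re.compile(r"^\s*(?P<check>[^:]+):\s*(?P<verdict>yes|no)\b(?P<detail>.*)$")


def parse(report):
    """Return {path: {check: (passed, ignored)}} from hardening-check text."""
    results, current = {}, None
    for line in report.splitlines():
        if line.startswith("/") and line.rstrip().endswith(":"):
            current = results.setdefault(line.rstrip()[:-1], {})
            continue
        m = RESULT.match(line)
        if m and current is not None:
            current[m["check"].strip()] = (m["verdict"] == "yes", "(ignored)" in m["detail"])
    return results


def missing(report, wanted=LDFLAGS_CHECKS):
    """Map each file to the sorted wanted checks that failed and were not ignored."""
    out = {}
    for path, checks in parse(report).items():
        failed = sorted(c for c in wanted if checks.get(c, (True, False)) == (False, False))
        if failed:
            out[path] = failed
    return out


if __name__ == "__main__":
    for path, failed in missing(SAMPLE).items():
        print(f"{path}: missing {', '.join(failed)}")
```

A "no" marked `(ignored)`, as for the PIE check on a shared library, is not counted as a failure.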