[Unbound-users] [simon at ruderich.org: Bug#658021: Please enable hardened build flags]

W.C.A. Wijngaards wouter at nlnetlabs.nl
Sun May 27 20:51:29 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Robert,

On 05/27/2012 10:20 PM, Robert Edmonds wrote:
> hi,
> 
> it looks like this patch is applicable to upstream unbound.  i'm 
> planning on applying the attached patch to our 1.4.17 package.

Thanks for the patch, applied to svn trunk for the next unbound release.

Be aware, I changed the patch because I think it has to read:
LIBS="$LIBS $PYTHON_LDFLAGS"
CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
On the LIBS= and CPPFLAGS= lines.

Because as the patch is now it removes the normal buildflags for the
python compilecheck, which would fail on platforms where compilation
will not succeed without those flags, and that would fail the python
compilecheck.

Best regards,
   Wouter

> ----- Forwarded message from Simon Ruderich <simon at ruderich.org>
> -----
> 
> Date: Tue, 24 Apr 2012 12:01:19 +0200 From: Simon Ruderich
> <simon at ruderich.org> To: Debian Bug Tracking System
> <658021 at bugs.debian.org> Cc: control at bugs.debian.org Subject:
> Bug#658021: Please enable hardened build flags Reply-To: Simon
> Ruderich <simon at ruderich.org>, 658021 at bugs.debian.org
> 
> reopen 658021 thanks
> 
> Dear Maintainer,
> 
> The CPPFLAGS hardening flags were not enabled because the build 
> system overwrites them in the configure phase. For more hardening 
> information please have a look at [1], [2] and [3].
> 
> The following patch fixes the issue, if possible it should be sent
> to upstream to fix their build system.
> 
> --- unbound-1.4.16.orig/acx_python.m4 +++
> unbound-1.4.16/acx_python.m4 @@ -164,8 +164,11 @@
> $ac_distutils_result]) AC_MSG_CHECKING([consistency of all
> components of python development environment]) AC_LANG_PUSH([C]) #
> save current global flags -        LIBS="$ac_save_LIBS
> $PYTHON_LDFLAGS" -        CPPFLAGS="$ac_save_CPPFLAGS
> $PYTHON_CPPFLAGS" +        ac_save_LIBS="$LIBS" +
> ac_save_CPPFLAGS="$CPPFLAGS" + +        LIBS="$PYTHON_LDFLAGS" +
> CPPFLAGS="$PYTHON_CPPFLAGS" AC_TRY_LINK([ #include <Python.h> ],[
> 
> To check if all flags were correctly enabled you can use 
> `hardening-check` from the hardening-includes package and check the
> build log (for example with blhc [4]) (hardening-check doesn't
> catch everything):
> 
> $ hardening-check /usr/sbin/unbound-checkconf
> /usr/sbin/unbound-control /usr/sbin/unbound ... 
> /usr/sbin/unbound-checkconf: Position Independent Executable: no,
> normal executable! Stack protected: yes Fortify Source functions:
> yes (some protected functions found) Read-only relocations: yes 
> Immediate binding: no not found! /usr/sbin/unbound-control: 
> Position Independent Executable: no, normal executable! Stack
> protected: yes Fortify Source functions: yes (some protected
> functions found) Read-only relocations: yes Immediate binding: no
> not found! /usr/sbin/unbound: Position Independent Executable: no,
> normal executable! Stack protected: yes Fortify Source functions:
> yes (some protected functions found) Read-only relocations: yes 
> Immediate binding: no not found! ...
> 
> (Position Independent Executable and Immediate binding is not 
> enabled by default.)
> 
> Use find -type f \( -executable -o -name \*.so\* \) -exec 
> hardening-check {} + on the build result to check all files.
> 
> Regards, Simon
> 
> [1]:
> https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags 
> [2]: https://wiki.debian.org/HardeningWalkthrough [3]:
> https://wiki.debian.org/Hardening [4]:
> http://ruderich.org/simon/blhc/
> 
> 
> 
> _______________________________________________ Unbound-users
> mailing list Unbound-users at unbound.net 
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPwpPRAAoJEJ9vHC1+BF+Ng9UP/3Q3BRxPfbwu3j7wIw9tVI9s
804u8913YjnlQh6kRVn2kQYOMFGnmezx6ePHWDAoUf2O5RAV+x3Mf2Wd+TTAF2hR
DU9N1Iq2Cp82z19U0Zoj+NRogQ/tCt/6XLuYRx6NFvg+bd51kGtWvpaI18eUgc7Y
lMxJ4vI1p2vzUOUXpUNxaQHcujoRkft33/T90gJO+xVO+ggbgmf6QBoebf9lMPDg
nh2DvkjcrQv3TstAFRpNnoZSTZCVrkvd0jjAgFi+wdt7qEYoPIaCn3nMVLFWRXyX
uWxbq9KOtxEZFiZcYxeFv0ecM79W9vQn0GCy8eKYBp/7hg/xwaI8znoChxAkKKMu
+hjAhsOYqc40kkQ6V3QW3cd9e1LJLoZSBzhJPCPXiffdKPvY96ZzYVudNZDCaqZr
lMRr1TOgjHZSkd7g4GVgFqYfaXgrpzeSgHqw7RVe+/e01isXhFb9etAQwkemTzQE
JJb5tYWpoy62yPM4dCLeLu+8CX3+OXdOhVGNfbRny1nTUR/YCiAXef66ijxb372Q
LECZwkqHVjp9Tp3CxhH9DeaxqYFAx7xoBlT+OusgfJO9yvTN9gE4ijMzcm2ktJKi
AFgsjMrcag76VRf2xRhO6izl26kmt5btfamJMeYN5gFpTrArVPJz075PB0QQHx49
+Z1h/YJs3a1TDcuAZtaq
=O44u
-----END PGP SIGNATURE-----



More information about the Unbound-users mailing list