bug-gnu-pspp

PSPP-BUG: [bug #49302] debian build system - code is compiled without ha


From: Friedrich Beckmann
Subject: PSPP-BUG: [bug #49302] debian build system - code is compiled without hardening flags
Date: Mon, 10 Oct 2016 07:58:20 +0000 (UTC)
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50

URL:
  <http://savannah.gnu.org/bugs/?49302>

                 Summary: debian build system - code is compiled without
hardening flags
                 Project: PSPP
            Submitted by: beckmanf
            Submitted on: Mon Oct 10 07:58:17 2016
                Category: Compilation/Portability
                Severity: 5 - Average
                  Status: Confirmed
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: None
                  Effort: 0.00

    _______________________________________________________

Details:

Some code files are compiled without hardening flags in the Debian build
system. This is a result of the lintian warnings:

https://qa.debian.org/bls/packages/p/pspp.html

It seems that the q2c.c file is compiled without CFLAGS, CPPFLAGS and LDFLAGS,
which transport the hardening flags.

PSPP.c (which is for Perl?) is compiled without CFLAGS and CPPFLAGS.

PSPP.so is linked without LDFLAGS.

======= 

The blhc check shows the following:

address@hidden:~/pspp/debian$ blhc --version
blhc 0.07  Copyright (C) 2012-2016  Simon Ruderich

address@hidden:~/pspp/debian$ blhc pspp_0.10.2-1_amd64.build
CFLAGS missing (-g -O2 -fstack-protector-strong -Wformat
-Werror=format-security): gcc ./src/language/lexer/q2c.c -o
./src/language/lexer/q2c
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc ./src/language/lexer/q2c.c -o
./src/language/lexer/q2c
LDFLAGS missing (-Wl,-z,relro): gcc ./src/language/lexer/q2c.c -o
./src/language/lexer/q2c
CFLAGS missing (-fstack-protector-strong -Wformat -Werror=format-security):
x86_64-linux-gnu-gcc -c  -I /home/fritz/pspp/debian/pspp-0.10.2  -I
/home/fritz/pspp/debian/pspp-0.10.2/src -I
/home/fritz/pspp/debian/pspp-0.10.2/gl -I
/home/fritz/pspp/debian/pspp-0.10.2/gl -I /home/fritz/pspp/debian/pspp-0.10.2
-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe
-I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g  
-DVERSION=\"0.10.2\" -DXS_VERSION=\"0.10.2\" -fPIC
"-I/usr/lib/x86_64-linux-gnu/perl/5.22/CORE"   PSPP.c
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): x86_64-linux-gnu-gcc -c  -I
/home/fritz/pspp/debian/pspp-0.10.2  -I
/home/fritz/pspp/debian/pspp-0.10.2/src -I
/home/fritz/pspp/debian/pspp-0.10.2/gl -I
/home/fritz/pspp/debian/pspp-0.10.2/gl -I /home/fritz/pspp/debian/pspp-0.10.2
-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe
-I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g  
-DVERSION=\"0.10.2\" -DXS_VERSION=\"0.10.2\" -fPIC
"-I/usr/lib/x86_64-linux-gnu/perl/5.22/CORE"   PSPP.c
LDFLAGS missing (-Wl,-z,relro): x86_64-linux-gnu-gcc  -shared -L/usr/local/lib
-fstack-protector-strong PSPP.o  -o blib/arch/auto/PSPP/PSPP.so
/home/fritz/pspp/debian/pspp-0.10.2/src/.libs/libpspp-core.so   \       \   
address@hidden:~/pspp/debian$ 

=========

The hardening-check shows:

address@hidden:~/pspp/debian/pspp-0.10.2/debian/pspp/usr/bin$ hardening-check
pspp
pspp:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
address@hidden:~/pspp/debian/pspp-0.10.2/debian/pspp/usr/bin$ hardening-check
pspp-convert 
pspp-convert:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!
address@hidden:~/pspp/debian/pspp-0.10.2/debian/pspp/usr/bin$ hardening-check
pspp-dump-sav 
pspp-dump-sav:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
address@hidden:~/pspp/debian/pspp-0.10.2/debian/pspp/usr/bin$ hardening-check
psppire 
psppire:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
address@hidden:~/pspp/debian/pspp-0.10.2/debian/pspp/usr/bin$





    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?49302>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
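
The following is an added example, not part of the original report and not blhc's own code: a simplified Python check of compiler command lines in a build log against the three flag sets named in the blhc messages above. The function names and the sample log (the report's three commands, abbreviated, plus one hardened line) are constructed for illustration.

```python
import shlex

# Flag sets copied from the blhc messages quoted in the report.
REQUIRED = {
    "CFLAGS": ["-g", "-O2", "-fstack-protector-strong", "-Wformat",
               "-Werror=format-security"],
    "CPPFLAGS": ["-D_FORTIFY_SOURCE=2"],
    "LDFLAGS": ["-Wl,-z,relro"],
}

def _present(flag, args):
    if flag.startswith("-Wl,"):  # linker options may be merged, e.g. -Wl,-z,relro,-z,now
        want = flag.split(",")[-1]
        return any(a.startswith("-Wl,") and want in a.split(",") for a in args)
    return flag in args

def missing_flags(command):
    """Return {variable: [missing flags]} for one compiler command line."""
    args = shlex.split(command)
    if not args or not args[0].endswith(("cc", "g++")):
        return {}                                   # not a compiler invocation
    compiles = any(a.endswith((".c", ".cc", ".cpp")) for a in args[1:])
    links = not any(a in ("-c", "-S", "-E") for a in args)  # no -c: driver also links
    wanted = (["CFLAGS", "CPPFLAGS"] if compiles else []) + (["LDFLAGS"] if links else [])
    report = {}
    for var in wanted:
        gaps = [f for f in REQUIRED[var] if not _present(f, args)]
        if gaps:
            report[var] = gaps
    return report

def scan_log(text):
    """Return [(line number, missing)] for every command that lacks a flag."""
    checked = ((n, missing_flags(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, found) for n, found in checked if found]

# Constructed sample: the report's three commands, abbreviated, plus one hardened line.
SAMPLE_LOG = """\
gcc ./src/language/lexer/q2c.c -o ./src/language/lexer/q2c
x86_64-linux-gnu-gcc -c -D_REENTRANT -O2 -g -fPIC PSPP.c
x86_64-linux-gnu-gcc -shared -fstack-protector-strong PSPP.o -o blib/arch/auto/PSPP/PSPP.so
gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c ok.c
"""

if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG):
        print(n, found)
```

Run over the sample, it flags the same three commands and the same missing flags that blhc reported, and passes the hardened line.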



