hi, it looks like this patch is applicable to upstream unbound. i'm planning on applying the attached patch to our 1.4.17 package. ----- Forwarded message from Simon Ruderich <simon at ruderich.org> ----- Date: Tue, 24 Apr 2012 12:01:19 +0200 From: Simon Ruderich <simon at ruderich.org> To: Debian Bug Tracking System <658021 at bugs.debian.org> Cc: control at bugs.debian.org Subject: Bug#658021: Please enable hardened build flags Reply-To: Simon Ruderich <simon at ruderich.org>, 658021 at bugs.debian.org reopen 658021 thanks Dear Maintainer, The CPPFLAGS hardening flags were not enabled because the build system overwrites them in the configure phase. For more hardening information please have a look at [1], [2] and [3]. The following patch fixes the issue, if possible it should be sent to upstream to fix their build system. --- unbound-1.4.16.orig/acx_python.m4 +++ unbound-1.4.16/acx_python.m4 @@ -164,8 +164,11 @@ $ac_distutils_result]) AC_MSG_CHECKING([consistency of all components of python development environment]) AC_LANG_PUSH([C]) # save current global flags - LIBS="$ac_save_LIBS $PYTHON_LDFLAGS" - CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS" + ac_save_LIBS="$LIBS" + ac_save_CPPFLAGS="$CPPFLAGS" + + LIBS="$PYTHON_LDFLAGS" + CPPFLAGS="$PYTHON_CPPFLAGS" AC_TRY_LINK([ #include <Python.h> ],[ To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (for example with blhc [4]) (hardening-check doesn't catch everything): $ hardening-check /usr/sbin/unbound-checkconf /usr/sbin/unbound-control /usr/sbin/unbound ... /usr/sbin/unbound-checkconf: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/sbin/unbound-control: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/sbin/unbound: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! ... (Position Independent Executable and Immediate binding is not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening [4]: http://ruderich.org/simon/blhc/ -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9 ----- End forwarded message ----- -- Robert Edmonds edmonds at debian.org -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-acx_python.m4-fix-LIBS-CPPFLAGS-overwrite-issue.patch Type: text/x-diff Size: 947 bytes Desc: not available URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20120527/20158024/attachment.patch>