Maintained by: NLnet Labs

[Unbound-users] [simon at ruderich.org: Bug#658021: Please enable hardened build flags]

Robert Edmonds
Sun May 27 22:20:00 CEST 2012


hi,

it looks like this patch is applicable to upstream unbound.  i'm
planning on applying the attached patch to our 1.4.17 package.

----- Forwarded message from Simon Ruderich <simon at ruderich.org> -----

Date: Tue, 24 Apr 2012 12:01:19 +0200
From: Simon Ruderich <simon at ruderich.org>
To: Debian Bug Tracking System <658021 at bugs.debian.org>
Cc: control at bugs.debian.org
Subject: Bug#658021: Please enable hardened build flags
Reply-To: Simon Ruderich <simon at ruderich.org>, 658021 at bugs.debian.org

reopen 658021
thanks

Dear Maintainer,

The CPPFLAGS hardening flags were not enabled because the build
system overwrites them in the configure phase. For more hardening
information please have a look at [1], [2] and [3].

The following patch fixes the issue, if possible it should be
sent to upstream to fix their build system.

--- unbound-1.4.16.orig/acx_python.m4
+++ unbound-1.4.16/acx_python.m4
@@ -164,8 +164,11 @@ $ac_distutils_result])
         AC_MSG_CHECKING([consistency of all components of python development environment])
         AC_LANG_PUSH([C])
         # save current global flags
-        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
-        CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+        ac_save_LIBS="$LIBS"
+        ac_save_CPPFLAGS="$CPPFLAGS"
+
+        LIBS="$PYTHON_LDFLAGS"
+        CPPFLAGS="$PYTHON_CPPFLAGS"
         AC_TRY_LINK([
                 #include <Python.h>
         ],[

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/sbin/unbound-checkconf /usr/sbin/unbound-control /usr/sbin/unbound ...
    /usr/sbin/unbound-checkconf:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/sbin/unbound-control:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/sbin/unbound:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

----- End forwarded message -----

-- 
Robert Edmonds
edmonds at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-acx_python.m4-fix-LIBS-CPPFLAGS-overwrite-issue.patch
Type: text/x-diff
Size: 947 bytes
Desc: not available
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20120527/20158024/attachment.patch>