Debian Bug report logs - #657523
Please enabled hardened build flags


Package: lvm2; Maintainer for lvm2 is Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>; Source for lvm2 is src:lvm2.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 26 Jan 2012 19:51:01 UTC

Severity: important

Found in version lvm2/2.02.88-2



Report forwarded to debian-bugs-dist@lists.debian.org, Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>:
Bug#657523; Package lvm2. (Thu, 26 Jan 2012 19:51:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>. (Thu, 26 Jan 2012 19:51:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Please enabled hardened build flags
Date: Thu, 26 Jan 2012 20:46:50 +0100
Package: lvm2
Version: 2.02.88-2
Severity: important

Please enable hardened build flags through dpkg-buildflags.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>:
Bug#657523; Package lvm2. (Fri, 27 Jan 2012 15:00:07 GMT)

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>. (Fri, 27 Jan 2012 15:00:12 GMT)

Message #10 received at 657523@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 657523@bugs.debian.org
Subject: Re: Bug#657523: Please enabled hardened build flags
Date: Fri, 27 Jan 2012 15:53:10 +0100
On Thu, Jan 26, 2012 at 08:46:50PM +0100, Moritz Muehlenhoff wrote:
> Package: lvm2
> Version: 2.02.88-2
> Severity: important

Please explain in what ways this affects the usability of the package.

> Please enable hardened build flags through dpkg-buildflags.

Please provide more information.

Anyway, did I miss the discussion about mass-bug-filing on d-devel?

Bastian

-- 
There are always alternatives.
		-- Spock, "The Galileo Seven", stardate 2822.3




Information forwarded to debian-bugs-dist@lists.debian.org, Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>:
Bug#657523; Package lvm2. (Fri, 27 Jan 2012 16:57:07 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>. (Fri, 27 Jan 2012 16:57:07 GMT)

Message #15 received at 657523@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Bastian Blank <waldi@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 657523@bugs.debian.org
Subject: Re: Bug#657523: Please enabled hardened build flags
Date: Fri, 27 Jan 2012 17:51:25 +0100
On Fri, Jan 27, 2012 at 03:53:10PM +0100, Bastian Blank wrote:
> On Thu, Jan 26, 2012 at 08:46:50PM +0100, Moritz Muehlenhoff wrote:
> > Package: lvm2
> > Version: 2.02.88-2
> > Severity: important
> 
> Please explain in what ways this affects the usability of the package.

It's a Wheezy release goal.
 
> > Please enable hardened build flags through dpkg-buildflags.
> 
> Please provide more information.

http://lists.debian.org/debian-devel-announce/2011/09/msg00001.html
http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
 
Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>:
Bug#657523; Package lvm2. (Tue, 22 May 2012 13:54:02 GMT)

Acknowledgement sent to Touko Korpela <touko.korpela@iki.fi>:
Extra info received and forwarded to list. Copy sent to Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>. (Tue, 22 May 2012 13:54:03 GMT)

Message #20 received at 657523@bugs.debian.org:

From: Touko Korpela <touko.korpela@iki.fi>
To: 657523@bugs.debian.org
Cc: Simon Ruderich <simon@ruderich.org>
Subject: Re: Bug#657523: Please enabled hardened build flags
Date: Tue, 22 May 2012 16:51:21 +0300
Here are some more links about this task:

http://wiki.debian.org/Hardening
http://wiki.debian.org/HardeningWalkthrough

Simon Ruderich (CCd) may be able to help with preparing a patch.




Information forwarded to debian-bugs-dist@lists.debian.org, simon@ruderich.org, Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>:
Bug#657523; Package lvm2. (Sun, 27 May 2012 00:45:03 GMT)

Acknowledgement sent to Simon Ruderich <simon@ruderich.org>:
Extra info received and forwarded to list. Copy sent to simon@ruderich.org, Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>. (Sun, 27 May 2012 00:45:03 GMT)

Message #25 received at 657523@bugs.debian.org:

From: Simon Ruderich <simon@ruderich.org>
To: Debian Bug Tracking System <657523@bugs.debian.org>
Subject: Re: Please enabled hardened build flags
Date: Sun, 27 May 2012 02:42:14 +0200
Dear Maintainer,

The LDFLAGS hardening flags are still missing in a few places:

    cc -shared -Wl,-soname,libdevmapper.so.1.02.1 [...] -o ioctl/libdevmapper.so.1.02.1
    cc -shared -Wl,-soname,liblvm2cmd.so.2.02 [...] -o liblvm2cmd.so [...]
    cc -shared -Wl,-soname,liblvm2app.so.2.2 [...] -o liblvm2app.so.2.2
    cc -shared -Wl,-soname,libdevmapper.so.1.02.1 [...] -o ioctl/libdevmapper.so.1.02.1

The attached patch fixes the issue by modifying configure.ac. I
found no better way to fix the missing flags, but as autoreconf
is called anyway it shouldn't be too much trouble. If possible
the patch should be sent to upstream to fix the build system.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /sbin/lvm /lib/x86_64-linux-gnu/liblvm2cmd.so.2.02 /lib/x86_64-linux-gnu/liblvm2app.so.2.2 /lib/x86_64-linux-gnu/libdevmapper.so.1.02.1 ...
    /sbin/lvm:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /lib/x86_64-linux-gnu/liblvm2cmd.so.2.02:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /lib/x86_64-linux-gnu/liblvm2app.so.2.2:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /lib/x86_64-linux-gnu/libdevmapper.so.1.02.1:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use the following on the build result to check all files:

    find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
[use-dpkg-buildflags.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
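The check Simon describes above (run hardening-check over the build result and look for missing protections) can be automated. The following Python script is an added example, not code from this bug report, from lvm2 or from the hardening-includes package: it parses hardening-check output in the format quoted above and reports which files lack a required protection, treating the "(ignored)" verdict on shared libraries as not applicable and leaving PIE and immediate binding optional, as the message notes they are not enabled by default. The sample input is the output quoted above, trimmed to two files; the function names and the required/optional split are assumptions of this example.

```python
import re
import sys

# Sample input: two entries from the hardening-check output quoted in the
# report above (trimmed and embedded here for this example).
SAMPLE_OUTPUT = """\
/sbin/lvm:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/lib/x86_64-linux-gnu/liblvm2cmd.so.2.02:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
"""

# Assumed split for this example: the first three are what the default
# dpkg-buildflags hardening set provides; the other two are opt-in.
REQUIRED = ("Stack protected", "Fortify Source functions", "Read-only relocations")
PIE = "Position Independent Executable"
BINDNOW = "Immediate binding"

# An indented check line: " <name>: yes|no<rest of line>"
CHECK_RE = re.compile(r"^\s+(?P<check>[^:]+):\s*(?P<verdict>yes|no)\b(?P<detail>.*)$")


def parse_hardening_check(text):
    """Parse hardening-check output into {path: {check: (passed, detail)}}.

    A file header is an unindented line ending in ':'; the checks for that
    file follow as indented 'Name: yes|no ...' lines.
    """
    results = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            if not line.endswith(":"):
                raise ValueError("unexpected line: %r" % line)
            current = line[:-1]
            results[current] = {}
            continue
        if current is None:
            raise ValueError("check line before any file header: %r" % line)
        m = CHECK_RE.match(line)
        if m is None:
            raise ValueError("unparseable check line: %r" % line)
        detail = m.group("detail").strip(" ,")
        results[current][m.group("check")] = (m.group("verdict") == "yes", detail)
    return results


def missing_protections(results, require_pie=False, require_bindnow=False):
    """Return {path: [failed checks]} for files lacking a wanted protection."""
    failures = {}
    for path, checks in results.items():
        for check, (passed, detail) in checks.items():
            if passed or "(ignored)" in detail:
                continue  # passed, or not applicable (e.g. PIE on a shared library)
            wanted = (check in REQUIRED
                      or (check == PIE and require_pie)
                      or (check == BINDNOW and require_bindnow))
            if wanted:
                failures.setdefault(path, []).append(check)
    return failures


if __name__ == "__main__":
    # Pipe real output in (`hardening-check ... | python3 this.py [--pie] [--bindnow]`);
    # with no piped input the embedded sample is used.
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    report = missing_protections(parse_hardening_check(data),
                                 require_pie="--pie" in sys.argv,
                                 require_bindnow="--bindnow" in sys.argv)
    for path, checks in report.items():
        print("%s: missing %s" % (path, ", ".join(checks)))
    sys.exit(1 if report else 0)
```

A non-zero exit makes the script usable as a gate in a build or CI step; the "(ignored)" handling matters because hardening-check reports PIE as "no" for every shared library, which is not a defect and would otherwise drown the real findings.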

Information forwarded to debian-bugs-dist@lists.debian.org, Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>:
Bug#657523; Package lvm2. (Sun, 27 May 2012 11:00:18 GMT)

Acknowledgement sent to Alasdair G Kergon <agk@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>. (Sun, 27 May 2012 11:00:20 GMT)

Message #30 received at 657523@bugs.debian.org:

From: Alasdair G Kergon <agk@redhat.com>
To: Simon Ruderich <simon@ruderich.org>
Cc: Debian Bug Tracking System <657523@bugs.debian.org>, Zdenek Kabelac <zkabelac@redhat.com>
Subject: Re: Bug#657523: Please enabled hardened build flags
Date: Sun, 27 May 2012 11:56:24 +0100
On Sun, May 27, 2012 at 02:42:14AM +0200, Simon Ruderich wrote:
> -		CLDFLAGS="$CLDFLAGS -Wl,--version-script,.export.sym"
> +		CLDFLAGS="$LDFLAGS $CLDFLAGS -Wl,--version-script,.export.sym"

What are typical contents of the LDFLAGS environment variable in Debian?
- Which cmdline parameters are getting lost?
- Which lines are 'losing' the environment LDFLAGS but actually need it?

(There was some problem that led to needing to split LDFLAGS like that, would
have to go back and find the details.)

> +AC_SUBST(LDFLAGS)

Existing inconsistency/bug?
 - make.tmpl.in has LDFLAGS += @LDFLAGS@

Alasdair





Information forwarded to debian-bugs-dist@lists.debian.org, Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>:
Bug#657523; Package lvm2. (Sun, 27 May 2012 12:56:07 GMT)

Acknowledgement sent to Simon Ruderich <simon@ruderich.org>:
Extra info received and forwarded to list. Copy sent to Debian LVM Team <pkg-lvm-maintainers@lists.alioth.debian.org>. (Sun, 27 May 2012 12:56:07 GMT)

Message #35 received at 657523@bugs.debian.org:

From: Simon Ruderich <simon@ruderich.org>
To: Debian Bug Tracking System <657523@bugs.debian.org>
Cc: Alasdair G Kergon <agk@redhat.com>, Zdenek Kabelac <zkabelac@redhat.com>
Subject: Re: Bug#657523: Please enabled hardened build flags
Date: Sun, 27 May 2012 14:52:59 +0200
On Sun, May 27, 2012 at 11:56:24AM +0100, Alasdair G Kergon wrote:
> On Sun, May 27, 2012 at 02:42:14AM +0200, Simon Ruderich wrote:
>> -		CLDFLAGS="$CLDFLAGS -Wl,--version-script,.export.sym"
>> +		CLDFLAGS="$LDFLAGS $CLDFLAGS -Wl,--version-script,.export.sym"
>
> What are typical contents of the LDFLAGS environment variable in Debian?

This command prints the (current) value of LDFLAGS (on a current
sid/wheezy):

    dpkg-buildflags --get LDFLAGS

But $LDFLAGS already contains the correct value (and it shouldn't
be hardcoded in debian/rules).

> - Which cmdline parameters are getting lost?

All flags from LDFLAGS.

> - Which lines are 'losing' the environment LDFLAGS but actually need it?

The lines I pasted in my original patch. The LDFLAGS are missing
when building those libraries (use hardening-check to detect the
missing flags).

>> +AC_SUBST(LDFLAGS)
>
> Existing inconsistency/bug?
>  - make.tmpl.in has LDFLAGS += @LDFLAGS@

Yes, but it's not exported from ./configure without my change.

But I think the following (complete) patch is better than my
original one: it fixes LDFLAGS but passes CLDFLAGS via
debian/rules, thus removing the inconsistency:

diff -Nru lvm2-2.02.95/debian/rules lvm2-2.02.95/debian/rules
--- lvm2-2.02.95/debian/rules	2012-05-03 12:19:33.000000000 +0200
+++ lvm2-2.02.95/debian/rules	2012-05-27 14:45:24.000000000 +0200
@@ -71,7 +71,7 @@
 	rm -rf $(DIR)
 	cp -a '$(SOURCE_DIR)' '$(DIR)'
 	cd $(DIR); \
-	./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+	./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" CLDFLAGS="$(LDFLAGS)" \
 		$(CONFIGURE_FLAGS) \
 		--libdir=\$${exec_prefix}/lib/$(DEB_HOST_MULTIARCH) \
 		--with-optimisation="$(CFLAGS_OPT_DEB)" \
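Review bot: the `CLDFLAGS="$(LDFLAGS)"` added to this configure call is repeated verbatim in the udeb configure call in the next hunk; since both invocations already share `$(CONFIGURE_FLAGS)`, adding `CLDFLAGS="$(LDFLAGS)"` to that variable instead (configure accepts VAR=VALUE arguments in any position) keeps the two builds from drifting apart the next time a flag is added.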
@@ -95,7 +95,7 @@
 	rm -rf $(DIR)
 	cp -a '$(SOURCE_DIR)' '$(DIR)'
 	cd $(DIR); \
-	./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+	./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" CLDFLAGS="$(LDFLAGS)" \
 		$(CONFIGURE_FLAGS) \
 		--with-optimisation="$(CFLAGS_OPT_UDEB)" \
 		--with-cluster=none \
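Review bot: this is the same edit as the deb hunk above, so the same factoring applies; beyond that, a one-line comment in debian/rules stating why CLDFLAGS has to carry `$(LDFLAGS)` (configure's CLDFLAGS is what reaches the shared-library link lines that were missing the flags, as described earlier in this thread, while LDFLAGS alone does not) would spare the next maintainer from rediscovering this bug.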

--- lvm2-2.02.95.orig/configure.in
+++ lvm2-2.02.95/configure.in
@@ -1333,6 +1333,7 @@ AC_SUBST(BUILD_DMEVENTD)
 AC_SUBST(BUILD_LVMETAD)
 AC_SUBST(CFLAGS)
 AC_SUBST(CFLOW_CMD)
+AC_SUBST(LDFLAGS)
 AC_SUBST(CLDFLAGS)
 AC_SUBST(CLDNOWHOLEARCHIVE)
 AC_SUBST(CLDWHOLEARCHIVE)
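Review bot: `AC_SUBST(LDFLAGS)` is inserted between `CFLOW_CMD` and `CLDFLAGS`, breaking the alphabetical order of this AC_SUBST block; it belongs after the `CLD*` entries. Also, once LDFLAGS is substituted, make.tmpl.in's `LDFLAGS += @LDFLAGS@` (quoted earlier in this thread) and the `CLDFLAGS="$(LDFLAGS)"` passed from debian/rules will both carry the dpkg-buildflags values, so any link line that expands both will repeat the hardening flags; that is harmless for the linker, but the patch description should say so, and a blhc pass over the build log after the change would confirm that nothing is still missing.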

Regards,
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
[Message part 2 (application/pgp-signature, inline)]



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:57:02 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.