Ubuntu
nagios-plugins package

hardened build option lost in debian/control

Bug #837085 reported by Scott Moser
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nagios-plugins (Ubuntu)
Fix Released
Medium
Scott Moser
Ubuntu ubuntu-11.10-beta-2

Bug Description

In the merge with 1.4.15-4, the hardened build option in debian/control was lost.

$ bzr diff -r tag:1.4.15-2ubuntu1..tag:1.4.15-4ubuntu1 debian/control | grep Build-De
-Build-Depends: debhelper (>= 5), dpatch (>= 2.0.9), autotools-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libradius1-dev, libkrb5-dev, libnet-snmp-perl, procps, mawk | awk, hardening-wrapper
+Build-Depends: debhelper (>= 5), dpatch (>= 2.0.9), perl, autotools-dev, libldap2-dev, libpq-dev, libmysqlclient-dev, libradius1-dev, libkrb5-dev, libnet-snmp-perl, procps, mawk | awk

Tags: server-o-rs

Related branches

lp://qastaging/~smoser/ubuntu/oneiric/nagios-plugins/lp837085
Kees Cook: Approve
Diff: 58 lines (+26/-1)
4 files modified
debian/changelog (+6/-0)
debian/control (+1/-1)
debian/patches/00list (+1/-0)
debian/patches/90_hardened_build_fixes.dpatch (+18/-0)
lp://qastaging/ubuntu/oneiric/nagios-plugins
lp://qastaging/debian/nagios-plugins
lp://qastaging/debian/wheezy/nagios-plugins
Dave Walker (davewalker)
tags: added: server-o-rs
Changed in nagios-plugins (Ubuntu):
assignee: nobody → Scott Moser (smoser)
status: New → Confirmed
importance: Undecided → Medium
milestone: none → ubuntu-11.10-beta-2
Revision history for this message
Scott Moser (smoser) wrote :

per kees in #ubuntu-devel:

<kees> smoser: it looks like it's more than just adding it back in, since they appear to have added vulnerable code now, too.
<kees> smoser: so you'll need to fix at least the one flaw that the compiler flags found

Revision history for this message
Jan Wagner (waja) wrote : Re: [Bug 837085] Re: hardened build option lost in debian/control

On Tuesday 30 August 2011 02:21:54 you wrote:
> per kees in #ubuntu-devel:
>
> <kees> smoser: it looks like it's more than just adding it back in, since
> they appear to have added vulnerable code now, too.
> <kees> smoser: so you'll need to fix at least the one flaw that the compiler
> flags found

are there any more specific infos about the problem?

Scott Moser (smoser)
Changed in nagios-plugins (Ubuntu):
status: Confirmed → Fix Released
status: Fix Released → In Progress
Revision history for this message
Thomas Guyot-Sionnest (dermoth) wrote :

The code wasn't actually vulnerable; GCC couldn't check whenever it was. I've fixed this in both master and maint-1.4.15. The fix is so trivial it can be safely applied to any version of the Nagios-Plugins too.

See commit entitled "Make GCC happy" here:

http://nagiosplug.git.sourceforge.net/git/gitweb.cgi?p=nagiosplug/nagiosplug;a=summary

Revision history for this message
Jan Wagner (waja) wrote :

On Wednesday 07 September 2011 14:52:29 you wrote:
> The code wasn't actually vulnerable; GCC couldn't check whenever it was.
> I've fixed this in both master and maint-1.4.15. The fix is so trivial
> it can be safely applied to any version of the Nagios-Plugins too.
>
> See commit entitled "Make GCC happy" here:
>
> http://nagiosplug.git.sourceforge.net/git/gitweb.cgi?p=nagiosplug/nagiosplu
> g;a=summary

I also pushed 1.4.15-5 into unstable some minutes ago which have this fix
incorporated. Feel free to catch that for 11.10.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios-plugins - 1.4.15-4ubuntu2

---------------
nagios-plugins (1.4.15-4ubuntu2) oneiric; urgency=low

  * re-enable hardened builds (LP: #837085)
 -- Scott Moser <email address hidden> Tue, 06 Sep 2011 16:08:53 -0400

Changed in nagios-plugins (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.