[Bug 986314] Re: squid3 missing pie and bind-now hardening options

Micah Gersten launchpad at micahscomputing.com
Fri Apr 20 20:16:40 UTC 2012


Waiting in unapproved for precise-proposed

** Changed in: squid3 (Ubuntu Precise)
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/986314

Title:
  squid3 missing pie and bind-now hardening options

Status in “squid3” package in Ubuntu:
  Fix Committed
Status in “squid3” source package in Precise:
  Fix Committed

Bug description:
  The squid (v2) package had all of the hardening options enabled (see
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542723) due to squid
  receiving and parsing network input and the number of and severity of
  prior security issues; however, with the transition to squid3 some of
  these options were lost by falling back to the default compiler
  settings.

  STEPS TO REPRODUCE:
  1) install the hardening-includes package
  2) run '/usr/bin/hardening-check /usr/sbin/squid3'

  If all the hardening options were enabled at compile time, the output
  and return code should be:

    $ hardening-check /usr/sbin/squid3
    /usr/sbin/squid3:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    $ echo $?
    0

  However, with the current squid3 version in precise (3.1.19-1ubuntu2),
  the output and return code are like so:

    $ /usr/bin/hardening-check /usr/sbin/squid3
    /usr/sbin/squid3:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    $ echo $?
    1

  You can also use the test-built-binaries.py script from the
  lp:qa-regression-testing testsuite, with python-nose to run just the
  squid portion, like so:

    $ nosetests test-built-binaries.py:BuiltBinariesTest.test_squid -v
    Testing squid ... ok

    ----------------------------------------------------------------------
    Ran 1 test in 3.699s

    OK

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/986314/+subscriptions