From e503a4d5ac668d233c11f64a0dd0c6d20f3b2be1 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Wed, 1 Oct 2014 08:22:26 +0200
Subject: debian/rules: add hardening=+all
Because of dpkg-buildflags we already get most of the hardening features, +all adds -fPIE and ld -z now
Thanks: Simon Ruderich, Markus Waldeck
---
 debian/rules | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/debian/rules b/debian/rules
index c7b5aa304..f031cfddb 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,9 +21,12 @@ endif
 -include build/environment.mak
 ifneq (,$(shell which dpkg-buildflags))
- export CXXFLAGS = $(shell dpkg-buildflags --get CXXFLAGS)
- export LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
- export CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)
+ # make does not export to $(shell) so we need to workaround
+ # (http://savannah.gnu.org/bugs/?10593)
+ dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags
+ export CXXFLAGS = $(shell $(dpkg_buildflags) --get CXXFLAGS)
+ export LDFLAGS = $(shell $(dpkg_buildflags) --get LDFLAGS)
+ export CPPFLAGS = $(shell $(dpkg_buildflags) --get CPPFLAGS)
 else
 ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
 export CXXFLAGS = -O0 -g -Wall
--
cgit v1.2.3
From 4c370aad7539b7e3bc0028aa538f34b95a526cff Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Thu, 2 Oct 2014 17:48:13 +0200
Subject: apt-get: Create the temporary downloaded changelog inside tmpdir
The code is creating a secure temporary directory, but then creates the changelog alongside the tmpdir in the same base directory. This defeats the secure tmpdir creation, making the filename predictable. Inject a '/' between the tmpdir and the changelog filename.
---
 cmdline/apt-get.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc
index 2e283da5a..cfa79339b 100644
--- a/cmdline/apt-get.cc
+++ b/cmdline/apt-get.cc
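Review bot: In the debian/rules hunk, the `hardening=+all` flags are only picked up in the `dpkg-buildflags` branch; the `else` fallback visible at the end of the hunk sets plain flags, so a build on a system without `dpkg-buildflags` would produce binaries without PIE or `-z now` and nothing reports it. A `$(warning dpkg-buildflags not found, building without hardening flags)` at the top of the `else` branch would make that visible in the build log. Only CXXFLAGS, LDFLAGS and CPPFLAGS are exported, so any C sources would not receive `-fPIE` unless CFLAGS is exported the same way. The new comment could also record what `+all` adds beyond the defaults (per the commit message, `-fPIE` and `ld -z now`), and a post-build check of the shipped binaries (for example with `hardening-check`) would confirm the flags actually reach the compile and link steps. The `ifneq`/`else` block continues past the end of the hunk.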
@@ -1563,7 +1563,7 @@ static bool DoChangelog(CommandLine &CmdL)
 {
 string changelogfile;
 if (downOnly == false)
- changelogfile.append(tmpname).append("changelog");
+ changelogfile.append(tmpname).append("/changelog");
 else
 changelogfile.append(Ver.ParentPkg().Name()).append(".changelog");
 if (DownloadChangelog(Cache, Fetcher, Ver, changelogfile) && downOnly == false)
--
cgit v1.2.3
From 536fdb8823fdec24c26d984317b8162237c427c3 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Thu, 2 Oct 2014 22:07:25 +0200
Subject: releasing package apt version 1.0.9.2
---
 debian/changelog | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 36353bd95..6de853359 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,31 @@
+apt (1.0.9.2) unstable; urgency=medium
+
+ [ Michael Vogt ]
+ * test/integration/test-apt-update-file: improve test
+ * Fix regression when copy: is used for a relative path (Closes: #762160)
+ * generalize Acquire::GzipIndex to support all compressions that
+ apt supports
+ * Fix regression for cdrom: sources from latest security update
+ * Ensure that iTFRewritePackageOrder is "MD5sum" to match
+ apt-ftparchive
+ * debian/rules: add hardening=+all.
+ Thanks to Simon Ruderich, Markus Waldeck
+
+ [ Holger Wansing ]
+ * German program translation update (Closes: 762223)
+
+ [ Jérémy Bobbio ]
+ * disable timestamps in the footer of docs by doxygen
+
+ [ Trần Ngọc Quân ]
+ * Set STRIP_FROM_PATH for doxygen
+
+ [ Guillem Jover ]
+ * apt-get: Create the temporary downloaded changelog inside tmpdir
+ (closes: #763780)
+
+ -- Michael Vogt Thu, 02 Oct 2014 22:05:39 +0200
+
 apt (1.0.9.1) unstable; urgency=high
 [ Michael Vogt ]
--
cgit v1.2.3
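Review bot: In DoChangelog (cmdline/apt-get.cc), the download-only branch still writes to `<package>.changelog` in the current directory, which is just as predictable as the path this change fixes; if the command is run from a directory other users can write to, the download could land on a file or link someone else placed there, depending on how `DownloadChangelog` opens its target (not visible here). A comment on that branch, e.g. `// download-only: predictable name in the cwd, which the caller is expected to control`, would record that this is deliberate. `tmpname` is created outside the hunk; presumably it comes from `mkdtemp`, so confirm its failure is handled before it reaches `append()`. DoChangelog's body starts and ends outside the hunk.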