[Bug 986314] [NEW] squid3 missing pie and bind-now hardening options

Steve Beattie sbeattie at ubuntu.com
Fri Apr 20 17:47:20 UTC 2012


Public bug reported:

The squid (v2) package had all of the hardening options enabled (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542723) due to squid
receiving and parsing network input and the number of and severity of
prior security issues; however, with the transition to squid3 some of
these options were lost by falling back to the default compiler
settings.

STEPS TO REPRODUCE:
1) install the hardening-includes package
2) run '/usr/bin/hardening-check /usr/sbin/squid3'

If all the hardening options were enabled at compile time, the output
and return code should be:

  $ hardening-check /usr/sbin/squid3
  /usr/sbin/squid3:
   Position Independent Executable: yes
   Stack protected: yes
   Fortify Source functions: yes (some protected functions found)
   Read-only relocations: yes
   Immediate binding: yes
  $ echo $?
  0

However, with the current squid3 version in precise (3.1.19-1ubuntu2),
the output and return code are like so:

  $ /usr/bin/hardening-check /usr/sbin/squid3
  /usr/sbin/squid3:
   Position Independent Executable: no, normal executable!
   Stack protected: yes
   Fortify Source functions: yes (some protected functions found)
   Read-only relocations: yes
   Immediate binding: no not found!
  $ echo $?
  1

You can also use the test-built-binaries.py script from the
lp:qa-regression-testing testsuite, with python-nose to run just the
squid portion, like so:

  $ nosetests test-built-binaries.py:BuiltBinariesTest.test_squid -v
  Testing squid ... ok

  ----------------------------------------------------------------------
  Ran 1 test in 3.699s

  OK

** Affects: squid3 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/986314