Package: debhelper
Version: 9.20120410
Severity: important
Tags: patch

Hello,

The cmake buildsystem ignores CPPFLAGS and upstream rejected a patch to include them in CFLAGS (#653916). This prevents automatic hardening with -D_FORTIFY_SOURCE=2 for all CMake packages (see [1] for more information about hardening).

Modifying all CMake packages just to append CPPFLAGS to CFLAGS creates unnecessary boilerplate and requires modifying all CMake packages - something maintainers are reluctant to do (#667941).

If possible debhelper should be updated as soon as possible to help with the hardening release goal for wheezy.

The attached patch updates cmake.pm to append CPPFLAGS to CFLAGS. It seems to work fine, but I don't have much experience with debhelper's buildsystem - please modify the patch if there's a better way to handle that.

Regards,
Simon

[1]: https://wiki.debian.org/Hardening

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

diff -Nru debhelper-9.20120410/Debian/Debhelper/Buildsystem/cmake.pm debhelper-9.20120410.1~hardening1/Debian/Debhelper/Buildsystem/cmake.pm --- debhelper-9.20120410/Debian/Debhelper/Buildsystem/cmake.pm 2011-10-20 02:02:57.000000000 +0200 +++ debhelper-9.20120410.1~hardening1/Debian/Debhelper/Buildsystem/cmake.pm 2012-04-14 16:58:24.000000000 +0200 @@ -43,6 +43,12 @@ push @flags, "-DCMAKE_INSTALL_PREFIX=/usr"; push @flags, "-DCMAKE_VERBOSE_MAKEFILE=ON"; + # CMake doesn't respect CPPFLAGS, see #653916. + if ($ENV{CPPFLAGS}) { + $ENV{CFLAGS} .= ' ' . $ENV{CPPFLAGS}; + $ENV{CXXFLAGS} .= ' ' . $ENV{CPPFLAGS}; + } + $this->mkdir_builddir(); eval { $this->doit_in_builddir("cmake", $this->get_source_rel2builddir(), @flags, @_);
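
Review bot: The append inside the new `if ($ENV{CPPFLAGS})` block writes to the global %ENV, so the modified CFLAGS and CXXFLAGS stay in effect for every command run later from the same process, and a second pass through this code would append CPPFLAGS again. Since only the `doit_in_builddir("cmake", ...)` call needs the combined values, consider localizing the two variables at the level of the enclosing sub (not inside the `if` block, where the localization would end at the closing brace) or guarding against a repeated append. The comment could also state that the change is limited to C and C++ flags, since those are the only two variables touched.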