severity 712729 important
tags 712729 patch
thanks

Hello,

Raising severity because this causes missing hardening flags for
packages (e.g. shadow, and therefore no PIE for the setuid su) when
the maintainer uses the DEB_* variables (including
DEB_BUILD_MAINT_OPTIONS) documented in dpkg-buildflags to add
additional flags.

The attached patch should fix this issue by exporting all DEB_*
variables when calling dpkg-buildflags. The underlying problem is that
GNU make's $(shell ..) does not pass on the exported environment that
is normally used when calling subprocesses.

There should be no backwards-incompatible change, because the
maintainer must set the DEB_* variables explicitly. If none of
those variables are used, nothing changes.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
--- /usr/share/cdbs/1/class/langcore.mk	2013-07-02 10:57:14.000000000 +0200
+++ usr/share/cdbs/1/class/langcore.mk	2014-01-19 18:33:18.302480003 +0100
@@ -26,11 +26,18 @@
 
 # Resolve our defaults
 ifneq (,$(wildcard /usr/bin/dpkg-buildflags))
-deb_cflags := $(shell dpkg-buildflags --get CFLAGS)
-deb_cppflags := $(shell dpkg-buildflags --get CPPFLAGS)
-deb_cxxflags := $(shell dpkg-buildflags --get CXXFLAGS)
-deb_fflags := $(shell dpkg-buildflags --get FFLAGS)
-deb_ldflags := $(shell dpkg-buildflags --get LDFLAGS)
+# GNU Make doesn't export the current environment when using $(shell ..). But
+# we need at least some of the DEB_* flags for dpkg-buildflags, therefore
+# extract them from them defined variables. Sadly there seems to be no way to
+# just get all exported variables.
+get_dpkg_buildflags = $(shell \
+    $(foreach flag,$(filter DEB_%,$(.VARIABLES)),$(flag)="$($(flag))") \
+    dpkg-buildflags --get $(1))
+deb_cflags := $(call get_dpkg_buildflags,CFLAGS)
+deb_cppflags := $(call get_dpkg_buildflags,CPPFLAGS)
+deb_cxxflags := $(call get_dpkg_buildflags,CXXFLAGS)
+deb_fflags := $(call get_dpkg_buildflags,FFLAGS)
+deb_ldflags := $(call get_dpkg_buildflags,LDFLAGS)
 else
 # TODO: Use above unconditionally when oldstable has dpkg >= 1.15.7
 deb_cflags = -g
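Review bot: The interpolation `$(flag)="$($(flag))"` on the foreach line places each DEB_* value inside double quotes, so a value containing `"`, a backtick or `$` is re-interpreted by the shell and the assignment list can break; because $(shell) only captures stdout, the likely outcome is an empty deb_cflags and the same silent loss of hardening flags this patch is meant to cure. Single quotes with an embedded quote escaped are the robust form: `$(foreach flag,$(filter DEB_%,$(.VARIABLES)),$(flag)='$(subst ','\'',$($(flag)))') \`. Two things the new comment could state explicitly: `.VARIABLES` only lists names defined before this point is parsed, so a DEB_* assignment made after cdbs is included is still not seen, and any make variable whose name is not a valid shell identifier would turn the whole command into a shell syntax error. The `ifneq` block opened on the first context line is closed by an `endif` outside the hunk.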

Attachment: signature.asc
Description: Digital signature
