Package: ocaml
Version: 4.01.0-5
Severity: minor
Tags: patch

Dear Maintainer,

See discussion on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702349

I am including a patch that enables the relro and bindnow hardening flags for OCaml and packages compiled by ocaml.

I haven't submitted the patch upstream yet; there is only this bug report asking for LDFLAGS and having CCLINKFLAGS as solution for ocamlyacc only:
http://caml.inria.fr/mantis/view.php?id=4698

There is also this bug about CFLAGS (which can be useful for hardening C stubs perhaps?):
http://caml.inria.fr/mantis/view.php?id=3664

My patch simply sets CCLINKFLAGS based on LDFLAGS and includes CCLINKFLAGS into MKEXE/MKDLL/MKMAINDLL, which AFAICT are the cmdlines used to build executables and shared libraries by ocamlc/ocamlopt.

Should I submit the patch upstream, or would it require more modifications to support Debian's hardening features?

Output of hardening-check before the patch:

/usr/bin/ocamlopt.opt:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

Output of hardening-check after the patch:

../ocamlopt.opt:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

Running lintian on the newly built packages doesn't show the hardening-no-relro warning anymore:

$ lintian ../*.deb
W: ocaml-nox: binary-without-manpage usr/bin/ocamlbuild
W: ocaml-mode: binary-without-manpage usr/bin/ocamltags
N: 1 tag overridden (1 warning)

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages ocaml depends on:
ii  libx11-dev                      2:1.6.2-3
ii  ocaml-base [ocaml-base-4.01.0]  4.01.0-5
ii  ocaml-base-nox                  4.01.0-5
ii  ocaml-nox [ocaml-nox-4.01.0]    4.01.0-5

ocaml recommends no packages.

Versions of packages ocaml suggests:
ii  tcl-dev  8.6.0+8
pn  tk-dev   <none>

-- no debconf information
--- a/debian/patches/0010-Obey-ldflags.patch 1970-01-01 02:00:00.000000000 +0200 +++ b/debian/patches/0010-Obey-ldflags.patch 2015-07-15 15:59:20.600661858 +0300 @@ -0,0 +1,34 @@ +Description: use CCLINKFLAGS for linking all executables and shared libraries + This allows packagers to set additional linker flags for executables and shared + libraries created by OCaml, and for the OCaml tools themselves. + OCaml code can be linked with various C stubs and C libraries that would + benefit from using hardening link flags, such as -Wl,-z,relro. +--- + +Origin: other +Bug-Debian: https://bugs.debian.org/702349 +Forwarded: no +Last-Update: <2015-07-15> + +--- ocaml-4.02.1.orig/configure ++++ ocaml-4.02.1/configure +@@ -739,6 +739,8 @@ if test $with_sharedlibs = "yes"; then + shared_libraries_supported=true;; + esac + fi ++mksharedlib="$mksharedlib $CCLINKFLAGS" ++mkexe="$mkexe $CCLINKFLAGS" + + if test -z "$mkmaindll"; then + mkmaindll=$mksharedlib +--- ocaml-4.02.1.orig/tools/Makefile.shared ++++ ocaml-4.02.1/tools/Makefile.shared +@@ -278,7 +278,7 @@ beforedepend:: opnames.ml + + objinfo_helper$(EXE): objinfo_helper.c ../config/s.h + $(BYTECC) -o objinfo_helper$(EXE) $(BYTECCCOMPOPTS) \ +- objinfo_helper.c $(LIBBFD_LINK) ++ objinfo_helper.c $(LIBBFD_LINK) $(CCLINKFLAGS) + + OBJINFO=../compilerlibs/ocamlcommon.cma \ + ../compilerlibs/ocamlbytecomp.cma \ diff -rNu ../o/ocaml-4.02.1/debian/patches/series debian/patches/series --- a/debian/patches/series 2014-11-20 17:48:56.000000000 +0200 +++ b/debian/patches/series 2015-07-15 16:07:10.622247953 +0300 @@ -7,3 +7,4 @@ 0007-Tune-resource-usage-of-some-tests.patch 0008-Native-backtraces-don-t-work-on-powerpc-and-sparc.patch 0009-Fix-asmcomp-tests-on-sparc.patch +0010-Obey-ldflags.patch --- a/debian/rules 2015-02-16 12:37:56.000000000 +0200 +++ b/debian/rules 2015-07-15 15:54:11.360881817 +0300 
@@ -59,6 +59,9 @@ export OCAML_OPT_ARCH export OCAML_STDLIB_DIR +export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow +export CCLINKFLAGS=$(shell dpkg-buildflags --get LDFLAGS) + CONFIGURE_OPTS := \ --host $(DEB_BUILD_GNU_TYPE)\ --with-pthread -prefix $(DEB_TEST_BUILD_PREFIX)/usr \
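Review bot: in the configure hunk of 0010-Obey-ldflags.patch, mkmaindll only receives CCLINKFLAGS through the `mkmaindll=$mksharedlib` fallback visible in the context, so on a platform where configure has already set mkmaindll the flags are lost, which contradicts the description "all executables and shared libraries"; append `$CCLINKFLAGS` to mkmaindll as well (for example right after that `if ... fi`), or place the two new assignments below it. A one-line comment that CCLINKFLAGS is read from the environment would also help, because configure neither documents nor defaults the variable.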
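Review bot: the tools/Makefile.shared hunk adds `$(CCLINKFLAGS)` to the objinfo_helper link line, but nothing in this patch writes CCLINKFLAGS into the generated config/Makefile; the report says the variable already exists for ocamlyacc, so please confirm it is defined there for every configuration, otherwise it expands to nothing and objinfo_helper is silently linked without relro/bindnow while the rest of the tools get them.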
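Review bot: in the DEP-3 header of 0010-Obey-ldflags.patch, `Last-Update: <2015-07-15>` keeps the angle brackets of the template and should read `Last-Update: 2015-07-15`. The inner diff is taken against ocaml-4.02.1 while the report is filed against 4.01.0-5, so the header or changelog should say which source the hardening-check results above come from; and since forwarding upstream is still an open question, `Forwarded: no` should become the Mantis URL once the patch is submitted.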
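Review bot: in the debian/rules hunk, `export CCLINKFLAGS=$(shell dpkg-buildflags --get LDFLAGS)` passes only the linker flags, which is exactly what the hardening-check output shows (relro and bindnow now "yes", PIE and stack protector still "no"); say so in the changelog so nobody reads the patch as enabling all of Debian's hardening. It is also worth a comment that `--get LDFLAGS` contains `-Wl,-z,now` only because of the `DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow` line added just above it, since bindnow is not in dpkg-buildflags' default set.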
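As an added example, not part of this bug report or of the OCaml sources, here is a small checker for the two properties the patch targets: it parses an ELF file's program headers for PT_GNU_RELRO and its dynamic section for DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW, i.e. what hardening-check reports as "Read-only relocations" and "Immediate binding". The hypothetical helper `build_and_check` links a constructed one-line C program with given linker flags (it assumes a `cc` on PATH) so you can confirm that the flags coming through LDFLAGS/CCLINKFLAGS really reach the binary.

```python
import os, shutil, struct, subprocess, tempfile

# ELF constants as in elf.h; PT_GNU_RELRO and DF_1_NOW are GNU extensions.
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474e552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_relro_bindnow(path):
    """Return {'relro': bool, 'bindnow': bool} for an ELF32/ELF64 file: the two
    properties hardening-check prints as 'Read-only relocations' / 'Immediate binding'."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError("%s: not an ELF file" % path)
    is64, end = data[4] == 2, "<" if data[5] == 1 else ">"
    if is64:  # Elf64_Ehdr: e_phoff..e_phnum start at 0x20; Elf64_Phdr p_offset/p_filesz at 2/5
        phoff, _, _, _, phentsize, phnum = struct.unpack_from(end + "QQIHHH", data, 0x20)
        ph_fmt, off_ix, sz_ix, dyn_fmt = end + "IIQQQQQQ", 2, 5, end + "qQ"
    else:     # Elf32_Ehdr: same fields start at 0x1c; Elf32_Phdr p_offset/p_filesz at 1/4
        phoff, _, _, _, phentsize, phnum = struct.unpack_from(end + "IIIHHH", data, 0x1c)
        ph_fmt, off_ix, sz_ix, dyn_fmt = end + "IIIIIIII", 1, 4, end + "iI"
    relro, dyn = False, None
    for i in range(phnum):  # walk the program headers
        ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        if ph[0] == PT_GNU_RELRO:
            relro = True          # the linker emitted a RELRO segment (-z relro)
        elif ph[0] == PT_DYNAMIC:
            dyn = (ph[off_ix], ph[sz_ix])
    bindnow = False
    if dyn:  # scan dynamic entries up to DT_NULL for any "bind now" marker
        step = struct.calcsize(dyn_fmt)
        for off in range(dyn[0], dyn[0] + dyn[1], step):
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bindnow = True    # -z now took effect
    return {"relro": relro, "bindnow": bindnow}

def build_and_check(ldflags, cc="cc"):
    """Hypothetical helper: link a constructed C program with the given linker
    flags and check the result. Returns None when no C compiler is available."""
    if shutil.which(cc) is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        src, exe = os.path.join(tmp, "t.c"), os.path.join(tmp, "t")
        with open(src, "w") as f:  # constructed sample input
            f.write('#include <stdio.h>\nint main(void){puts("hi");return 0;}\n')
        subprocess.run([cc, src, "-o", exe] + list(ldflags), check=True)
        return check_relro_bindnow(exe)
```

Calling `check_relro_bindnow("/usr/bin/ocamlopt.opt")` on a binary built with the patched rules should give both keys as True, matching the second hardening-check output above.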