Package: lintian
Version: 2.5.50.1
Severity: normal
Tags: patch

The attached patch turns hardening-no-pie into a warning and improves the description.
This should help to reduce the number of cases where PIE is accidentally disabled (most notably hardening=+all,-pie).
>From b2f0146901669b7b2e3e911a4805213a1ae26174 Mon Sep 17 00:00:00 2001 From: Adrian Bunk <b...@debian.org> Date: Sat, 25 Feb 2017 19:31:28 +0200 Subject: Turn hardening-no-pie into a warning and improve the description --- checks/binaries.desc | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-) diff --git a/checks/binaries.desc b/checks/binaries.desc index c3f9d8563..8a43d1891 100644 --- a/checks/binaries.desc +++ b/checks/binaries.desc 
@@ -394,34 +394,25 @@ Info: This package provides an ELF binary that lacks the "bindnow" Ref: https://wiki.debian.org/Hardening Tag: hardening-no-pie -Severity: wishlist +Severity: normal Certainty: certain Info: This package provides an ELF executable that was not compiled as a position independent executable (PIE). . - In Debian, gcc-6 as of version 6.2.0-9 will compile ELF binaries with - PIE by default. In most cases a simple rebuild will be sufficient to - remove this tag. + In Debian, since version 6.2.0-7 of the gcc-6 package GCC will + compile ELF binaries with PIE by default. In most cases a simple + rebuild will be sufficient to remove this tag. . PIE is required for fully enabling Address Space Layout Randomization (ASLR), which makes "Return-oriented" attacks more difficult. . Historically, PIE has been associated with noticeable performance - overhead on i386. However, GCC-5 has implemented an optimization + overhead on i386. However, GCC >= 5 has implemented an optimization that can reduce the overhead significantly. . - If you use <tt>dpkg-buildflags</tt>, you may have to add - <tt>hardening=+pie</tt> or <tt>hardening=+all</tt> to - <tt>DEB_BUILD_MAINT_OPTIONS</tt>. - . - The relevant compiler flags must be passed both to the compiler - and the linker (e.g. for C that would be commonly be - <tt>CFLAGS</tt> and <tt>LDFLAGS</tt>). - . - If your upstream build compiles either of the above, you may have to - patch the build to ensure that only ELF executables are compiled with - PIE. + If you use <tt>dpkg-buildflags</tt> with <tt>hardening=+all,-pie</tt> + in <tt>DEB_BUILD_MAINT_OPTIONS</tt>, remove the <tt>-pie</tt>. Ref: https://wiki.debian.org/Hardening, https://gcc.gnu.org/gcc-5/changes.html, https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode -- 2.11.0
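Review bot: The rewritten remedy paragraph covers only the hardening=+all,-pie case and drops the two removed paragraphs that told the maintainer the flags must reach both the compiler and the linker (commonly CFLAGS and LDFLAGS for C) and that an upstream build may need patching so only ELF executables, not shared objects, are built with PIE. With the severity raised to normal, a package whose build does not use dpkg-buildflags at all, or overrides LDFLAGS, now gets a more visible tag with no guidance beyond "remove the -pie"; suggest keeping a condensed form of the dropped text after the new sentence, e.g. "If your build does not use dpkg-buildflags, the flags must be passed both to the compiler and the linker." Separately, the hunk changes the gcc-6 version at which PIE became the default from 6.2.0-9 to 6.2.0-7 while the commit message only says "improve the description"; please state the source of the corrected version (the gcc-6 changelog entry) in the commit message so the change can be verified.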