Source: ace
Version: 6.3.3+dfsg-1.2
Severity: normal
Tags: patch

With gcc in stretch defaulting to PIE, hardening=...,-pie changed semantics from "enable hardening but not PIE" to "enable hardening and explicitly disable the default PIE". The latter is usually not intended.
The -pie in hardening flags was in some cases required in pre-stretch releases to avoid build failures caused by (incorrectly) passing -fPIE to the compiler when building shared libraries or plugins. This problem no longer exists.

Please consider applying the following change:

--- debian/rules.old 2017-03-20 08:43:43.000000000 +0000 +++ debian/rules 2017-03-20 08:43:43.000000000 +0000 @@ -9,7 +9,7 @@ # Copyright © 2010-2014 Johnny Willemsen <jwillem...@remedy.nl> #export DEB_BUILD_MAINT_OPTIONS = hardening=+all -export DEB_BUILD_MAINT_OPTIONS = hardening=+format,+fortify,+stackprotector,+relro,+bindnow,-pie +export DEB_BUILD_MAINT_OPTIONS = hardening=+format,+fortify,+stackprotector,+relro,+bindnow DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk CFLAGS+=$(CPPFLAGS)
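
Review bot: On the changed `DEB_BUILD_MAINT_OPTIONS` line, once `,-pie` is dropped the enumerated list no longer carries any exception, yet the commented-out `#export DEB_BUILD_MAINT_OPTIONS = hardening=+all` directly above it is left in place with no explanation. Either switch to `hardening=+all` and delete the dead line, or add a one-line comment saying why the features are listed individually, so the next reader does not have to guess whether something is still being left out on purpose.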