Source: nss-pam-ldapd
Version: 0.9.7-2
Severity: normal
Tags: patch

With gcc in stretch defaulting to PIE, hardening=+all,-pie changed
semantics from "enable hardening but not PIE" to "enable all hardening
and explicitely disable the default PIE".
The latter is usually not intended.

The -pie in hardening flags was in some cases required in pre-stretch
releases to avoid build failures caused by (incorrectly) passing -fPIE
to the compiler when building shared libraries or plugins.
This problem does no longer exist.

Please consider applying the following patch:

--- debian/rules.old    2017-04-03 12:56:50.000000000 +0000
+++ debian/rules        2017-04-03 12:57:00.000000000 +0000
@@ -5,8 +5,8 @@
 # multiarch support
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 
-# enable hardening options (we disable pie because it conflicts with -fPIC)
-export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
+# enable hardening options
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 
 %:
        dh $@ --with python2

Reply via email to