Bug#988046: bind9: does not honor CPPFLAGS

Emilio Pozuelo Monfort Tue, 04 May 2021 02:21:14 -0700

Package: bind9
Severity: normal

Hi,


While doing a bind9 update for stretch LTS, Anton Gladky added a salsa
pipeline which had a blhc (build log hardening check) test that was
failing.

I have investigated it and found that bind9 is not using automake and while
it tries to honor most *FLAGS variables, it ignores CPPFLAGS. The attached
patch makes it honor CPPFLAGS, so that Debian's default flags (e.g.
-D_FORTIFY_SOURCE=2) get passed. A small diff from the build logs:

-libtool: compile:  gcc -include /build/bind9-9.16.13/config.h 
-I/build/bind9-9.16.13 -I../../.. -I./include -I./../unix/include 
-I./../pthreads/include -I../include -I./../include -I./.. 
-I/usr/include/json-c -I/usr/include/libxml2 -g -O2 
-ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat 
-Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks 
-DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes 
-Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith 
-Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o 
>/dev/null 2>&1
+libtool: compile:  gcc -Wdate-time -D_FORTIFY_SOURCE=2 -include 
/build/bind9-9.16.13/config.h -I/build/bind9-9.16.13 -I../../.. -I./include 
-I./../unix/include -I./../pthreads/include -I../include -I./../include -I./.. 
-I/usr/include/json-c -I/usr/include/libxml2 -g -O2 
-ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat 
-Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks 
-DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes 
-Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith 
-Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o 
>/dev/null 2>&1

I have not tested the resulting package, but it should probably be alright
to add this after the current freeze.

Thanks,
Emilio

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (200, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-5-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii  adduser                3.118
ii  bind9-libs             1:9.16.13-1
pn  bind9-utils            <none>
ii  debconf [debconf-2.0]  1.5.75
ii  dns-root-data          2021011101
ii  init-system-helpers    1.60
ii  iproute2               5.10.0-4
ii  libc6                  2.31-11
ii  libcap2                1:2.44-1
ii  libfstrm0              0.6.0-1+b1
ii  libjson-c5             0.15-2
ii  liblmdb0               0.9.24-1
ii  libmaxminddb0          1.5.2-1
ii  libprotobuf-c1         1.3.3-1+b2
ii  libssl1.1              1.1.1k-1
ii  libuv1                 1.40.0-1
ii  libxml2                2.9.10+dfsg-6.3+b1
ii  lsb-base               11.1.0
ii  netbase                6.2
ii  zlib1g                 1:1.2.11.dfsg-2

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                   <none>
ii  bind9-dnsutils [dnsutils]  1:9.16.13-1
ii  dnsutils                   1:9.16.13-1
pn  resolvconf                 <none>
pn  ufw                        <none>

diff -Nru bind9-9.16.13/debian/changelog bind9-9.16.13/debian/changelog
--- bind9-9.16.13/debian/changelog      2021-03-18 14:23:49.000000000 +0100
+++ bind9-9.16.13/debian/changelog      2021-05-04 10:39:27.000000000 +0200
@@ -1,3 +1,10 @@
+bind9 (1:9.16.13-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Pass CPPFLAGS down to make.
+
+ -- Emilio Pozuelo Monfort <po...@debian.org>  Tue, 04 May 2021 10:39:27 +0200
+
 bind9 (1:9.16.13-1) unstable; urgency=medium
 
   * New upstream version 9.16.13
diff -Nru bind9-9.16.13/debian/patches/preserve-cppflags.patch 
bind9-9.16.13/debian/patches/preserve-cppflags.patch
--- bind9-9.16.13/debian/patches/preserve-cppflags.patch        1970-01-01 
01:00:00.000000000 +0100
+++ bind9-9.16.13/debian/patches/preserve-cppflags.patch        2021-05-04 
10:39:27.000000000 +0200
@@ -0,0 +1,23 @@
+Preserve CPPFLAGS
+
+Author: Emilio Pozuelo Monfort <po...@debian.org>
+
+--- a/make/rules.in
++++ b/make/rules.in
+@@ -105,6 +105,7 @@ install uninstall clean distclean mainta
+ 
+ CC =          @CC@
+ CFLAGS =      @CFLAGS@
++CPPFLAGS =    @CPPFLAGS@
+ LDFLAGS =     @LDFLAGS@
+ STD_CINCLUDES =       @STD_CINCLUDES@
+ STD_CDEFINES =        @STD_CDEFINES@
+@@ -160,7 +161,7 @@ ALWAYS_DEFINES = @ALWAYS_DEFINES@
+ ALWAYS_WARNINGS =
+ 
+ ALL_CPPFLAGS = \
+-      ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
++      ${CPPFLAGS} ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
+       ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES}
+ 
+ ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \
diff -Nru bind9-9.16.13/debian/patches/series 
bind9-9.16.13/debian/patches/series
--- bind9-9.16.13/debian/patches/series 2021-03-18 14:23:49.000000000 +0100
+++ bind9-9.16.13/debian/patches/series 2021-05-04 10:39:27.000000000 +0200
@@ -5,3 +5,4 @@
 0005-Fix-TCPDNS-and-TLSDNS-timers.patch
 0006-Merge-the-common-parts-between-udp-tcpdns-and-tlsdns.patch
 0007-Change-the-isc_nm_-get-set-timeouts-to-work-with-mil.patch
+preserve-cppflags.patch

Bug#988046: bind9: does not honor CPPFLAGS

Reply via email to