On Mon, Feb 06, 2012 at 08:55:25AM +0200, Niko Tyni wrote:
> On Sun, Feb 05, 2012 at 10:28:55PM +0000, Dominic Hargreaves wrote:
> > On Sun, Feb 05, 2012 at 08:44:15PM +0200, Niko Tyni wrote:
> > > On Sun, Jan 29, 2012 at 02:02:31PM +0100, Moritz Muehlenhoff wrote:
> > > > Package: perl
> > > > Version: 5.14.2-6
> > > > Severity: important
> > > >
> > > > Please enable hardened build flags through dpkg-buildflags.
> > >
> > > While perl builds fine on amd64 with the attached patch, I'm slightly
> > > uneasy about pushing it to unstable without wider testing.
> >
> > Have you verified the output from hardening-flags before and after,
> > both of perl and of a sample XS module (I used libimager-perl as a test).
>
> No - I just checked the build log, $Config{ccflags} and the like.
>
> Will do that when I have the time.

Looks good to me FWIW:

--- before 2012-02-06 18:05:51.000000000 +0200 +++ after 2012-02-06 18:05:52.000000000 +0200 @@ -1,18 +1,18 @@ /usr/bin/perl: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: unknown, no protectable libc functions used - Read-only relocations: no, not found! + Read-only relocations: yes Immediate binding: no not found! /usr/lib/libperl.so.5.14.2: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes - Fortify Source functions: no, only unprotected functions found! - Read-only relocations: no, not found! + Fortify Source functions: yes (some protected functions found) + Read-only relocations: yes Immediate binding: no not found! /usr/lib/perl5/auto/Imager/File/ICO/ICO.so: Position Independent Executable: no, regular shared library (ignored) Stack protected: yes - Fortify Source functions: no, only unprotected functions found! - Read-only relocations: no, not found! + Fortify Source functions: yes (some protected functions found) + Read-only relocations: yes Immediate binding: no not found!

> Putting the ldflags into lddlflags along with -shared is rather ugly,
> but I couldn't come up with anything better.

BTW, I see we'd have a hard time to be compatible with
DEB_BUILD_MAINT_OPTIONS=hardening=+pie, since most of the flags end up
in -fPIC shared builds one way or another. Do we need to care? Should we
explicitly set hardening=-pie in the package?
--
Niko
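
Review bot: In the after output, "Immediate binding" still reads "no not found!" for all three files and /usr/bin/perl is still "Position Independent Executable: no, normal executable!", so this comparison confirms only the read-only relocations and Fortify Source changes. /usr/bin/perl also keeps "Fortify Source functions: unknown, no protectable libc functions used" on both sides, so the check does not show whether fortify applies to the perl binary itself. Suggest noting in the changelog that immediate binding and PIE are intentionally left off, which would also settle the hardening=-pie question raised in the same message.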