Bug#657853: Please enable hardened build flags
Niko Tyni
ntyni at debian.org
Mon Feb 6 16:47:57 UTC 2012
On Mon, Feb 06, 2012 at 08:55:25AM +0200, Niko Tyni wrote:
> On Sun, Feb 05, 2012 at 10:28:55PM +0000, Dominic Hargreaves wrote:
> > On Sun, Feb 05, 2012 at 08:44:15PM +0200, Niko Tyni wrote:
> > > On Sun, Jan 29, 2012 at 02:02:31PM +0100, Moritz Muehlenhoff wrote:
> > > > Package: perl
> > > > Version: 5.14.2-6
> > > > Severity: important
> > > >
> > > > Please enable hardened build flags through dpkg-buildflags.
> > >
> > > While perl builds fine on amd64 with the attached patch, I'm slightly
> > > uneasy about pushing it to unstable without wider testing.
> >
> > Have you verified the output from hardening-flags before and after,
> > both of perl and of a sample XS module (I used libimager-perl as a test)?
>
> No - I just checked the build log, $Config{ccflags} and the like.
>
> Will do that when I have the time.
Looks good to me FWIW:
--- before 2012-02-06 18:05:51.000000000 +0200
+++ after 2012-02-06 18:05:52.000000000 +0200
@@ -1,18 +1,18 @@
/usr/bin/perl:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: unknown, no protectable libc functions used
- Read-only relocations: no, not found!
+ Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/libperl.so.5.14.2:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
- Fortify Source functions: no, only unprotected functions found!
- Read-only relocations: no, not found!
+ Fortify Source functions: yes (some protected functions found)
+ Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/perl5/auto/Imager/File/ICO/ICO.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
- Fortify Source functions: no, only unprotected functions found!
- Read-only relocations: no, not found!
+ Fortify Source functions: yes (some protected functions found)
+ Read-only relocations: yes
Immediate binding: no not found!
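Review bot: Immediate binding is still "no not found!" in the after output for /usr/bin/perl, libperl.so.5.14.2 and ICO.so, so the read-only relocations gained here are partial RELRO only, and the GOT entries used for lazy binding stay writable. If full RELRO is wanted, consider enabling hardening=+bindnow in DEB_BUILD_MAINT_OPTIONS and re-running the comparison. Separately, /usr/bin/perl still reports Fortify Source as "unknown, no protectable libc functions used", so only the libperl.so and ICO.so lines show that the fortify flag reached the compile.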
> Putting the ldflags into lddlflags along with -shared is rather ugly,
> but I couldn't come up with anything better.
BTW, I see we'd have a hard time being compatible with
DEB_BUILD_MAINT_OPTIONS=hardening=+pie,
since most of the flags end up in -fPIC shared builds one way
or another. Do we need to care? Should we explicitly set
hardening=-pie in the package?
--
Niko