MBF: packages not using the default build flags
Hi,
while enabling the arm64 security features known as PAC, BTI, and GCS
we found that some packages are built without the default build flags
emitted by dpkg-buildflags(1). Some of you are aware of this because of
various conversations we had throughout the year, as well as a paper I
presented at Debconf 25:
https://people.debian.org/~ema/nocflags_paper.pdf
A long overdue task of mine is filing bugs about the above-mentioned
packages. Here's the template I intend to use. You can find the output
of dd-list attached.
PKG: please build using the default build flags
Source: PKG
Version: VERSION
User: debian-security@lists.debian.org
Usertags: hardening-buildflags
PKG is not currently using the default build flags set by
dpkg-buildflags(1). The default flags are chosen for multiple reasons
including security, performance, reproducibility, adherence to
standards, and error handling.
Please make sure that PKG builds using the default build flags. blhc(1p)
and hardening-check(1) can be used to confirm that the issue is fixed.
In the general case, packages honoring CFLAGS, LDFLAGS, and other
similar environment variables get the default build flags for free
without the need for any work on the maintainer side. In the case of
PKG, the flags are either ignored or overridden.
The most common reasons for this are:
Hand-written Makefiles
----------------------
Some upstream Makefiles either override the values of variables such as
CFLAGS and similar or do not use them at all. See:
https://wiki.debian.org/HardeningWalkthrough#Handwritten_Makefiles
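As an added illustration (my own example, not taken from the mail, the wiki page or any of the listed packages), here is a small hand-written upstream Makefile showing both the assignment style that discards the flags exported by debhelper/dpkg-buildflags(1) and the style that honours them. The program name, source files and the "-O2 -Wall" fallback values are invented.

```makefile
# Added example: a hand-written upstream Makefile.  Program and file
# names are invented for illustration.
#
# Wrong: a plain '=' replaces whatever CFLAGS/LDFLAGS were found in the
# environment, so the hardened defaults never reach the compiler.
#CFLAGS  = -O2 -Wall
#LDFLAGS =

# Right: '?=' only supplies a fallback when nothing was inherited, and
# '+=' appends project-specific flags to the inherited value.  Both let
# the dpkg-buildflags defaults through untouched.
CFLAGS  ?= -O2
CFLAGS  += -Wall
LDFLAGS ?=

# The recipes must actually use the variables: CPPFLAGS (where
# dpkg-buildflags puts -D_FORTIFY_SOURCE), CFLAGS and LDFLAGS (where the
# linker hardening such as -Wl,-z,relro lives).  A recipe that hardcodes
# "cc -O2 foo.c" has the same problem as the commented-out block above.
foo: foo.o util.o
	$(CC) $(LDFLAGS) -o $@ $^

%.o: %.c
	$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $<

clean:
	rm -f foo foo.o util.o

.PHONY: clean
```

When upstream cannot be changed, the same effect is obtained from debian/rules by passing the variables on the make command line (make CFLAGS="$(CFLAGS)" ...), which overrides even a plain '=' assignment inside the Makefile.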
Misconfigured build systems
---------------------------
If the upstream code uses autotools, CMake, or other popular build
systems, it usually requires no further modifications. It might however
be that some variables are hardcoded in some way.
In this CMake snippet, the value of CXXFLAGS is overwritten with "-O2":
set(CMAKE_CXX_FLAGS "-O2")
If the intention is to append to CXXFLAGS, one should use the following
instead:
set(CMAKE_CXX_FLAGS "-O2 ${CMAKE_CXX_FLAGS}")
See #655870 for a similar autotools example.
Very old debhelper usage
------------------------
Packages not using dh(1), or those using a debhelper compatibility level
less than 9, need to manually include /usr/share/dpkg/buildflags.mk in
order for the dpkg-buildflags variables to be set:
https://wiki.debian.org/Hardening#dpkg-buildflags
Flags hardcoded in debian/rules (either voluntarily or not)
-----------------------------------------------------------
Some packages voluntarily hardcode the values of CFLAGS and friends in
debian/rules, ignoring the defaults set by dpkg-buildflags(1).
Others attempt to append to the variables, but end up accidentally
overriding the defaults:
#!/usr/bin/make -f
export CFLAGS += -pipe -fPIC -Wall
%:
	dh $@
Debhelper only sets CFLAGS if it is not set yet. In the example above,
when dh is invoked the value of CFLAGS is "-pipe -fPIC -Wall", hence the
hardened defaults are not used. The right way to append to CFLAGS is
using DEB_CFLAGS_MAINT_APPEND instead, as documented in
dpkg-buildflags(1).
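Putting the "Very old debhelper usage", "Flags hardcoded in debian/rules" and "Hand-written Makefiles" cases together, here is an added debian/rules (my own example, not from the mail or from any of the listed packages) that appends to CFLAGS the way dpkg-buildflags(1) expects, includes buildflags.mk explicitly, and pushes the resulting flags into an upstream Makefile that ignores the environment. The extra flags are the ones from the mail; the idea that upstream hardcodes "CFLAGS = -O2" is an assumption for the example.

```makefile
#!/usr/bin/make -f
# Added example debian/rules (not from any package named in this mail).

# 1. Appending safely.  DEB_CFLAGS_MAINT_APPEND is read by
#    dpkg-buildflags(1) itself, so the result is
#    "<hardened defaults> -pipe -fPIC -Wall", whereas
#    "export CFLAGS += ..." would pre-empt debhelper's defaults.
#    Define it before the include below so buildflags.mk sees it.
export DEB_CFLAGS_MAINT_APPEND = -pipe -fPIC -Wall

# 2. Packages not using dh(1), or on a debhelper compat level below 9,
#    get no flags exported for them; pulling this file in sets the
#    CFLAGS/CPPFLAGS/LDFLAGS make variables from dpkg-buildflags.
#    With dh at compat >= 9 the include is redundant but harmless.
include /usr/share/dpkg/buildflags.mk

%:
	dh $@

# 3. Assumed: upstream ships a hand-written Makefile with "CFLAGS = -O2"
#    that ignores the environment.  Variables given on the make command
#    line override assignments inside the Makefile, so hand them over;
#    dh_auto_build forwards everything after "--" to the build system.
override_dh_auto_build:
	dh_auto_build -- CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)"
```

Rebuilding the package and running blhc(1p) over the build log, as the template suggests, shows whether each compiler and linker invocation now carries the expected flags.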
Adam Majer <adamm@zombino.com>
lpr
Alastair McKinstry <mckinstry@debian.org>
csh
flexpart
Alessio Treglia <alessio@debian.org>
ir.lv2 (U)
jackmeter (U)
klick (U)
Alex Myczko <tar@debian.org>
bchunk (U)
elfkickers
hivelytracker (U)
klystrack (U)
Alex Pennace <alex@pennace.org>
dircproxy
Alexander Bürger <acfb@users.sourceforge.net>
fig2sxd
Alexander Zangerl <az@debian.org>
glimpse
Alexandre Detiste <tchet@debian.org>
dbview
geki3 (U)
pacman (U)
Andreas Barth <aba@ayous.org>
mgetty (U)
Andreas Tille <tille@debian.org>
assembly-stats (U)
ctsim (U)
flashbench (U)
gmotionlive (U)
lumpy-sv (U)
murasaki (U)
obitools (U)
parsinsert (U)
Andrew Gee <andrew@andrewgee.org>
jackmeter (U)
Andrew Lee (李健秋) <ajqlee@debian.org>
juffed (U)
Andrius Merkys <merkys@debian.org>
c2x (U)
feff85exafs (U)
Anibal Monsalve Salazar <anibal@debian.org>
bootp
Ari Pollak <ari@debian.org>
jnettop (U)
Barak A. Pearlmutter <bap@debian.org>
blackbox-terminal
Bdale Garbee <bdale@gag.com>
as31
atlc
pforth
Bill Allombert <ballombe@debian.org>
libjpeg9
menu
Bill MacAllister <bill@ca-zephyr.org>
kafs-client
Boris Pek <tehnick@debian.org>
psi-plugins (U)
Brandon Barnes <winterknight@nerdshack.com>
komi
Camm Maguire <camm@debian.org>
pcal
Carlo Segre <segre@debian.org>
ifeffit (U)
Carsten Schoenert <c.schoenert@t-online.de>
ponyprog (U)
ChangZhuo Chen (陳昌倬) <czchen@debian.org>
dumb-init
juffed (U)
Chris Taylor <ctaylor@debian.org>
nuttcp (U)
Christian T. Steigies <cts@debian.org>
hp2xx
Christoph Berg <myon@debian.org>
ircmarkers
pgmodeler (U)
Christoph Martin <chrism@debian.org>
mimedefang
Dale E. Martin <dale@the-martins.org>
pccts
Daniel Baumann <daniel@debian.org>
clzip
lunzip
lzd
pdlzip
plzip
Dario Minnucci <midget@debian.org>
ftpmirror
Dave Holland <dave@debian.org>
floatbg
David Suárez <deiv@debian.org>
driftnet
Debian Electronics Team <pkg-electronics-devel@alioth-lists.debian.net>
ponyprog
Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
libmozilla-ldap-perl
Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
etw
flobopuyo
garden-of-coloured-lights
geki3
gigalomania
koules
netris
ogamesim
pacman
pente
Debian GCC Maintainers <debian-gcc@lists.debian.org>
debugedit
Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
nailgun
Debian Math Team <team+math@tracker.debian.org>
eprover
Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
assembly-stats
ctsim
dextractor
lumpy-sv
murasaki
nthash
obitools
parsinsert
Debian Mobcom Maintainers <Debian-mobcom-maintainers@lists.alioth.debian.org>
osmo-tetra
Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>
libgdiplus
Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
flvstreamer
hivelytracker
hydrogen
ir.lv2
jackmeter
jamin
klick
klystrack
mppenc
puredata-import
Debian OpenStack <team+openstack@tracker.debian.org>
ntpstat
Debian PaN Maintainers <debian-pan-maintainers@alioth-lists.debian.net>
ifeffit
Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
pgmodeler
Debian Printing Team <debian-printing@lists.debian.org>
magicfilter
Debian QA Group <packages@qa.debian.org>
ascd
asmixer
bwbasic
cdecl
cfingerd
dsdp
elvis-tiny
gcpegg
getstream
hpsockd
icheck
integrit
iroffer
libprintsys
lifelines
mbw
metapixel
msort
nitpic
p910nd
pal
parchive
parprouted
purity
Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
cba
feff85exafs
ifeffit (U)
magic
Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>
ispc
Debian TeX Task Force <debian-tex-maint@lists.debian.org>
hintview
Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
asterisk-espeak
asterisk-flite
iaxmodem
Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>
psi-plugins
Debichem Team <debichem-devel@lists.alioth.debian.org>
bagel
c2x
Dennis Braun <d_braun@kabelmail.de>
hydrogen (U)
ir.lv2 (U)
Denys Berkovskyy <berkovskyy@gmail.com>
dmg2img
Dmitrijs Ledkovs <dmitrij.ledkov@ubuntu.com>
flashbench (U)
Dmitry E. Oboukhov <unera@debian.org>
ogamesim (U)
Dmitry Smirnov <onlyjob@debian.org>
dumb-init (U)
Emmanuel Arias <eamanu@debian.org>
logtools (U)
Eric Madesclair <eric-m@wanadoo.fr>
le-dico-de-rene-cougnenc
Eric Sharkey <sharkey@debian.org>
macutils
Ferdinand Griffon <idf.dresden@gmx.net>
cba (U)
Francesco Paolo Lovergine <frankie@debian.org>
autodir
imapfilter
proftpd-mod-kafka (U)
proftpd-mod-sftp-ldap (U)
proftpd-mod-statsd (U)
proftpd-mod-vroot (U)
Francois Mazen <mzf@debian.org>
ispc (U)
Georges Khaznadar <georgesk@debian.org>
cdcover
chemeq
felix-latin
le-dico-de-rene-cougnenc (U)
Ghe Rivero <ghe@debian.org>
lshw
Golf Team <team@golf-lang.com>
golf
Graham Inggs <ginggs@debian.org>
bagel (U)
Hans-Christoph Steiner <hans@eds.org>
puredata-import (U)
Heiko Stuebner <mmind@debian.org>
abootimg
Hideki Yamane <henrich@debian.org>
nailgun (U)
Hilmar Preusse <hille42@web.de>
proftpd-mod-kafka (U)
proftpd-mod-statsd (U)
Hilmar Preuße <hille42@debian.org>
hintview (U)
proftpd-mod-sftp-ldap (U)
proftpd-mod-vroot (U)
Hugo Torres de Lima <hugotorres@protonmail.com>
mp3info
Hwei Sheng Teoh <hsteoh@debian.org>
atom4
Héctor Orón Martínez <zumbi@debian.org>
egctl
Jaromír Mikeš <mira.mikes@seznam.cz>
ir.lv2 (U)
klick (U)
Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
chrootuid
libpam-chroot
Javier Fernández-Sanguino Peña <jfs@debian.org>
chntpw
clips
farpd (U)
netselect
paxtest
Jo Shields <directhex@apebox.org>
libgdiplus (U)
Joerg Dorchain <joerg@dorchain.net>
iaxmodem (U)
John Goerzen <jgoerzen@complete.org>
glulxe
netmaze
Jonas Smedegaard <dr@jones.dk>
asterisk-espeak (U)
asterisk-flite (U)
Jorge Salamero Sanz <bencer@cauterized.net>
mppenc (U)
Jose G. López <josgalo@gmail.com>
gigalomania (U)
Josue Ortega <josue@debian.org>
euler
Juan Cespedes <cespedes@debian.org>
genromfs
Julien Puydt <jpuydt@debian.org>
eprover (U)
Kevin M. Rosenberg <kmr@debian.org>
ctsim (U)
Kevin Zambrano <kevinjzc@gmail.com>
falselogin
Kyle Robbertze <paddatrapper@debian.org>
hashcheck
Laszlo Boszormenyi (GCS) <gcs@debian.org>
crasm
Lionel Elie Mamane <lmamane@debian.org>
dvidvi
Lior Kaplan <kaplan@debian.org>
paps
Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
pgmodeler (U)
LLVM Packaging Team <pkg-llvm-team@lists.alioth.debian.org>
iwyu
Ludovic Drolez <ldrolez@debian.org>
lookup
LXQt Packaging Team <team+lxqt@tracker.debian.org>
juffed
Mahyuddin Susanto <udienz@ubuntu.com>
proftpd-mod-sftp-ldap (U)
Marcelo Jorge Vieira <metal@debian.org>
gpt
Mark Brown <broonie@debian.org>
clc-intercal
Mark W. Eichin <eichin@thok.org>
lx-gdb
Markus Koschany <apo@debian.org>
etw (U)
pente (U)
Martin A. Godisch <godisch@debian.org>
cgoban
Martin Quinson <mquinson@debian.org>
flexml
Martín Ferrari <tincho@debian.org>
drawterm
Matthew Grant <matt@mattgrant.net.nz>
nomarch
Matthew Palmer <mpalmer@debian.org>
ninvaders
Matthew Vernon <matthew@debian.org>
bible-kjv
electric-fence
Matthias Geiger <werdahias@debian.org>
kew
Matthias Klose <doko@ubuntu.com>
debugedit (U)
Maximiliano Curia <maxy@debian.org>
gmotionlive (U)
Michael Banck <mbanck@debian.org>
bagel (U)
Michael Meskes <meskes@debian.org>
ips
memstat
Michael Tautschnig <mt@debian.org>
boolector
Mirco Bauer <meebey@debian.org>
libgdiplus (U)
Nate Doris <nate.doris@gmail.com>
osmo-tetra (U)
Nicholas D Steeves <sten@debian.org>
hydrogen (U)
Nilesh Patra <nilesh@debian.org>
lumpy-sv (U)
NOKUBI Takatsugu <knok@daionet.gr.jp>
nkf
Norbert Preining <norbert@preining.info>
gwaei
Norbert Schlia <nschlia@oblivion-software.de>
ffmpegfs
Olivier Sallou <osallou@debian.org>
obitools (U)
Otto Kekäläinen <otto@debian.org>
mydumper
Package Salvaging Team <team+salvage@tracker.debian.org>
birthday
farpd
flashbench
gmotionlive
jnettop
logtools
mgetty
nuttcp
Patrick Matthäi <pmatthaei@debian.org>
fraqtive
Patrick Uiterwijk <puiterwijk@gmail.com>
birthday (U)
Petter Reinholdtsen <pere@debian.org>
array-info
Picca Frédéric-Emmanuel <picca@debian.org>
ifeffit (U)
Pierre-Elliott Bécue <peb@debian.org>
drogon
Praveen Arimbrathodiyil <pravi.a@gmail.com>
bchunk
ProFTPD Maintainance Team <pkg-proftpd-maintainers@alioth-lists.debian.net>
proftpd-mod-kafka
proftpd-mod-sftp-ldap
proftpd-mod-statsd
proftpd-mod-vroot
Radovan Garabík <garabik@kassiopeia.juls.savba.sk>
efingerd
Ralf Treinen <treinen@debian.org>
aribas
mccs
Ralph Ronnquist <rrq@rrq.au>
overlay-boot
RenZO <renzo@imaginux.com>
ola (U)
Rhonda D'Vine <rhonda@debian.org>
netris (U)
Ron Lee <ron@debian.org>
dovecot-antispam
mp3splt
Ross Burton <ross@debian.org>
flvstreamer (U)
RPM packaging team <team+pkg-rpm@tracker.debian.org>
debugedit (U)
Ruben Undheim <ruben.undheim@gmail.com>
magic (U)
Russ Allbery <rra@debian.org>
kafs-client (U)
Russell Coker <russell@coker.com.au>
logtools (U)
Santiago Garcia Mantinan <manty@debian.org>
mbr
Sebastian Dröge <slomo@debian.org>
libgdiplus (U)
Shayan Doust <hello@shayandoust.me>
dextractor (U)
Shengjing Zhu <zhsj@debian.org>
dumb-init (U)
Stanislav Maslovski <stanislav.maslovski@gmail.com>
kbdd
Stefan Hornburg (Racke) <racke@linuxia.de>
pure-ftpd
Stephen Kitt <skitt@debian.org>
koules (U)
Steve McIntyre <93sam@debian.org>
dvdtape
Stéphane Glondu <glondu@debian.org>
net-acct
Sylvestre Ledru <sylvestre@debian.org>
imapfilter (U)
iwyu (U)
ohcount
TANIGUCHI Takaki <takaki@debian.org>
dares
Thomas Goirand <zigo@debian.org>
lshw (U)
ntpstat (U)
Thorsten Alteholz <debian@alteholz.de>
bottlerocket
gnucobol3
gnucobol4
magicfilter (U)
npd6
osmo-tetra (U)
pipexec
Tim Booth <tbooth@ceh.ac.uk>
parsinsert (U)
Timo Aaltonen <tjaalton@debian.org>
libmozilla-ldap-perl (U)
Torsten Werner <twerner@debian.org>
nailgun (U)
Tzafrir Cohen <tzafrir@debian.org>
iaxmodem (U)
Uwe Hermann <uwe@debian.org>
cycfx2prog
flobopuyo (U)
Vern Sun <s5unty@gmail.com>
cconv
Vincent Cheng <vcheng@debian.org>
garden-of-coloured-lights (U)
Wartan Hachaturow <wart@debian.org>
grpn
Wookey <wookey@debian.org>
plotsauce
Wouter Verhelst <wouter@debian.org>
ola
Xavier Lüthi <xluthi@debian.org>
nrg2iso
Yann Dirson <dirson@debian.org>
fweb
Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
darknet
groundhog