
Bug#856155: Turn hardening-no-pie into a warning and improve the description



Package: lintian
Version: 2.5.50.1
Severity: normal
Tags: patch

The attached patch turns hardening-no-pie into a warning and
improves the description.

This should help to reduce the number of cases where PIE is
accidentally disabled (most notably hardening=+all,-pie).

From b2f0146901669b7b2e3e911a4805213a1ae26174 Mon Sep 17 00:00:00 2001
From: Adrian Bunk <bunk@debian.org>
Date: Sat, 25 Feb 2017 19:31:28 +0200
Subject: Turn hardening-no-pie into a warning and improve the description

---
 checks/binaries.desc | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/checks/binaries.desc b/checks/binaries.desc
index c3f9d8563..8a43d1891 100644
--- a/checks/binaries.desc
+++ b/checks/binaries.desc
@@ -394,34 +394,25 @@ Info: This package provides an ELF binary that lacks the "bindnow"
 Ref: https://wiki.debian.org/Hardening
 
 Tag: hardening-no-pie
-Severity: wishlist
+Severity: normal
 Certainty: certain
 Info: This package provides an ELF executable that was not compiled
  as a position independent executable (PIE).
  .
- In Debian, gcc-6 as of version 6.2.0-9 will compile ELF binaries with
- PIE by default.  In most cases a simple rebuild will be sufficient to
- remove this tag.
+ In Debian, since version 6.2.0-7 of the gcc-6 package GCC will
+ compile ELF binaries with PIE by default.  In most cases a simple
+ rebuild will be sufficient to remove this tag.
  .
  PIE is required for fully enabling Address Space Layout
  Randomization (ASLR), which makes "Return-oriented" attacks more
  difficult.
  .
  Historically, PIE has been associated with noticeable performance
- overhead on i386.  However, GCC-5 has implemented an optimization
+ overhead on i386.  However, GCC >= 5 has implemented an optimization
  that can reduce the overhead significantly.
  .
- If you use <tt>dpkg-buildflags</tt>, you may have to add
- <tt>hardening=+pie</tt> or <tt>hardening=+all</tt> to
- <tt>DEB_BUILD_MAINT_OPTIONS</tt>.
- .
- The relevant compiler flags must be passed both to the compiler
- and the linker (e.g. for C that would be commonly be
- <tt>CFLAGS</tt> and <tt>LDFLAGS</tt>).
- .
- If your upstream build compiles either of the above, you may have to
- patch the build to ensure that only ELF executables are compiled with
- PIE.
+ If you use <tt>dpkg-buildflags</tt> with <tt>hardening=+all,-pie</tt>
+ in <tt>DEB_BUILD_MAINT_OPTIONS</tt>, remove the <tt>-pie</tt>.
 Ref: https://wiki.debian.org/Hardening,
  https://gcc.gnu.org/gcc-5/changes.html,
  https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
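Review bot: the version in the rewritten "In Debian, since version 6.2.0-7 of the gcc-6 package" sentence contradicts the "6.2.0-9" the old text stated, and neither the commit message nor the Ref: list says which gcc-6 changelog entry enabled PIE by default; add that changelog reference to Ref: (or state the reason for the correction in the commit message) so the claim can be verified. Separately, dropping the paragraph that the flags must be passed to both the compiler and the linker (CFLAGS and LDFLAGS) removes the only guidance for builds that bypass dpkg-buildflags or strip the flags, which matters more now that Severity goes from wishlist to normal; the new text only covers the hardening=+all,-pie case, so consider keeping a one-sentence form of the removed CFLAGS/LDFLAGS note next to it.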
-- 
2.11.0
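To make the condition behind the tag concrete, here is an added example that is neither lintian's code nor part of the bug report. It reads only the ELF header and program headers of a file and reports whether it is a fixed-address executable (ET_EXEC, the case hardening-no-pie warns about), a PIE executable (ET_DYN carrying a PT_INTERP entry) or a shared object. The make_elf helper fabricates minimal headers as constructed sample input; the function names and the PT_INTERP heuristic are this example's own choices, not lintian's.

```python
import struct

# ELF constants from the ELF specification
ET_EXEC = 2        # fixed-address executable: what hardening-no-pie flags
ET_DYN = 3         # position independent: shared object or PIE executable
PT_INTERP = 3      # program header naming the dynamic loader


def make_elf(e_type, with_interp, bits=64):
    """Build a minimal, constructed ELF header plus one optional PT_INTERP
    program header.  Sample input only: this is not a loadable binary."""
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1, 1, 0]) + b"\0" * 8
    phnum = 1 if with_interp else 0
    if bits == 64:
        ehsize, phentsize = 64, 56
        # Elf64_Ehdr after e_ident: type, machine, version, entry, phoff, shoff,
        # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0,
                                   ehsize if phnum else 0, 0, 0,
                                   ehsize, phentsize, phnum, 64, 0, 0)
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    else:
        ehsize, phentsize = 52, 32
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0,
                                   ehsize if phnum else 0, 0, 0,
                                   ehsize, phentsize, phnum, 40, 0, 0)
        # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        phdr = struct.pack("<IIIIIIII", PT_INTERP, 0, 0, 0, 0, 0, 4, 1)
    return ehdr + (phdr if with_interp else b"")


def classify_elf(data):
    """Return 'exec', 'pie', 'shared' or 'other' for the bytes of an ELF file."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}.get(ei_data)
    fmt = {1: "HHIIIIIHHHHHH", 2: "HHIQQQIHHHHHH"}.get(ei_class)
    if end is None or fmt is None:
        raise ValueError("unknown ELF class or byte order")
    fields = struct.unpack_from(end + fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    # p_type is the first 32-bit word of every program header in both ELF classes
    p_types = {struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)}
    if e_type == ET_EXEC:
        return "exec"
    if e_type == ET_DYN:
        # Heuristic (this example's choice): an ET_DYN object that asks for an
        # interpreter is a dynamically linked PIE executable; without one it is
        # most likely a shared library.  Caveat: a static-pie binary has no
        # PT_INTERP and would be reported as "shared" here.
        return "pie" if PT_INTERP in p_types else "shared"
    return "other"


def needs_pie_warning(data):
    """The condition behind hardening-no-pie: an ELF executable that is not PIE."""
    return classify_elf(data) == "exec"


if __name__ == "__main__":
    # Constructed samples; for a real file use classify_elf(open(path, "rb").read())
    samples = [("ET_EXEC + PT_INTERP", make_elf(ET_EXEC, True)),
               ("ET_DYN + PT_INTERP", make_elf(ET_DYN, True)),
               ("ET_DYN, no PT_INTERP", make_elf(ET_DYN, False)),
               ("ET_EXEC, 32-bit", make_elf(ET_EXEC, True, bits=32))]
    for label, blob in samples:
        print(f"{label:22} -> {classify_elf(blob):7} warn={needs_pie_warning(blob)}")
```

The same distinction is visible with "readelf -h" on a built binary: a "Type:" line reading EXEC is what the tag reports, while a PIE executable shows DYN. Run the script over every ELF file in a staged package directory before uploading if you want to catch an accidental hardening=+all,-pie locally rather than from the lintian report.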

