
[lintian] 01/01: Turn hardening-no-pie into a warning and improve the description



This is an automated email from the git hooks/post-receive script.

nthykier pushed a commit to branch master
in repository lintian.

commit daead852aec7d0554394fb9f87976386fa4732ea
Author: Adrian Bunk <bunk@debian.org>
Date:   Sat Feb 25 19:31:28 2017 +0200

    Turn hardening-no-pie into a warning and improve the description
    
    Signed-off-by: Niels Thykier <niels@thykier.net>
---
 checks/binaries.desc            | 23 +++++++----------------
 debian/changelog                |  4 ++++
 t/tests/binaries-hardening/tags |  2 +-
 3 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/checks/binaries.desc b/checks/binaries.desc
index c3f9d85..8a43d18 100644
--- a/checks/binaries.desc
+++ b/checks/binaries.desc
@@ -394,34 +394,25 @@ Info: This package provides an ELF binary that lacks the "bindnow"
 Ref: https://wiki.debian.org/Hardening
 
 Tag: hardening-no-pie
-Severity: wishlist
+Severity: normal
 Certainty: certain
 Info: This package provides an ELF executable that was not compiled
  as a position independent executable (PIE).
  .
- In Debian, gcc-6 as of version 6.2.0-9 will compile ELF binaries with
- PIE by default.  In most cases a simple rebuild will be sufficient to
- remove this tag.
+ In Debian, since version 6.2.0-7 of the gcc-6 package GCC will
+ compile ELF binaries with PIE by default.  In most cases a simple
+ rebuild will be sufficient to remove this tag.
  .
  PIE is required for fully enabling Address Space Layout
  Randomization (ASLR), which makes "Return-oriented" attacks more
  difficult.
  .
  Historically, PIE has been associated with noticeable performance
- overhead on i386.  However, GCC-5 has implemented an optimization
+ overhead on i386.  However, GCC >= 5 has implemented an optimization
  that can reduce the overhead significantly.
  .
- If you use <tt>dpkg-buildflags</tt>, you may have to add
- <tt>hardening=+pie</tt> or <tt>hardening=+all</tt> to
- <tt>DEB_BUILD_MAINT_OPTIONS</tt>.
- .
- The relevant compiler flags must be passed both to the compiler
- and the linker (e.g. for C that would be commonly be
- <tt>CFLAGS</tt> and <tt>LDFLAGS</tt>).
- .
- If your upstream build compiles either of the above, you may have to
- patch the build to ensure that only ELF executables are compiled with
- PIE.
+ If you use <tt>dpkg-buildflags</tt> with <tt>hardening=+all,-pie</tt>
+ in <tt>DEB_BUILD_MAINT_OPTIONS</tt>, remove the <tt>-pie</tt>.
 Ref: https://wiki.debian.org/Hardening,
  https://gcc.gnu.org/gcc-5/changes.html,
  https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
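Review bot: Dropping the paragraph "The relevant compiler flags must be passed both to the compiler and the linker" (and the one about patching upstream builds) leaves the description with no guidance for builds that do not go through the Debian gcc-6 >= 6.2.0-7 default, such as packages built with another compiler or with an upstream build system that drops <tt>LDFLAGS</tt>; since the tag is now a warning rather than a wishlist item, a one-sentence version of that advice (PIE needs <tt>-fPIE</tt> at compile time and <tt>-pie</tt> at link time) is worth keeping next to the new <tt>hardening=+all,-pie</tt> hint. The version in the "since version 6.2.0-7 of the gcc-6 package" line also changes from the previous 6.2.0-9 without the commit message saying why; a reference to the gcc-6 changelog entry that enabled PIE by default would let readers verify it.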
diff --git a/debian/changelog b/debian/changelog
index 78f3558..c15d22b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,10 @@ lintian (2.5.51) UNRELEASED; urgency=medium
 
   XXX: generate tag summary
 
+  * checks/binaries.desc:
+    + [NT] Apply patch from Adrian Bunk to bump severity of the
+      hardening-no-pie to a W-tag and improve the tag description.
+      (Closes: #856155)
   * checks/changelog-file.pm:
     + [BR] Check also bug over 1000000 as improbable. Bug below
       50004 are not archived and are thus improbable.
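Review bot: The entry "bump severity of the hardening-no-pie to a W-tag" is missing the word "tag" after the tag name; suggest "bump severity of the hardening-no-pie tag to a W-tag". It also does not record that the tag description's gcc-6 version was corrected (6.2.0-9 to 6.2.0-7) and that the compiler/linker flags paragraph was removed, both of which a changelog reader would want to see alongside the severity change.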
diff --git a/t/tests/binaries-hardening/tags b/t/tests/binaries-hardening/tags
index 656e79f..289dc53 100644
--- a/t/tests/binaries-hardening/tags
+++ b/t/tests/binaries-hardening/tags
@@ -1,4 +1,4 @@
 I: binaries-hardening: hardening-no-bindnow usr/bin/weak
 I: binaries-hardening: hardening-no-fortify-functions usr/bin/weak
-I: binaries-hardening: hardening-no-pie usr/bin/weak
+W: binaries-hardening: hardening-no-pie usr/bin/weak
 W: binaries-hardening: hardening-no-relro usr/bin/weak
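Review bot: The I: to W: change for usr/bin/weak matches the new Severity: normal with Certainty: certain, so the expected output is consistent with the first hunk. Only the negative case is listed here, though; if the binaries-hardening test build also produces a PIE executable, the tags file should keep asserting that no hardening-no-pie line appears for it, so that the severity bump is not mistaken for a false positive on correctly built binaries.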

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git