[lintian] 01/01: Turn hardening-no-pie into a warning and improve the description
This is an automated email from the git hooks/post-receive script.
nthykier pushed a commit to branch master
in repository lintian.
commit daead852aec7d0554394fb9f87976386fa4732ea
Author: Adrian Bunk <bunk@debian.org>
Date: Sat Feb 25 19:31:28 2017 +0200
Turn hardening-no-pie into a warning and improve the description
Signed-off-by: Niels Thykier <niels@thykier.net>
---
checks/binaries.desc | 23 +++++++----------------
debian/changelog | 4 ++++
t/tests/binaries-hardening/tags | 2 +-
3 files changed, 12 insertions(+), 17 deletions(-)
diff --git a/checks/binaries.desc b/checks/binaries.desc
index c3f9d85..8a43d18 100644
--- a/checks/binaries.desc
+++ b/checks/binaries.desc
@@ -394,34 +394,25 @@ Info: This package provides an ELF binary that lacks the "bindnow"
Ref: https://wiki.debian.org/Hardening
Tag: hardening-no-pie
-Severity: wishlist
+Severity: normal
Certainty: certain
Info: This package provides an ELF executable that was not compiled
as a position independent executable (PIE).
.
- In Debian, gcc-6 as of version 6.2.0-9 will compile ELF binaries with
- PIE by default. In most cases a simple rebuild will be sufficient to
- remove this tag.
+ In Debian, since version 6.2.0-7 of the gcc-6 package GCC will
+ compile ELF binaries with PIE by default. In most cases a simple
+ rebuild will be sufficient to remove this tag.
.
PIE is required for fully enabling Address Space Layout
Randomization (ASLR), which makes "Return-oriented" attacks more
difficult.
.
Historically, PIE has been associated with noticeable performance
- overhead on i386. However, GCC-5 has implemented an optimization
+ overhead on i386. However, GCC >= 5 has implemented an optimization
that can reduce the overhead significantly.
.
- If you use <tt>dpkg-buildflags</tt>, you may have to add
- <tt>hardening=+pie</tt> or <tt>hardening=+all</tt> to
- <tt>DEB_BUILD_MAINT_OPTIONS</tt>.
- .
- The relevant compiler flags must be passed both to the compiler
- and the linker (e.g. for C that would be commonly be
- <tt>CFLAGS</tt> and <tt>LDFLAGS</tt>).
- .
- If your upstream build compiles either of the above, you may have to
- patch the build to ensure that only ELF executables are compiled with
- PIE.
+ If you use <tt>dpkg-buildflags</tt> with <tt>hardening=+all,-pie</tt>
+ in <tt>DEB_BUILD_MAINT_OPTIONS</tt>, remove the <tt>-pie</tt>.
Ref: https://wiki.debian.org/Hardening,
https://gcc.gnu.org/gcc-5/changes.html,
https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
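Review bot: the rewritten remediation paragraph only covers the case of `hardening=+all,-pie` in `DEB_BUILD_MAINT_OPTIONS`, while the hunk drops the previous guidance that the flags must reach both the compiler and the linker and that upstream builds may need patching. A maintainer whose build system ignores dpkg-buildflags, or passes its own `-no-pie` / `-fno-PIE`, or links without going through gcc, now gets no hint at all from the tag description. Consider keeping one sentence along the lines of "If the build system ignores the flags from <tt>dpkg-buildflags</tt> or explicitly disables PIE, the build has to be patched" before the Ref line. Also, the gcc-6 version at which PIE became the default changes from 6.2.0-9 to 6.2.0-7 without the commit message saying where the corrected number comes from; a pointer to the gcc-6 changelog entry in the commit message would make that verifiable for the next person touching this text.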
diff --git a/debian/changelog b/debian/changelog
index 78f3558..c15d22b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,10 @@ lintian (2.5.51) UNRELEASED; urgency=medium
XXX: generate tag summary
+ * checks/binaries.desc:
+ + [NT] Apply patch from Adrian Bunk to bump severity of the
+ hardening-no-pie to a W-tag and improve the tag description.
+ (Closes: #856155)
* checks/changelog-file.pm:
+ [BR] Check also bug over 1000000 as improbable. Bug below
50004 are not archived and are thus improbable.
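Review bot: the new changelog entry reads "bump severity of the hardening-no-pie to a W-tag", which is missing a noun; "bump severity of the hardening-no-pie tag from I to W" would state the user-visible change directly, and readers of the changelog do not need the internal severity names. It would also help to mention that the description now names gcc-6 6.2.0-7 as the version that enabled PIE by default, since that is the factual correction in the tag text and is the part most likely to be questioned later.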
diff --git a/t/tests/binaries-hardening/tags b/t/tests/binaries-hardening/tags
index 656e79f..289dc53 100644
--- a/t/tests/binaries-hardening/tags
+++ b/t/tests/binaries-hardening/tags
@@ -1,4 +1,4 @@
I: binaries-hardening: hardening-no-bindnow usr/bin/weak
I: binaries-hardening: hardening-no-fortify-functions usr/bin/weak
-I: binaries-hardening: hardening-no-pie usr/bin/weak
+W: binaries-hardening: hardening-no-pie usr/bin/weak
W: binaries-hardening: hardening-no-relro usr/bin/weak
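Review bot: the expected-tags update is consistent with the severity change in `checks/binaries.desc` (wishlist to normal maps I: to W:). This is the only test file the diffstat touches, so before merging it is worth grepping the rest of `t/` for an `I: ... hardening-no-pie` expectation; any stale one would fail the suite for the same reason this line had to change.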
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git