--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: ocaml: obey hardening LDFLAGS
- From: Török Edwin <edwin@etorok.net>
- Date: Wed, 15 Jul 2015 16:33:23 +0300
- Message-id: <20150715133323.24609.65147.reportbug@debian.home.lan>
Package: ocaml
Version: 4.01.0-5
Severity: minor
Tags: patch
Dear Maintainer,
See discussion on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702349
I am including a patch that enables the relro and bindnow hardening flags for
OCaml and packages compiled by ocaml.
I haven't submitted the patch upstream yet; there is only this bug report asking
for LDFLAGS, with CCLINKFLAGS as a solution for ocamlyacc only:
http://caml.inria.fr/mantis/view.php?id=4698
There is also this bug about CFLAGS (which can be useful for hardening C stubs
perhaps?):
http://caml.inria.fr/mantis/view.php?id=3664
My patch simply sets CCLINKFLAGS based on LDFLAGS and includes CCLINKFLAGS into
MKEXE/MKDLL/MKMAINDLL, which AFAICT are the command lines used to build
executables and shared libraries by ocamlc/ocamlopt.
Should I submit the patch upstream, or would it require more modifications to
support Debian's hardening features?
Output of hardening-check before the patch:
/usr/bin/ocamlopt.opt:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: no, not found!
Immediate binding: no, not found!
Output of hardening-check after the patch:
../ocamlopt.opt:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Running lintian on the newly built packages doesn't show the hardening-no-relro
warning anymore:
$ lintian ../*.deb
W: ocaml-nox: binary-without-manpage usr/bin/ocamlbuild
W: ocaml-mode: binary-without-manpage usr/bin/ocamltags
N: 1 tag overridden (1 warning)
-- System Information:
Debian Release: 8.1
APT prefers stable
APT policy: (900, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages ocaml depends on:
ii libx11-dev 2:1.6.2-3
ii ocaml-base [ocaml-base-4.01.0] 4.01.0-5
ii ocaml-base-nox 4.01.0-5
ii ocaml-nox [ocaml-nox-4.01.0] 4.01.0-5
ocaml recommends no packages.
Versions of packages ocaml suggests:
ii tcl-dev 8.6.0+8
pn tk-dev <none>
-- no debconf information
--- a/debian/patches/0010-Obey-ldflags.patch 1970-01-01 02:00:00.000000000 +0200
+++ b/debian/patches/0010-Obey-ldflags.patch 2015-07-15 15:59:20.600661858 +0300
@@ -0,0 +1,34 @@
+Description: use CCLINKFLAGS for linking all executables and shared libraries
+ This allows packagers to set additional linker flags for executables and shared
+ libraries created by OCaml, and for the OCaml tools themselves.
+ OCaml code can be linked with various C stubs and C libraries that would
+ benefit from using hardening link flags, such as -Wl,-z,relro.
+---
+
+Origin: other
+Bug-Debian: https://bugs.debian.org/702349
+Forwarded: no
+Last-Update: <2015-07-15>
+
+--- ocaml-4.02.1.orig/configure
++++ ocaml-4.02.1/configure
+@@ -739,6 +739,8 @@ if test $with_sharedlibs = "yes"; then
+ shared_libraries_supported=true;;
+ esac
+ fi
++mksharedlib="$mksharedlib $CCLINKFLAGS"
++mkexe="$mkexe $CCLINKFLAGS"
+
+ if test -z "$mkmaindll"; then
+ mkmaindll=$mksharedlib
+--- ocaml-4.02.1.orig/tools/Makefile.shared
++++ ocaml-4.02.1/tools/Makefile.shared
+@@ -278,7 +278,7 @@ beforedepend:: opnames.ml
+
+ objinfo_helper$(EXE): objinfo_helper.c ../config/s.h
+ $(BYTECC) -o objinfo_helper$(EXE) $(BYTECCCOMPOPTS) \
+- objinfo_helper.c $(LIBBFD_LINK)
++ objinfo_helper.c $(LIBBFD_LINK) $(CCLINKFLAGS)
+
+ OBJINFO=../compilerlibs/ocamlcommon.cma \
+ ../compilerlibs/ocamlbytecomp.cma \
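Review bot: In the configure hunk, CCLINKFLAGS is appended to mksharedlib and mkexe, but mkmaindll only picks it up through the `if test -z "$mkmaindll"` fallback visible in the context; when configure has already chosen a mkmaindll for the platform, the MKMAINDLL command line will not carry the flags, so that path needs the same append (e.g. `mkmaindll="$mkmaindll $CCLINKFLAGS"` after the fallback). Two smaller points: the DEP-3 header `Last-Update: <2015-07-15>` keeps the template's angle brackets and should read `Last-Update: 2015-07-15`, and the embedded patch is against ocaml-4.02.1 while the report's Version field says 4.01.0-5, so it may need rebasing for whichever source tree the maintainer builds from.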
diff -rNu ../o/ocaml-4.02.1/debian/patches/series debian/patches/series
--- a/debian/patches/series 2014-11-20 17:48:56.000000000 +0200
+++ b/debian/patches/series 2015-07-15 16:07:10.622247953 +0300
@@ -7,3 +7,4 @@
0007-Tune-resource-usage-of-some-tests.patch
0008-Native-backtraces-don-t-work-on-powerpc-and-sparc.patch
0009-Fix-asmcomp-tests-on-sparc.patch
+0010-Obey-ldflags.patch
--- a/debian/rules 2015-02-16 12:37:56.000000000 +0200
+++ b/debian/rules 2015-07-15 15:54:11.360881817 +0300
@@ -59,6 +59,9 @@
export OCAML_OPT_ARCH
export OCAML_STDLIB_DIR
+export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow
+export CCLINKFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
+
CONFIGURE_OPTS := \
--host $(DEB_BUILD_GNU_TYPE)\
--with-pthread -prefix $(DEB_TEST_BUILD_PREFIX)/usr \
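Review bot: Only LDFLAGS is wired through here; the CFLAGS that dpkg-buildflags would provide (stack protector, fortify, and -fPIE when pie is enabled) are not passed to the OCaml C compiler, which is consistent with the hardening-check output above still reporting "Stack protected: no" after the patch. If the CFLAGS route from the second upstream bug is pursued, a parallel `export ...=$(shell dpkg-buildflags --get CFLAGS)` next to the CCLINKFLAGS line would be the place. Also note that `$(shell dpkg-buildflags --get LDFLAGS)` is expanded when make parses the line, so the `export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow` line must stay above it, as it does here, for +bindnow to be reflected in the flags.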
--- End Message ---
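The two hardening-check lines the patch changes, "Read-only relocations" and "Immediate binding", are decided by a PT_GNU_RELRO program header and a BIND_NOW marker in the dynamic section. The following is an added Python example (not from the bug report or the ocaml package) that reads exactly those two facts from an ELF64 little-endian image and exercises the check on a constructed minimal image; `hardening_status` and `make_image` are my own helper names.

```python
# Added example: report what hardening-check calls "Read-only relocations"
# (a PT_GNU_RELRO segment) and "Immediate binding" (DT_BIND_NOW, DF_BIND_NOW
# in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1). ELF64 little-endian only.
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR = "<IIQQQQQQ"  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align


def hardening_status(elf: bytes) -> dict:
    """Return relro / bind_now flags; full_relro means both (-z relro -z now)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled")
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro, dynamic = False, None
    for i in range(e_phnum):
        ph = struct.unpack_from(PHDR, elf, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_RELRO:
            relro = True
        elif ph[0] == PT_DYNAMIC:
            dynamic = (ph[2], ph[2] + ph[5])  # file range of the dynamic section
    bind_now = False
    if dynamic:  # walk the 16-byte dynamic entries up to DT_NULL
        off, end = dynamic
        while off + 16 <= end:
            tag, val = struct.unpack_from("<qQ", elf, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
            off += 16
    return {"relro": relro, "bind_now": bind_now, "full_relro": relro and bind_now}


def make_image(relro: bool, dyn_entries) -> bytes:
    """Constructed minimal ELF64 image: header, program headers, dynamic section."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in list(dyn_entries) + [(DT_NULL, 0)])
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum  # the dynamic section follows the program headers
    phdrs = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian
    header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    return header + phdrs + dyn
```

To run the same check on a real binary such as /usr/bin/ocamlopt.opt, pass the file's bytes to `hardening_status`; a linker given only `-z relro` yields relro without bind_now, and adding `-z now` flips full_relro.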
--- Begin Message ---
Source: ocaml
Source-Version: 4.05.0-8
We believe that the bug you reported is fixed in the latest version of
ocaml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 792502@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ximin Luo <infinity0@debian.org> (supplier of updated ocaml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 14 Sep 2017 12:02:40 +0200
Source: ocaml
Binary: ocaml-base-nox ocaml-base ocaml-nox ocaml ocaml-source ocaml-interp ocaml-compiler-libs ocaml-mode
Architecture: source
Version: 4.05.0-8
Distribution: experimental
Urgency: medium
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Ximin Luo <infinity0@debian.org>
Description:
ocaml - ML language implementation with a class-based object system
ocaml-base - Runtime system for OCaml bytecode executables
ocaml-base-nox - Runtime system for OCaml bytecode executables (no X)
ocaml-compiler-libs - OCaml interpreter and standard libraries
ocaml-interp - OCaml interactive interpreter and standard libraries
ocaml-mode - major mode for editing Objective Caml in Emacs
ocaml-nox - ML implementation with a class-based object system (no X)
ocaml-source - Sources for Objective Caml
Closes: 792502 824139 837359 838188
Changes:
ocaml (4.05.0-8) experimental; urgency=medium
.
[ Ximin Luo ]
* Merge changes from Debian unstable. Relevant ones:
* Tell dh_installdocs to ignore README.Debian (see #868204)
* obey hardening LDFLAGS (Closes: #792502). Thanks to Török Edwin
for the patch!
* Compute a stable name for preprocessed files (Closes: #838188).
Thanks to Johannes Schauer for the patch!
* Close old bugs.
* New upstream release 4.05 closes CVE-2015-8869 (Closes: #824139).
* Debian release 4.03.0-3 defaults to PIC on arm (Closes: #837359).
.
[ Pino Toscano ]
* Convert the menu file to a desktop file. (see #741573)
--- End Message ---