[pkg-sec] Help with CFLAGS/LDFLAGS on t50

Subject: [pkg-sec] Help with CFLAGS/LDFLAGS on t50
From: lukas@schwaighofer.name (Lukas Schwaighofer)
Date: Tue, 20 Jun 2017 19:23:24 +0200
Message-id: <[🔎] mailman.1.1497979414.6340.pkg-security-team@lists.alioth.debian.org>
In-reply-to: <[🔎] 1928783228.3660290.1497947586132@mail.yahoo.com>
References: <[🔎] CABwkT9o9SsokHPZO69QxUcJU7b6+mftq3MVXJBF0Jv2f2x5L9A@mail.gmail.com> <[🔎] 1928783228.3660290.1497947586132@mail.yahoo.com>

Hi Samuel,

I agree with Gianfranco regarding PIE.  However, looking at the compile
flags, I found that the configure script adds the following to the
CFLAGS (with your gcc_flags.patch applied):

    CFLAGS+=" -s -DNDEBUG -fno-stack-protector"

These options come after the "-g" and "-fstack-protector-strong" added
by dpkg-buildflags and disable both of them.

You should definitely remove "-s" (for the dbgsym package, the symbols
will be stripped from the binary package automatically).

You probably should also remove "-fno-stack-protector" (although there
may be a reason why this was added by upstream?).

Regards
Lukas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-security-team/attachments/20170620/060d8aa1/attachment.sig>

Reply to:

References:
- [pkg-sec] Help with CFLAGS/LDFLAGS on t50
  - From: samueloph@gmail.com (Samuel Henrique)
- [pkg-sec] Help with CFLAGS/LDFLAGS on t50
  - From: locutusofborg@debian.org (Gianfranco Costamagna)

Prev by Date: [pkg] CurveDNS - review
Next by Date: [pkg-sec] Help with CFLAGS/LDFLAGS on t50
Previous by thread: [pkg-sec] Help with CFLAGS/LDFLAGS on t50
Next by thread: [pkg-sec] Help with CFLAGS/LDFLAGS on t50
Index(es):
- Date
- Thread