[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#849542: PIE specs ignored even with DEB_BUILD_MAINT_OPTIONS hardening



Package: gcc-6
Version: 6.2.1-7
Severity: important

The check introduced to ignore dpkg's PIE specs when PIE is not enabled
by default is wrong, and ends up ignoring them even when hardening=+all
or hardening=+pie is present in DEB_BUILD_MAINT_OPTIONS.

The current check is:

>       if (ignore_pie_specs_when_not_enabled("DEB_BUILD_MAINT_OPTIONS", arg)
>          || ignore_pie_specs_when_not_enabled("DEB_BUILD_OPTIONS", arg))

but since only DEB_BUILD_MAINT_OPTIONS includes the hardening options,
the second call with DEB_BUILD_OPTIONS returns true and causes the file
to be ignored. I believe this should be && rather than ||.

I can reproduce this regression by building one of my packages
(src:polyml) on sparc64:

> $ grep hardening debian/rules
> export DEB_BUILD_MAINT_OPTIONS=hardening=+all
> $ dpkg-buildpackage -us -uc
> [...]
> g++: note: pie specs /usr/share/dpkg/pie-compile.specs ignored when pie is not enabled

Regards,
James


Reply to: