Bug#733986: pixman: Please enable hardening build flags
Source: pixman
Version: 0.32.4-1
Severity: normal
Tags: patch
User: hardening-discuss@lists.alioth.debian.org
Usertags: goal-hardening
Hi,
the attached Git patch enables the default set of hardening
buildflags, plus the bonus "bindnow" (-Wl,-z,now) linker one.
Please review and apply as you see fit.
I have built and tested the resulting binary package on a current sid
system with the only reverse-dependency I'm using: Iceweasel.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
From 871dea75ba6436ffc9cbf511bcdd02de9bf3f4dc Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@debian.org>
Date: Thu, 2 Jan 2014 21:11:53 +0000
Subject: [PATCH] Enable hardening build flags with dpkg-buildflags.
All default dpkg-buildflags, plus the bonus bindnow one, are used.
The last available one (PIE) is not applicable to shared libraries.
---
debian/rules | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/rules b/debian/rules
index 0cc3337..71e3751 100755
--- a/debian/rules
+++ b/debian/rules
@@ -3,6 +3,7 @@
PACKAGE = libpixman-1-0
SHLIBS = 0.25.2
+export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
# Disable Gtk+ autodetection:
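Review bot: The added `export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow` line has no comment saying why bindnow is the only extra flag enabled; the reason PIE is left out (not applicable to shared libraries) is recorded only in the commit message. A one-line comment above the export in debian/rules would keep that rationale next to the setting, so a later maintainer does not change the hardening selection without revisiting it.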
@@ -12,7 +13,8 @@ override_dh_auto_configure:
LS_CFLAGS=" " dh_auto_configure -- --disable-gtk \
--disable-silent-rules \
--disable-arm-iwmmxt \
- --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH)
+ --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
+ $(shell dpkg-buildflags --export=configure)
# Install in debian/tmp to retain control through dh_install:
override_dh_auto_install:
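Review bot: The `$(shell dpkg-buildflags --export=configure)` call on the added configure line is expanded by make's shell function, and GNU make releases before 4.4 do not pass exported makefile variables into the environment of $(shell ...), so the `hardening=+bindnow` setting from the first hunk may never reach this dpkg-buildflags invocation. Either set the variable inside the call, as in `$(shell DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow dpkg-buildflags --export=configure)`, or include /usr/share/dpkg/buildflags.mk, and confirm in the build log that -Wl,-z,now appears on the link lines.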
--
1.8.5.2