tags 653191 + patch
thanks

Hi Mike,

Moritz Mühlenhoff wrote (14 Jan 2012 12:34:45 GMT):
> But it would be nice if you could enable the protected stack and
> fortified source features for iceweasel and iceape.

The attached patch enables the protected stack and fortified source
build flags.

Given concerns were raised regarding dpkg-buildflags injecting
non-hardening flags, the attached patch uses the DEB_*_MAINT_STRIP
variables to strip any such non-hardening flags dpkg-buildflags would
normally inject (namely: -g -O2).

The resulting binary (10.0.3esr-3 + my patch) works fine for me on my
Debian sid system.

For the record, I have intentionally left relro, bindnow and PIE for
further discussion and iterations: better have iceweasel built with
minimal hardening flags than none. Note, though, that Ubuntu's Firefox
binary has been built with all these features for a while; any idea
how other major distributions do?

Regards,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

diff -Naur iceweasel-10.0.3esr.orig/debian/control.in iceweasel-10.0.3esr/debian/control.in
--- iceweasel-10.0.3esr.orig/debian/control.in	2012-03-30 19:33:54.000000000 +0200
+++ iceweasel-10.0.3esr/debian/control.in	2012-04-18 01:53:15.290769773 +0200
@@ -20,7 +20,7 @@
                libreadline-dev | libreadline5-dev,
                python,
                python-ply,
-               dpkg-dev (>= 1.13.19),
+               dpkg-dev (>= 1.16.1.1~),
                libnspr4-dev (>= 4.8.8),
                libnss3-dev (>= 3.13.1),
                libhunspell-dev (>= 1.2),
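Review bot: the raised dpkg-dev (>= 1.16.1.1~) Build-Depends is what makes the DEB_*_MAINT_STRIP variables and /usr/share/dpkg/buildflags.mk used in debian/rules available, but nothing in the patch records that reason; a debian/changelog line naming it would keep a later maintainer from lowering the version again. The trailing ~ is right, since it lets a backport such as 1.16.1.1~bpo... satisfy the dependency.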
diff -Naur iceweasel-10.0.3esr.orig/debian/rules iceweasel-10.0.3esr/debian/rules
--- iceweasel-10.0.3esr.orig/debian/rules	2012-03-30 19:33:54.000000000 +0200
+++ iceweasel-10.0.3esr/debian/rules	2012-04-18 01:49:28.377030714 +0200
@@ -22,6 +22,14 @@
 LIB_DIR := /usr/lib/iceweasel
 SHARE_DIR := /usr/share/iceweasel
 
+export DEB_CFLAGS_MAINT_STRIP   = -g -O2
+export DEB_CPPFLAGS_MAINT_STRIP = -g -O2
+export DEB_CXXFLAGS_MAINT_STRIP = -g -O2
+export DEB_FFLAGS_MAINT_STRIP   = -g -O2
+export DEB_BUILD_MAINT_OPTIONS  = hardening=-relro
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
 MAIN_LDFLAGS := -Wl,--as-needed
 
 AUTOCONF_DIRS := build/autoconf js/src/build/autoconf
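Review bot: stripping -O2 through the DEB_*_MAINT_STRIP lines removes the optimisation level that the -D_FORTIFY_SOURCE=2 added by dpkg-buildflags depends on; the __*_chk replacements are only emitted at -O1 or higher, so fortify is effective here only if the upstream build system puts its own -O flag on the compile lines, which is worth confirming in the build log. Also, DEB_BUILD_MAINT_OPTIONS = hardening=-relro switches off relro alone while the cover mail lists relro, bindnow and PIE as deferred; writing hardening=-relro,-bindnow,-pie would state that intent rather than rely on the dpkg-buildflags defaults of the installed version.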

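One way to verify that a rebuilt binary actually carries the features the patch enables, as an added example that is not part of the mail or of the iceweasel package: it shells out to binutils' readelf (its output layout is assumed) and looks for the symbols and segment each feature leaves behind; Debian's hardening-check tool performs the same kind of inspection.

```python
"""Report whether a built ELF shows the hardening the patch turns on (stack
protector, fortify) and the relro it leaves out. Added example, not from the
mail or the iceweasel package; assumes binutils' readelf and its text layout.
SAMPLE_* are constructed readelf output so the script also runs offline."""
import re, subprocess, sys

FORTIFY_SYMBOL = re.compile(r"^__[a-z0-9_]+_chk$")  # e.g. __memcpy_chk, __printf_chk
SAMPLE_DYN_SYMS = """\
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
     3: 0000000000001234    12 FUNC    GLOBAL DEFAULT   14 main
"""
SAMPLE_PROGRAM_HEADERS = """\
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x001000 0x001000 R E 0x1000
"""

def undefined_symbol_names(dyn_syms_output):
    """Imported (UND) symbol names; columns: Num: Value Size Type Bind Vis Ndx Name[@ver]."""
    names = []
    for line in dyn_syms_output.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[0].endswith(":") and parts[6] == "UND":
            names.append(parts[7].split("@")[0])
    return names

def hardening_report(dyn_syms_output, program_headers_output):
    """Judge the three features from readelf text, keeping I/O out of the logic."""
    imported = undefined_symbol_names(dyn_syms_output)
    return {
        # -fstack-protector makes every protected function call __stack_chk_fail
        "stackprotector": "__stack_chk_fail" in imported,
        # -D_FORTIFY_SOURCE=2 (only effective at -O1 or higher) routes checked calls to __*_chk
        "fortify": any(FORTIFY_SYMBOL.match(n) for n in imported),
        # -Wl,-z,relro adds a GNU_RELRO program header
        "relro": "GNU_RELRO" in program_headers_output,
    }

def check_binary(path):
    """Run readelf on a real file on disk and report on it."""
    def run(*args):
        return subprocess.run(["readelf", "-W", *args, path], capture_output=True, text=True, check=True).stdout
    return hardening_report(run("--dyn-syms"), run("-l"))

if __name__ == "__main__":
    report = check_binary(sys.argv[1]) if len(sys.argv) > 1 else hardening_report(
        SAMPLE_DYN_SYMS, SAMPLE_PROGRAM_HEADERS)
    for feature, present in report.items():
        print(f"{feature:15}{'yes' if present else 'no'}")
```

A missing __*_chk import is not proof that fortify is off: the checked variants are only emitted for calls whose buffer size the compiler can see, so treat a "no" as a prompt to read the build log rather than as a verdict.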