Bug#697387: libdap: Typo in DEB_BUILD_MAINT_OPTIONS prevents enabling all hardening flags

Fri, 04 Jan 2013 08:42:17 -0800 

Package: libdap
Version: 3.11.1-12
Severity: normal
Tags: patch

Dear Maintainer,

There's a typo in debian/rules which prevents enabling all
hardening flags (+allx instead of +all):

diff -Nru libdap-3.11.1/debian/rules libdap-3.11.1/debian/rules
--- libdap-3.11.1/debian/rules  2012-12-22 09:56:59.000000000 +0100
+++ libdap-3.11.1/debian/rules  2013-01-04 16:57:43.000000000 +0100
@@ -5,7 +5,7 @@
 LIBDIR:=/usr/lib/$(DEB_HOST_MULTIARCH)
 
 # To enable all, uncomment following line
-DEB_BUILD_MAINT_OPTIONS:= hardening=+allx
+DEB_BUILD_MAINT_OPTIONS:= hardening=+all
 DEB_CFLAGS_MAINT_APPEND:= -Wall -pedantic
 export DEB_BUILD_MAINT_OPTIONS
 export DEB_CFLAGS_MAINT_APPEND

However there might be one problem with this change. +all enables
PIE and it might be possible that dap-config passes these build
flags to other programs which will cause problems if the programs
are not also built as PIE. Please check the output of dap-config
for -fPIE in CFLAGS and -fPIE -pie in LDFLAGS and strip them if
necessary in the script.

Another option would be to use +all,-pie which doesn't built the
library with PIE (PIE is only relevant for binaries and libdap
only ships a single binary and is mostly used as library so this
should be fine too).

Instead of using LDFLAGS in the override_dh_auto_configure you
could also use DEB_LDFLAGS_MAINT_APPEND like you did for
DEB_CFLAGS_MAINT_APPEND, the following patch applies both
changes:

diff -Nru libdap-3.11.1/debian/rules libdap-3.11.1/debian/rules
--- libdap-3.11.1/debian/rules  2012-12-22 09:56:59.000000000 +0100
+++ libdap-3.11.1/debian/rules  2013-01-04 17:07:47.000000000 +0100
@@ -5,10 +5,12 @@
 LIBDIR:=/usr/lib/$(DEB_HOST_MULTIARCH)
 
 # To enable all, uncomment following line
-DEB_BUILD_MAINT_OPTIONS:= hardening=+allx
+DEB_BUILD_MAINT_OPTIONS:= hardening=+all
 DEB_CFLAGS_MAINT_APPEND:= -Wall -pedantic
+DEB_LDFLAGS_MAINT_APPEND:= -Wl,--as-needed
 export DEB_BUILD_MAINT_OPTIONS
 export DEB_CFLAGS_MAINT_APPEND
+export DEB_LDFLAGS_MAINT_APPEND
 #export DH_VERBOSE=1
 
 
@@ -24,7 +26,7 @@
        dh_autoreconf --as-needed
 
 override_dh_auto_configure:
-       LDFLAGS="$(LDFLAGS)  -Wl,--as-needed" dh_auto_configure -- --with-gnu-ld
+       dh_auto_configure -- --with-gnu-ld
 
 override_dh_auto_build:
        dh_auto_build

Regards,
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Attachment: signature.asc
Description: Digital signature

Reply via email to