Source: ctn Version: 3.2.0~dfsg-3 Severity: important User: [email protected] Usertags: pie-bindnow-20160906 Justification: makes dicomnifti FTBFS on amd64 with extra hardening Affects: dicomnifti
Dear Maintainers, During a rebuild of all packages in sid, dicomnifti failed to build on amd64 with patched GCC and dpkg. The root cause seems to be that libbfd.a is shipped as a non-PIC library. The rebuild tested if packages are ready for a transition enabling PIE and bindnow for amd64. For more information about the changes to sid's dpkg and GCC please visit: https://wiki.debian.org/Hardening/PIEByDefaultTransitio Relevant part of dicomnifti's build log: ... [ 57%] Linking CXX executable dinifti /usr/bin/cmake -E cmake_link_script CMakeFiles/dinifti.dir/link.txt --verbose=1 /usr/bin/c++ -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror= format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now CMakeFiles/dinifti.dir/src/ dinifti.cc.o CMakeFiles/dinifti.dir/src/dicomInfo.cc.o CMakeFiles/dinifti.dir/src/niftiout.cc.o -o di nifti -rdynamic /usr/lib/ctn/libctn.a -lniftiio -lznz /usr/bin/ld: /usr/lib/ctn/libctn.a(condition.o): relocation R_X86_64_32 against `.bss' can not be used when making a shared object; recompile with -fPIC ... The full build log is available from: https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/dicomnifti_2.32.1-1_amd64.build.gz The attached patch fixed the problem. Thanks, Balint
diff -u binutils-2.27/debian/changelog binutils-2.27/debian/changelog --- binutils-2.27/debian/changelog +++ binutils-2.27/debian/changelog @@ -1,3 +1,10 @@ +binutils (2.27-8+rbalint0) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Build libbfd with -fPIC + + -- Balint Reczey <[email protected]> Sat, 10 Sep 2016 15:53:07 +0200 + binutils (2.27-8) unstable; urgency=medium * Fix diversion updates for 32bit x86 targets. diff -u binutils-2.27/debian/patches/series binutils-2.27/debian/patches/series --- binutils-2.27/debian/patches/series +++ binutils-2.27/debian/patches/series @@ -12,6 +12,7 @@ 130_gold_disable_testsuite_build.patch 131_ld_bootstrap_testsuite.patch 135_bfd_version.patch +136_bfd_pic.patch 157_ar_scripts_with_tilde.patch #158_ld_system_root.patch 161_gold_dummy_zoption.diff only in patch2: unchanged: --- binutils-2.27.orig/debian/patches/136_bfd_pic.patch +++ binutils-2.27/debian/patches/136_bfd_pic.patch @@ -0,0 +1,25 @@ +Author: Balint Reczey <[email protected]> +Description: Build libbfd with -fPIC to allow linking with PIE binaries + +--- ./bfd/Makefile.am.bak 2016-09-10 16:26:46.062371030 +0200 ++++ ./bfd/Makefile.am 2016-09-10 16:27:48.913724681 +0200 +@@ -51,7 +51,7 @@ + + WARN_CFLAGS = @WARN_CFLAGS@ + NO_WERROR = @NO_WERROR@ +-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) ++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC + AM_CPPFLAGS = -DBINDIR='"$(bindir)"' + if PLUGINS + bfdinclude_HEADERS += $(INCDIR)/plugin-api.h +--- ./bfd/Makefile.in.bak 2016-09-10 16:26:53.009857349 +0200 ++++ ./bfd/Makefile.in 2016-09-10 16:27:31.886983240 +0200 +@@ -387,7 +387,7 @@ + # case both are empty. + ZLIB = @zlibdir@ -lz + ZLIBINC = @zlibinc@ +-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) ++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC + AM_CPPFLAGS = -DBINDIR='"$(bindir)"' + @PLUGINS_TRUE@LIBDL = @lt_cv_dlopen_libs@ +
