Source: binpac Version: 0.44-1 Severity: important User: [email protected] Usertags: pie-bindnow-20160906 Justification: makes bro FTBFS on amd64 with extra hardening Affects: bro
Dear Maintainers, During a rebuild of all packages in sid, dicomnifti failed to build on amd64 with patched GCC and dpkg. The root cause seems to be that libbinpac.a is shipped as a non-PIC library. The rebuild tested whether packages are ready for a transition enabling PIE and bindnow for amd64. For more information about the changes to sid's dpkg and GCC please visit: https://wiki.debian.org/Hardening/PIEByDefaultTransition Relevant part of bro's build log: ... [100%] Linking CXX executable bro cd /<<BUILDDIR>>/bro-2.4.1+dfsg/build/src && /usr/bin/cmake -E cmake_link_script CMakeFiles/bro.dir/link.txt --verbose=1 /usr/bin/c++ -g -O2 -fdebug-prefix-map=/<<BUILDDIR>>/bro-2.4.1+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wno-unused -Wl,-z,relro -Wl,-z,no w CMakeFiles/bro.dir/version.c.o CMakeFiles/bro.dir/binpac-lib_pac.cc.o CMakeFiles/bro.dir/binpac_bro-lib_pac.cc.o CMakeFiles/bro.dir/rule-parse.cc.o CMakeFiles/bro.dir/re-parse.cc.o CMakeFiles/bro.dir/par se.cc.o CMakeFiles/bro.dir/rule-scan.cc.o CMakeFiles/bro.dir/re-scan.cc.o CMakeFiles/bro.dir/scan.cc.o CMakeFiles/bro.dir/plugins.cc.o CMakeFiles/bro.dir/main.cc.o CMakeFiles/bro.dir/net_util.cc.o CMakeFil es/bro.dir/util.cc.o CMakeFiles/bro.dir/module_util.cc.o CMakeFiles/bro.dir/Anon.cc.o CMakeFiles/bro.dir/Attr.cc.o CMakeFiles/bro.dir/Base64.cc.o CMakeFiles/bro.dir/Brofiler.cc.o CMakeFiles/bro.dir/BroStri ng.cc.o CMakeFiles/bro.dir/CCL.cc.o CMakeFiles/bro.dir/ChunkedIO.cc.o CMakeFiles/bro.dir/CompHash.cc.o CMakeFiles/bro.dir/Conn.cc.o CMakeFiles/bro.dir/ConvertUTF.c.o CMakeFiles/bro.dir/DFA.cc.o CMakeFiles/ bro.dir/DbgBreakpoint.cc.o CMakeFiles/bro.dir/DbgHelp.cc.o CMakeFiles/bro.dir/DbgWatch.cc.o CMakeFiles/bro.dir/Debug.cc.o CMakeFiles/bro.dir/DebugCmds.cc.o CMakeFiles/bro.dir/DebugLogger.cc.o CMakeFiles/br o.dir/Desc.cc.o CMakeFiles/bro.dir/Dict.cc.o CMakeFiles/bro.dir/Discard.cc.o CMakeFiles/bro.dir/DNS_Mgr.cc.o CMakeFiles/bro.dir/EquivClass.cc.o 
CMakeFiles/bro.dir/Event.cc.o CMakeFiles/bro.dir/EventHandler .cc.o CMakeFiles/bro.dir/EventLauncher.cc.o CMakeFiles/bro.dir/EventRegistry.cc.o CMakeFiles/bro.dir/Expr.cc.o CMakeFiles/bro.dir/File.cc.o CMakeFiles/bro.dir/Flare.cc.o CMakeFiles/bro.dir/Frag.cc.o CMakeF iles/bro.dir/Frame.cc.o CMakeFiles/bro.dir/Func.cc.o CMakeFiles/bro.dir/Hash.cc.o CMakeFiles/bro.dir/ID.cc.o CMakeFiles/bro.dir/IntSet.cc.o CMakeFiles/bro.dir/IP.cc.o CMakeFiles/bro.dir/IPAddr.cc.o CMakeFi les/bro.dir/List.cc.o CMakeFiles/bro.dir/Reporter.cc.o CMakeFiles/bro.dir/NFA.cc.o CMakeFiles/bro.dir/Net.cc.o CMakeFiles/bro.dir/NetVar.cc.o CMakeFiles/bro.dir/Obj.cc.o CMakeFiles/bro.dir/OpaqueVal.cc.o C MakeFiles/bro.dir/OSFinger.cc.o CMakeFiles/bro.dir/PacketFilter.cc.o CMakeFiles/bro.dir/PersistenceSerializer.cc.o CMakeFiles/bro.dir/Pipe.cc.o CMakeFiles/bro.dir/PolicyFile.cc.o CMakeFiles/bro.dir/PrefixT able.cc.o CMakeFiles/bro.dir/PriorityQueue.cc.o CMakeFiles/bro.dir/Queue.cc.o CMakeFiles/bro.dir/RandTest.cc.o CMakeFiles/bro.dir/RE.cc.o CMakeFiles/bro.dir/Reassem.cc.o CMakeFiles/bro.dir/RemoteSerializer .cc.o CMakeFiles/bro.dir/Rule.cc.o CMakeFiles/bro.dir/RuleAction.cc.o CMakeFiles/bro.dir/RuleCondition.cc.o CMakeFiles/bro.dir/RuleMatcher.cc.o CMakeFiles/bro.dir/ScriptAnaly.cc.o CMakeFiles/bro.dir/SmithW aterman.cc.o CMakeFiles/bro.dir/Scope.cc.o CMakeFiles/bro.dir/SerializationFormat.cc.o CMakeFiles/bro.dir/SerialObj.cc.o CMakeFiles/bro.dir/Serializer.cc.o CMakeFiles/bro.dir/Sessions.cc.o CMakeFiles/bro.d ir/StateAccess.cc.o CMakeFiles/bro.dir/Stats.cc.o CMakeFiles/bro.dir/Stmt.cc.o CMakeFiles/bro.dir/Tag.cc.o CMakeFiles/bro.dir/Timer.cc.o CMakeFiles/bro.dir/Traverse.cc.o CMakeFiles/bro.dir/Trigger.cc.o CMa keFiles/bro.dir/TunnelEncapsulation.cc.o CMakeFiles/bro.dir/Type.cc.o CMakeFiles/bro.dir/UID.cc.o CMakeFiles/bro.dir/Val.cc.o CMakeFiles/bro.dir/Var.cc.o CMakeFiles/bro.dir/bsd-getopt-long.c.o CMakeFiles/b ro.dir/bro_inet_ntop.c.o CMakeFiles/bro.dir/cq.c.o CMakeFiles/bro.dir/patricia.c.o 
CMakeFiles/bro.dir/setsignal.c.o CMakeFiles/bro.dir/PacketDumper.cc.o CMakeFiles/bro.dir/strsep.c.o CMakeFiles/bro.dir/mod p_numtoa.c.o CMakeFiles/bro.dir/threading/BasicThread.cc.o CMakeFiles/bro.dir/threading/Formatter.cc.o CMakeFiles/bro.dir/threading/Manager.cc.o CMakeFiles/bro.dir/threading/MsgThread.cc.o CMakeFiles/bro.d ir/threading/SerialTypes.cc.o CMakeFiles/bro.dir/threading/formatters/Ascii.cc.o CMakeFiles/bro.dir/threading/formatters/JSON.cc.o CMakeFiles/bro.dir/plugin/Component.cc.o CMakeFiles/bro.dir/plugin/Manager .cc.o CMakeFiles/bro.dir/plugin/Plugin.cc.o CMakeFiles/bro.dir/nb_dns.c.o -o bro -rdynamic analyzer/protocol/arp/libplugin-Bro-ARP.a analyzer/protocol/ayiya/libplugin-Bro-AYIYA.a analyzer/protocol/backdoo r/libplugin-Bro-BackDoor.a analyzer/protocol/bittorrent/libplugin-Bro-BitTorrent.a analyzer/protocol/conn-size/libplugin-Bro-ConnSize.a analyzer/protocol/dce-rpc/libplugin-Bro-DCE_RPC.a analyzer/protocol/d hcp/libplugin-Bro-DHCP.a analyzer/protocol/dnp3/libplugin-Bro-DNP3.a analyzer/protocol/dns/libplugin-Bro-DNS.a analyzer/protocol/file/libplugin-Bro-File.a analyzer/protocol/finger/libplugin-Bro-Finger.a an alyzer/protocol/ftp/libplugin-Bro-FTP.a analyzer/protocol/gnutella/libplugin-Bro-Gnutella.a analyzer/protocol/gtpv1/libplugin-Bro-GTPv1.a analyzer/protocol/http/libplugin-Bro-HTTP.a analyzer/protocol/icmp/ libplugin-Bro-ICMP.a analyzer/protocol/ident/libplugin-Bro-Ident.a analyzer/protocol/interconn/libplugin-Bro-InterConn.a analyzer/protocol/irc/libplugin-Bro-IRC.a analyzer/protocol/krb/libplugin-Bro-KRB.a analyzer/protocol/login/libplugin-Bro-Login.a analyzer/protocol/mime/libplugin-Bro-MIME.a analyzer/protocol/modbus/libplugin-Bro-Modbus.a analyzer/protocol/mysql/libplugin-Bro-MySQL.a analyzer/protocol/ncp /libplugin-Bro-NCP.a analyzer/protocol/netbios/libplugin-Bro-NetBIOS.a analyzer/protocol/ntp/libplugin-Bro-NTP.a analyzer/protocol/pia/libplugin-Bro-PIA.a analyzer/protocol/pop3/libplugin-Bro-POP3.a analyz 
er/protocol/radius/libplugin-Bro-RADIUS.a analyzer/protocol/rdp/libplugin-Bro-RDP.a analyzer/protocol/rpc/libplugin-Bro-RPC.a analyzer/protocol/sip/libplugin-Bro-SIP.a analyzer/protocol/snmp/libplugin-Bro-SNMP.a analyzer/protocol/smb/libplugin-Bro-SMB.a analyzer/protocol/smtp/libplugin-Bro-SMTP.a analyzer/protocol/socks/libplugin-Bro-SOCKS.a analyzer/protocol/ssh/libplugin-Bro-SSH.a analyzer/protocol/ssl/libplugin-Bro-SSL.a analyzer/protocol/stepping-stone/libplugin-Bro-SteppingStone.a analyzer/protocol/syslog/libplugin-Bro-Syslog.a analyzer/protocol/tcp/libplugin-Bro-TCP.a analyzer/protocol/teredo/libplugin-Bro-Teredo.a analyzer/protocol/udp/libplugin-Bro-UDP.a analyzer/protocol/zip/libplugin-Bro-ZIP.a file_analysis/analyzer/data_event/libplugin-Bro-FileDataEvent.a file_analysis/analyzer/extract/libplugin-Bro-FileExtract.a file_analysis/analyzer/hash/libplugin-Bro-FileHash.a file_analysis/analyzer/pe/libplugin-Bro-PE.a file_analysis/analyzer/unified2/libplugin-Bro-Unified2.a file_analysis/analyzer/x509/libplugin-Bro-X509.a input/readers/ascii/libplugin-Bro-AsciiReader.a input/readers/benchmark/libplugin-Bro-BenchmarkReader.a input/readers/binary/libplugin-Bro-BinaryReader.a input/readers/raw/libplugin-Bro-RawReader.a input/readers/sqlite/libplugin-Bro-SQLiteReader.a iosource/pcap/libplugin-Bro-Pcap.a logging/writers/ascii/libplugin-Bro-AsciiWriter.a logging/writers/none/libplugin-Bro-NoneWriter.a logging/writers/sqlite/libplugin-Bro-SQLiteWriter.a broker-dummy/libbro_broker_dummy.a probabilistic/libbro_probabilistic.a logging/libbro_logging.a iosource/libbro_iosource.a input/libbro_input.a file_analysis/libbro_file_analysis.a broxygen/libbro_broxygen.a analyzer/libbro_analyzer.a -Wl,-Bstatic -lbinpac -Wl,-Bdynamic -lpcap -lssl -lcrypto -lresolv -lz -lsqlite3 -lGeoIP -ltcmalloc -lpthread -ldl /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/6/../../../../lib/libbinpac.a(binpac_buffer.cc.o): relocation R_X86_64_32S against symbol `_ZTVN6binpac10FlowBufferE' can not be 
used when making a shared object; recompile with -fPIC /usr/bin/ld: final link failed: Nonrepresentable section on output collect2: error: ld returned 1 exit status src/CMakeFiles/bro.dir/build.make:3140: recipe for target 'src/bro' failed ... The full build log is available from: https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/bro_2.4.1+dfsg-2_amd64.build.gz Thanks, Balint
diff -u binutils-2.27/debian/changelog binutils-2.27/debian/changelog
--- binutils-2.27/debian/changelog
+++ binutils-2.27/debian/changelog
@@ -1,3 +1,10 @@
+binutils (2.27-8+rbalint0) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Build libbfd with -fPIC
+
+ -- Balint Reczey <[email protected]> Sat, 10 Sep 2016 15:53:07 +0200
+
 binutils (2.27-8) unstable; urgency=medium

 * Fix diversion updates for 32bit x86 targets.
diff -u binutils-2.27/debian/patches/series binutils-2.27/debian/patches/series
--- binutils-2.27/debian/patches/series
+++ binutils-2.27/debian/patches/series
@@ -12,6 +12,7 @@
 130_gold_disable_testsuite_build.patch
 131_ld_bootstrap_testsuite.patch
 135_bfd_version.patch
+136_bfd_pic.patch
 157_ar_scripts_with_tilde.patch
 #158_ld_system_root.patch
 161_gold_dummy_zoption.diff
only in patch2:
unchanged:
--- binutils-2.27.orig/debian/patches/136_bfd_pic.patch
+++ binutils-2.27/debian/patches/136_bfd_pic.patch
@@ -0,0 +1,25 @@
+Author: Balint Reczey <[email protected]>
+Description: Build libbfd with -fPIC to allow linking with PIE binaries
+
+--- ./bfd/Makefile.am.bak 2016-09-10 16:26:46.062371030 +0200
++++ ./bfd/Makefile.am 2016-09-10 16:27:48.913724681 +0200
+@@ -51,7 +51,7 @@
+
+ WARN_CFLAGS = @WARN_CFLAGS@
+ NO_WERROR = @NO_WERROR@
+-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC)
++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC
+ AM_CPPFLAGS = -DBINDIR='"$(bindir)"'
+ if PLUGINS
+ bfdinclude_HEADERS += $(INCDIR)/plugin-api.h
+--- ./bfd/Makefile.in.bak 2016-09-10 16:26:53.009857349 +0200
++++ ./bfd/Makefile.in 2016-09-10 16:27:31.886983240 +0200
+@@ -387,7 +387,7 @@
+ # case both are empty.
+ ZLIB = @zlibdir@ -lz
+ ZLIBINC = @zlibinc@
+-AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC)
++AM_CFLAGS = $(WARN_CFLAGS) $(ZLIBINC) -fPIC
+ AM_CPPFLAGS = -DBINDIR='"$(bindir)"'
+ @PLUGINS_TRUE@LIBDL = @lt_cv_dlopen_libs@
+
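Review bot: Hard-coding `-fPIC` into `AM_CFLAGS` in the new 136_bfd_pic.patch, once in bfd/Makefile.am and again by hand in the generated bfd/Makefile.in, forces the flag on every bfd object on every architecture and must be re-carried on each upstream update. If bfd is built through libtool, as upstream binutils does (not visible in this hunk), passing `--with-pic` to configure would make the static archive PIC without patching either makefile. The Makefile.in hunk is only needed when the package does not regenerate autotools output at build time, and the two copies can drift apart, so the patch header should say which case applies. The change covers libbfd only; whether other static archives from this source are linked into the same PIE consumers cannot be checked from this diff, and they would need the same treatment. This matters for hardening because a consumer that cannot link a non-PIC archive as PIE falls back to a fixed-address executable and loses ASLR for its main image.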

