Package: dpkg-dev
Version: 1.22.18ubuntu2
Severity: normal
Tags: patch
X-Debbugs-Cc: [email protected]

Hi,

We don't pass the branch hardening flags to LDFLAGS. However, this can be
necessary for the linker to expose the relevant flags in the ELF notes,
notably on arm64. It's usually not too much of an issue since *most*
build scripts will also import CFLAGS, but that's not strictly
necessary. An example package that only uses LDFLAGS for building is
src:db5.3.

Starting with GCC 15, this will become an issue as the linker will start
issuing warnings when linking GCS-enabled executables to libraries that do
not have said GCS flag.

-- System Information:
Debian Release: trixie/sid
  APT prefers plucky-updates
  APT policy: (500, 'plucky-updates'), (500, 'plucky-security'), (500, 'plucky'), (100, 'plucky-proposed')
Architecture: amd64 (x86_64)

Kernel: Linux 6.14.0-29-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dpkg-dev depends on:
ii  binutils           2.44-3ubuntu1
ii  bzip2              1.0.8-6
ii  libdpkg-perl       1.22.18ubuntu2
ii  lto-disabled-list  57
ii  make               4.4.1-1
ii  patch              2.7.6-7build3
ii  perl               5.40.1-2ubuntu0.2
ii  tar                1.35+dfsg-3.1
ii  xz-utils           5.6.4-1ubuntu1

Versions of packages dpkg-dev recommends:
ii  build-essential          12.12ubuntu1
ii  clang-18 [c-compiler]    1:18.1.8-17
ii  clang-19 [c-compiler]    1:19.1.7-3ubuntu1
ii  clang-20 [c-compiler]    1:20.1.2-0ubuntu1
ii  fakeroot                 1.37.1-1
ii  gcc [c-compiler]         4:14.2.0-1ubuntu1
ii  gcc-13 [c-compiler]      13.3.0-13ubuntu1
ii  gcc-14 [c-compiler]      14.2.0-19ubuntu2
ii  gnupg                    2.4.4-2ubuntu23.1
ii  gpgv                     2.4.4-2ubuntu23.1
ii  libalgorithm-merge-perl  0.08-5

Versions of packages dpkg-dev suggests:
ii  debian-keyring  2025.03.23

-- no debconf information
From b0afb5e50f653586d86374a3cd5fdd50b3f4d0a8 Mon Sep 17 00:00:00 2001
From: Simon Chopin <[email protected]>
Date: Fri, 12 Sep 2025 15:43:45 +0200
Subject: [PATCH] dpkg-buildflags: add branch hardening flags to LDFLAGS (LP:
 #2122602)

Some branch hardening features might need to also touch things up at
link time, at least to surface which features were enabled in the
module in the ELF notes.

This becomes an issue with GCC 15 which enables GCS, as the linker will
issue a warning if trying to link objects with mixed GCS flags. In
essence, this would fail:

cc $(CFLAGS) -c foo.c -o foo.o
cc $(LDFLAGS) foo.o -o libfoo.so # Produces a lib without GCS bit
...
cc $(CFLAGS) $(LDFLAGS) -lfoo -o testexec test.c # Attempts to link
                                                 # testexec with GCS enabled
Output:
foo.so: warning: GCS is required by -z gcs, but this shared library
lacks the necessary property note. The dynamic loader might not enable
GCS or refuse to load the program unless all the shared library
dependencies have the GCS marking.
---
 scripts/Dpkg/Vendor/Debian.pm | 1 +
 scripts/Dpkg/Vendor/Ubuntu.pm | 1 +
 2 files changed, 2 insertions(+)

diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index 2284e84d8..21edc713c 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -643,6 +643,7 @@ sub add_build_flags {
         # be on derivatives.
         if (defined $flag) {
             $flags->append($_, $flag) foreach @compile_flags;
+            $flags->append('LDFLAGS', $flag);
         }
     }
 
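Review bot: the new `$flags->append('LDFLAGS', $flag);` in Debian.pm adds the flag to LDFLAGS as an entry separate from the `@compile_flags` ones, so a package that removes it from CFLAGS with DEB_CFLAGS_MAINT_STRIP will still pass it at link time unless it also strips LDFLAGS. Please document the new LDFLAGS content for this feature, and extend the comment above the `if (defined $flag)` block to say the link-time copy is there for the ELF notes; the diffstat shows no documentation or test change.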
diff --git a/scripts/Dpkg/Vendor/Ubuntu.pm b/scripts/Dpkg/Vendor/Ubuntu.pm
index c86eee9d2..37258748a 100644
--- a/scripts/Dpkg/Vendor/Ubuntu.pm
+++ b/scripts/Dpkg/Vendor/Ubuntu.pm
@@ -190,6 +190,7 @@ sub add_build_flags {
         }
         if (defined $flag) {
             $flags->append($_, $flag) foreach @compile_flags;
+            $flags->append('LDFLAGS', $flag);
         }
     }
 
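Review bot: this is the same one-line append as in Debian.pm, placed in Ubuntu.pm's own copy of the `if (defined $flag)` block, so the two vendor modules now have to be kept in sync by hand. Consider adding a test that checks LDFLAGS carries the branch flag for both vendors (the diffstat touches only the two .pm files), and say in a comment that `$flag` is a compiler option, so it only makes sense where the link goes through the compiler driver as in the `cc $(LDFLAGS)` lines of the commit message.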

base-commit: e41dfb5eab1f03b5c3b35ef548862ba24a2aad41
-- 
2.48.1
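
An added example, not part of the original report or of dpkg: a Python decoder for the raw bytes of a `.note.gnu.property` section (ELF64 little-endian assumed) that lists the AArch64 feature bits (BTI, PAC, GCS) an object is marked with and reports which objects lack GCS. The helper names `make_note` and `lacking` and the sample notes are constructed for illustration.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_BITS = {0x1: "BTI", 0x2: "PAC", 0x4: "GCS"}


def aarch64_features(section: bytes) -> set:
    """Feature names marked in raw .note.gnu.property bytes (ELF64, little-endian)."""
    found, off = set(), 0
    while off < len(section):
        if off + 12 > len(section):
            raise ValueError("truncated note header")
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name_end = off + 12 + namesz
        desc_off = (name_end + 3) & ~3            # note name is padded to 4 bytes
        desc = section[desc_off:desc_off + descsz]
        if len(desc) != descsz:
            raise ValueError("truncated note descriptor")
        is_prop = ntype == NT_GNU_PROPERTY_TYPE_0 and section[off + 12:name_end] == b"GNU\0"
        pos = 0
        while is_prop and pos + 8 <= descsz:
            pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
            if pos + 8 + pr_datasz > descsz:
                raise ValueError("truncated property")
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz >= 4:
                (bits,) = struct.unpack_from("<I", desc, pos + 8)
                found |= {name for bit, name in FEATURE_BITS.items() if bits & bit}
            pos += (8 + pr_datasz + 7) & ~7       # properties are 8-byte aligned
        off = (desc_off + descsz + 7) & ~7        # next note starts 8-byte aligned
    return found


def make_note(bits: int) -> bytes:
    """Constructed sample: one GNU property note carrying FEATURE_1_AND = bits."""
    desc = struct.pack("<III", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, bits) + b"\0" * 4
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc


def lacking(feature: str, objects: dict) -> list:
    """Names of objects whose property note does not mark `feature`."""
    return sorted(n for n, sec in objects.items() if feature not in aarch64_features(sec))


# Constructed inputs: a library marked without GCS and an executable marked with it.
SAMPLES = {"libfoo.so": make_note(0x1 | 0x2), "testexec": make_note(0x1 | 0x2 | 0x4)}

if __name__ == "__main__":
    print(lacking("GCS", SAMPLES))
```

On a real binary, `readelf -n` prints the same properties from the section.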
