Hi, while enabling the arm64 security features known as PAC, BTI, and GCS we found that some packages are built without the default build flags emitted by dpkg-buildflags(1). Some of you are aware of this because of various conversations we had throughout the year, as well as a paper I presented at Debconf 25: https://people.debian.org/~ema/nocflags_paper.pdf
A long-overdue task of mine is filing bugs about the above-mentioned packages. Here's the template I intend to use. You can find the output of dd-list attached.

PKG: please build using the default build flags
Source: PKG
Version: VERSION
User: [email protected]
Usertags: hardening-buildflags

PKG is not currently using the default build flags set by dpkg-buildflags(1). The default flags are chosen for multiple reasons including security, performance, reproducibility, adherence to standards, and error handling.

Please make sure that PKG builds using the default build flags. blhc(1p) and hardening-check(1) can be used to confirm that the issue is fixed.

In the general case, packages honoring CFLAGS, LDFLAGS, and other similar environment variables get the default build flags for free without the need for any work on the maintainer side. In the case of PKG, the flags are either ignored or overridden. The most common reasons for this are:

Hand-written Makefiles
----------------------
Some upstream Makefiles either override the values of variables such as CFLAGS and similar or do not use them at all. See:
https://wiki.debian.org/HardeningWalkthrough#Handwritten_Makefiles

Misconfigured build systems
---------------------------
If the upstream code uses autotools, CMake, or other popular build systems, it usually requires no further modifications. It might however be that some variables are hardcoded in some way. In this CMake snippet, the value of CXXFLAGS is overwritten with "-O2":

  set(CMAKE_CXX_FLAGS "-O2")

If the intention is to append to CXXFLAGS, one should use the following instead:

  set(CMAKE_CXX_FLAGS "-O2 ${CMAKE_CXX_FLAGS}")

See #655870 for a similar autotools example.

Very old debhelper usage
------------------------
Packages not using dh(1), or those using a debhelper compatibility level less than 9, need to manually include /usr/share/dpkg/buildflags.mk in order for the dpkg-buildflags variables to be set:
https://wiki.debian.org/Hardening#dpkg-buildflags

Flags hardcoded in debian/rules (either voluntarily or not)
-----------------------------------------------------------
Some packages voluntarily hardcode the values of CFLAGS and friends in debian/rules, ignoring the defaults set by dpkg-buildflags(1). Others attempt to append to the variables, but end up accidentally overriding the defaults:

  #!/usr/bin/make -f
  export CFLAGS += -pipe -fPIC -Wall
  %:
  	dh $@

Debhelper only sets CFLAGS if it is not set yet. In the example above, when dh is invoked the value of CFLAGS is "-pipe -fPIC -Wall", hence the hardened defaults are not used. The right way to append to CFLAGS is using DEB_CFLAGS_MAINT_APPEND instead, as documented in dpkg-buildflags(1).
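As an added illustration of the kind of check blhc(1p) performs (this is example code written for this post, not blhc itself and not code from any of the packages listed), the script below scans a build log for compiler driver invocations and reports the ones that lack the hardening flags dpkg-buildflags(1) emits by default. The flag lists are an assumption about typical defaults (the exact set depends on release and architecture), and the log lines are constructed; in practice you would feed it the real build log of PKG and then confirm the shipped binaries with hardening-check(1).

```shell
#!/bin/sh
# Added example, not part of the original mail or of blhc: a minimal blhc-style
# scan of a build log for compile and link lines missing the default hardening
# flags. Flag lists below are an assumption about typical dpkg-buildflags output.

# Constructed sample build log: lines 1 and 3 honour the defaults, lines 2 and 4
# are the "flags ignored or overridden" cases the bug template describes.
SAMPLE_LOG='gcc -g -O2 -ffile-prefix-map=/build/foo=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -c foo.c -o foo.o
gcc -O2 -c bar.c -o bar.o
gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -o foo foo.o bar.o
cc -pipe -fPIC -Wall -c baz.c -o baz.o
install -m 0755 foo /build/foo/debian/foo/usr/bin/foo'

# Flags every compile line (with -c) and every link line is expected to carry.
# Assumed defaults; adjust to the output of "dpkg-buildflags --get CFLAGS/LDFLAGS".
REQUIRED_CFLAGS="-fstack-protector-strong -Werror=format-security -D_FORTIFY_SOURCE=2"
REQUIRED_LDFLAGS="-Wl,-z,relro"

# check_build_log LOGTEXT: prints one line per offending compiler invocation,
# naming the missing flags; prints nothing when every line carries the defaults.
check_build_log() {
    printf '%s\n' "$1" | awk -v creq="$REQUIRED_CFLAGS" -v lreq="$REQUIRED_LDFLAGS" '
        BEGIN {
            nc = split(creq, cwant, " ")
            nl = split(lreq, lwant, " ")
        }
        # Return the flags from want[1..n] that do not appear as a token on $0.
        function missing(want, n,    i, j, found, out) {
            out = ""
            for (i = 1; i <= n; i++) {
                found = 0
                for (j = 2; j <= NF; j++) if ($j == want[i]) found = 1
                if (!found) out = out " " want[i]
            }
            return out
        }
        # Only compiler driver invocations (optionally versioned) are of interest.
        $1 !~ /^(cc|gcc|g[+][+]|c[+][+]|clang|clang[+][+])(-[0-9.]+)?$/ { next }
        # Compile step: the CFLAGS defaults must be present.
        / -c / { m = missing(cwant, nc); if (m != "") print "CFLAGS missing:" m " <= " $0; next }
        # Anything else from the driver is a link step: check LDFLAGS defaults.
        { m = missing(lwant, nl); if (m != "") print "LDFLAGS missing:" m " <= " $0 }
    '
}

# count_bad LOGTEXT: number of offending lines; 0 means the log looks clean.
count_bad() {
    check_build_log "$1" | grep -c 'missing:' || true
}

# Stand-alone usage: report on the constructed log and exit non-zero if dirty.
check_build_log "$SAMPLE_LOG"
[ "$(count_bad "$SAMPLE_LOG")" = "0" ]
```

On the sample log this flags bar.c (built with a bare "-O2", the CMake override case) and baz.c (built with "-pipe -fPIC -Wall", the debian/rules override case) while accepting the two lines that carry the defaults. Matching whole tokens rather than substrings avoids being fooled by look-alikes such as -D_FORTIFY_SOURCE=1.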
Adam Majer <[email protected]>
   lpr

Alastair McKinstry <[email protected]>
   csh
   flexpart

Alessio Treglia <[email protected]>
   ir.lv2 (U)
   jackmeter (U)
   klick (U)

Alex Myczko <[email protected]>
   bchunk (U)
   elfkickers
   hivelytracker (U)
   klystrack (U)

Alex Pennace <[email protected]>
   dircproxy

Alexander Bürger <[email protected]>
   fig2sxd

Alexander Zangerl <[email protected]>
   glimpse

Alexandre Detiste <[email protected]>
   dbview
   geki3 (U)
   pacman (U)

Andreas Barth <[email protected]>
   mgetty (U)

Andreas Tille <[email protected]>
   assembly-stats (U)
   ctsim (U)
   flashbench (U)
   gmotionlive (U)
   lumpy-sv (U)
   murasaki (U)
   obitools (U)
   parsinsert (U)

Andrew Gee <[email protected]>
   jackmeter (U)

Andrew Lee (李健秋) <[email protected]>
   juffed (U)

Andrius Merkys <[email protected]>
   c2x (U)
   feff85exafs (U)

Anibal Monsalve Salazar <[email protected]>
   bootp

Ari Pollak <[email protected]>
   jnettop (U)

Barak A. Pearlmutter <[email protected]>
   blackbox-terminal

Bdale Garbee <[email protected]>
   as31
   atlc
   pforth

Bill Allombert <[email protected]>
   libjpeg9
   menu

Bill MacAllister <[email protected]>
   kafs-client

Boris Pek <[email protected]>
   psi-plugins (U)

Brandon Barnes <[email protected]>
   komi

Camm Maguire <[email protected]>
   pcal

Carlo Segre <[email protected]>
   ifeffit (U)

Carsten Schoenert <[email protected]>
   ponyprog (U)

ChangZhuo Chen (陳昌倬) <[email protected]>
   dumb-init
   juffed (U)

Chris Taylor <[email protected]>
   nuttcp (U)

Christian T. Steigies <[email protected]>
   hp2xx

Christoph Berg <[email protected]>
   ircmarkers
   pgmodeler (U)

Christoph Martin <[email protected]>
   mimedefang

Dale E. Martin <[email protected]>
   pccts

Daniel Baumann <[email protected]>
   clzip
   lunzip
   lzd
   pdlzip
   plzip

Dario Minnucci <[email protected]>
   ftpmirror

Dave Holland <[email protected]>
   floatbg

David Suárez <[email protected]>
   driftnet

Debian Electronics Team <[email protected]>
   ponyprog

Debian FreeIPA Team <[email protected]>
   libmozilla-ldap-perl

Debian Games Team <[email protected]>
   etw
   flobopuyo
   garden-of-coloured-lights
   geki3
   gigalomania
   koules
   netris
   ogamesim
   pacman
   pente

Debian GCC Maintainers <[email protected]>
   debugedit

Debian Java Maintainers <[email protected]>
   nailgun

Debian Math Team <[email protected]>
   eprover

Debian Med Packaging Team <[email protected]>
   assembly-stats
   ctsim
   dextractor
   lumpy-sv
   murasaki
   nthash
   obitools
   parsinsert

Debian Mobcom Maintainers <[email protected]>
   osmo-tetra

Debian Mono Group <[email protected]>
   libgdiplus

Debian Multimedia Maintainers <[email protected]>
   flvstreamer
   hivelytracker
   hydrogen
   ir.lv2
   jackmeter
   jamin
   klick
   klystrack
   mppenc
   puredata-import

Debian OpenStack <[email protected]>
   ntpstat

Debian PaN Maintainers <[email protected]>
   ifeffit

Debian PostgreSQL Maintainers <[email protected]>
   pgmodeler

Debian Printing Team <[email protected]>
   magicfilter

Debian QA Group <[email protected]>
   ascd
   asmixer
   bwbasic
   cdecl
   cfingerd
   dsdp
   elvis-tiny
   gcpegg
   getstream
   hpsockd
   icheck
   integrit
   iroffer
   libprintsys
   lifelines
   mbw
   metapixel
   msort
   nitpic
   p910nd
   pal
   parchive
   parprouted
   purity

Debian Science Maintainers <[email protected]>
   cba
   feff85exafs
   ifeffit (U)
   magic

Debian Science Team <[email protected]>
   ispc

Debian TeX Task Force <[email protected]>
   hintview

Debian VoIP Team <[email protected]>
   asterisk-espeak
   asterisk-flite
   iaxmodem

Debian XMPP Maintainers <[email protected]>
   psi-plugins

Debichem Team <[email protected]>
   bagel
   c2x

Dennis Braun <[email protected]>
   hydrogen (U)
   ir.lv2 (U)

Denys Berkovskyy <[email protected]>
   dmg2img

Dmitrijs Ledkovs <[email protected]>
   flashbench (U)

Dmitry E. Oboukhov <[email protected]>
   ogamesim (U)

Dmitry Smirnov <[email protected]>
   dumb-init (U)

Emmanuel Arias <[email protected]>
   logtools (U)

Eric Madesclair <[email protected]>
   le-dico-de-rene-cougnenc

Eric Sharkey <[email protected]>
   macutils

Ferdinand Griffon <[email protected]>
   cba (U)

Francesco Paolo Lovergine <[email protected]>
   autodir
   imapfilter
   proftpd-mod-kafka (U)
   proftpd-mod-sftp-ldap (U)
   proftpd-mod-statsd (U)
   proftpd-mod-vroot (U)

Francois Mazen <[email protected]>
   ispc (U)

Georges Khaznadar <[email protected]>
   cdcover
   chemeq
   felix-latin
   le-dico-de-rene-cougnenc (U)

Ghe Rivero <[email protected]>
   lshw

Golf Team <[email protected]>
   golf

Graham Inggs <[email protected]>
   bagel (U)

Hans-Christoph Steiner <[email protected]>
   puredata-import (U)

Heiko Stuebner <[email protected]>
   abootimg

Hideki Yamane <[email protected]>
   nailgun (U)

Hilmar Preusse <[email protected]>
   proftpd-mod-kafka (U)
   proftpd-mod-statsd (U)

Hilmar Preuße <[email protected]>
   hintview (U)
   proftpd-mod-sftp-ldap (U)
   proftpd-mod-vroot (U)

Hugo Torres de Lima <[email protected]>
   mp3info

Hwei Sheng Teoh <[email protected]>
   atom4

Héctor Orón Martínez <[email protected]>
   egctl

Jaromír Mikeš <[email protected]>
   ir.lv2 (U)
   klick (U)

Javier Fernandez-Sanguino Pen~a <[email protected]>
   chrootuid
   libpam-chroot

Javier Fernández-Sanguino Peña <[email protected]>
   chntpw
   clips
   farpd (U)
   netselect
   paxtest

Jo Shields <[email protected]>
   libgdiplus (U)

Joerg Dorchain <[email protected]>
   iaxmodem (U)

John Goerzen <[email protected]>
   glulxe
   netmaze

Jonas Smedegaard <[email protected]>
   asterisk-espeak (U)
   asterisk-flite (U)

Jorge Salamero Sanz <[email protected]>
   mppenc (U)

Jose G. López <[email protected]>
   gigalomania (U)

Josue Ortega <[email protected]>
   euler

Juan Cespedes <[email protected]>
   genromfs

Julien Puydt <[email protected]>
   eprover (U)

Kevin M. Rosenberg <[email protected]>
   ctsim (U)

Kevin Zambrano <[email protected]>
   falselogin

Kyle Robbertze <[email protected]>
   hashcheck

Laszlo Boszormenyi (GCS) <[email protected]>
   crasm

Lionel Elie Mamane <[email protected]>
   dvidvi

Lior Kaplan <[email protected]>
   paps

Lisandro Damián Nicanor Pérez Meyer <[email protected]>
   pgmodeler (U)

LLVM Packaging Team <[email protected]>
   iwyu

Ludovic Drolez <[email protected]>
   lookup

LXQt Packaging Team <[email protected]>
   juffed

Mahyuddin Susanto <[email protected]>
   proftpd-mod-sftp-ldap (U)

Marcelo Jorge Vieira <[email protected]>
   gpt

Mark Brown <[email protected]>
   clc-intercal

Mark W. Eichin <[email protected]>
   lx-gdb

Markus Koschany <[email protected]>
   etw (U)
   pente (U)

Martin A. Godisch <[email protected]>
   cgoban

Martin Quinson <[email protected]>
   flexml

Martín Ferrari <[email protected]>
   drawterm

Matthew Grant <[email protected]>
   nomarch

Matthew Palmer <[email protected]>
   ninvaders

Matthew Vernon <[email protected]>
   bible-kjv
   electric-fence

Matthias Geiger <[email protected]>
   kew

Matthias Klose <[email protected]>
   debugedit (U)

Maximiliano Curia <[email protected]>
   gmotionlive (U)

Michael Banck <[email protected]>
   bagel (U)

Michael Meskes <[email protected]>
   ips
   memstat

Michael Tautschnig <[email protected]>
   boolector

Mirco Bauer <[email protected]>
   libgdiplus (U)

Nate Doris <[email protected]>
   osmo-tetra (U)

Nicholas D Steeves <[email protected]>
   hydrogen (U)

Nilesh Patra <[email protected]>
   lumpy-sv (U)

NOKUBI Takatsugu <[email protected]>
   nkf

Norbert Preining <[email protected]>
   gwaei

Norbert Schlia <[email protected]>
   ffmpegfs

Olivier Sallou <[email protected]>
   obitools (U)

Otto Kekäläinen <[email protected]>
   mydumper

Package Salvaging Team <[email protected]>
   birthday
   farpd
   flashbench
   gmotionlive
   jnettop
   logtools
   mgetty
   nuttcp

Patrick Matthäi <[email protected]>
   fraqtive

Patrick Uiterwijk <[email protected]>
   birthday (U)

Petter Reinholdtsen <[email protected]>
   array-info

Picca Frédéric-Emmanuel <[email protected]>
   ifeffit (U)

Pierre-Elliott Bécue <[email protected]>
   drogon

Praveen Arimbrathodiyil <[email protected]>
   bchunk

ProFTPD Maintainance Team <[email protected]>
   proftpd-mod-kafka
   proftpd-mod-sftp-ldap
   proftpd-mod-statsd
   proftpd-mod-vroot

Radovan Garabík <[email protected]>
   efingerd

Ralf Treinen <[email protected]>
   aribas
   mccs

Ralph Ronnquist <[email protected]>
   overlay-boot

RenZO <[email protected]>
   ola (U)

Rhonda D'Vine <[email protected]>
   netris (U)

Ron Lee <[email protected]>
   dovecot-antispam
   mp3splt

Ross Burton <[email protected]>
   flvstreamer (U)

RPM packaging team <[email protected]>
   debugedit (U)

Ruben Undheim <[email protected]>
   magic (U)

Russ Allbery <[email protected]>
   kafs-client (U)

Russell Coker <[email protected]>
   logtools (U)

Santiago Garcia Mantinan <[email protected]>
   mbr

Sebastian Dröge <[email protected]>
   libgdiplus (U)

Shayan Doust <[email protected]>
   dextractor (U)

Shengjing Zhu <[email protected]>
   dumb-init (U)

Stanislav Maslovski <[email protected]>
   kbdd

Stefan Hornburg (Racke) <[email protected]>
   pure-ftpd

Stephen Kitt <[email protected]>
   koules (U)

Steve McIntyre <[email protected]>
   dvdtape

Stéphane Glondu <[email protected]>
   net-acct

Sylvestre Ledru <[email protected]>
   imapfilter (U)
   iwyu (U)
   ohcount

TANIGUCHI Takaki <[email protected]>
   dares

Thomas Goirand <[email protected]>
   lshw (U)
   ntpstat (U)

Thorsten Alteholz <[email protected]>
   bottlerocket
   gnucobol3
   gnucobol4
   magicfilter (U)
   npd6
   osmo-tetra (U)
   pipexec

Tim Booth <[email protected]>
   parsinsert (U)

Timo Aaltonen <[email protected]>
   libmozilla-ldap-perl (U)

Torsten Werner <[email protected]>
   nailgun (U)

Tzafrir Cohen <[email protected]>
   iaxmodem (U)

Uwe Hermann <[email protected]>
   cycfx2prog
   flobopuyo (U)

Vern Sun <[email protected]>
   cconv

Vincent Cheng <[email protected]>
   garden-of-coloured-lights (U)

Wartan Hachaturow <[email protected]>
   grpn

Wookey <[email protected]>
   plotsauce

Wouter Verhelst <[email protected]>
   ola

Xavier Lüthi <[email protected]>
   nrg2iso

Yann Dirson <[email protected]>
   fweb

Ying-Chun Liu (PaulLiu) <[email protected]>
   darknet
   groundhog

