Package: dpkg Version: 1.14.20 Severity: normal Tags: patch User: [EMAIL PROTECTED] Usertags: origin-ubuntu intrepid ubuntu-patch
Hello! This is a patch that add support for the "hardening-wrapper" package's set of build flags, in the hopes of merging hardening-wrapper's functionality into dpkg-buildpackage at some point in the future. Thanks, -Kees -- Kees Cook @outflux.net
diff -Nru dpkg-1.14.20ubuntu1/man/dpkg-buildpackage.1 dpkg-1.14.20ubuntu2/man/dpkg-buildpackage.1 --- dpkg-1.14.20ubuntu1/man/dpkg-buildpackage.1 2008-06-26 05:06:51.000000000 -0700 +++ dpkg-1.14.20ubuntu2/man/dpkg-buildpackage.1 2008-07-07 10:46:04.000000000 -0700 @@ -286,6 +286,38 @@ Optimization options appended to the compiler flags when linking code, which must not be overwritten by the package (mostly used to for test builds). Default value: empty. +.TP +.B DEB_BUILD_OPTIONS +As indicated above, +.BR noopt +will disable optimation. +Additionally, when used with the +.BR hardening-wrapper +package, the values +.BR hardening +and +.BR nohardening +will be converted into their respective DEB_BUILD_HARDENING values. +The +.BR hardening +option can also include (optionally prefixed with +.BR no +) the following sub-options: +.BR stackprotector +.BR format +.BR fortify +.BR pie +.BR relro +For example, +.BR DEB_BUILD_OPTIONS=hardening=nopie +would cause +.BR DEB_BUILD_HARDENING_PIE=0 +to be set, or +.BR DEB_BUILD_OPTIONS=nohardening +would cause +.BR DEB_BUILD_HARDENING=0 +to be set. +See http://wiki.debian.org/Hardening for further details. . .SH BUGS It should be possible to specify spaces and shell metacharacters in diff -Nru dpkg-1.14.20ubuntu1/scripts/dpkg-buildpackage.pl dpkg-1.14.20ubuntu2/scripts/dpkg-buildpackage.pl --- dpkg-1.14.20ubuntu1/scripts/dpkg-buildpackage.pl 2008-06-26 05:06:51.000000000 -0700 +++ dpkg-1.14.20ubuntu2/scripts/dpkg-buildpackage.pl 2008-07-03 13:57:19.000000000 -0700 @@ -278,6 +278,41 @@ } } +# Allow control of hardening-wrapper via dpkg-buildpackage DEB_BUILD_OPTIONS +my $hardening = $build_opts->{'hardening'}; +if (defined $build_opts->{'nohardening'}) { + $hardening = 0; +} +if (defined $hardening) { + my $flag = 'DEB_BUILD_HARDENING'; + if ($hardening ne "0") { + if (! -x '/usr/bin/hardened-cc') { + syserr(_g("%s: 'hardened' flag found but 'hardening-wrapper' not installed\n"), + $progname); + } + if ($hardening ne "1") { + my @options = split(/,\s*/,$hardening); + $hardening=1; + + my @hardopts = ('format', 'fortify', 'stackprotector', + 'pie', 'relro'); + foreach my $item (@hardopts) { + my $upitem = uc($item); + foreach my $option (@options) { + if ($option =~ /^(no)?$item$/) { + $ENV{$flag.'_'.$upitem} = ($1 eq ""); + } + } + } + } + } + if (defined $ENV{$flag}) { + printf(_g("%s: overriding %s in environment: %s\n"), $progname, + $flag, $hardening); + } + $ENV{$flag}=$hardening; +} + my $cwd = cwd(); my $dir = basename($cwd);
