Package: dpkg Version: 1.18.10 Severity: wishlist Tags: patch moreinfo Dear Guillem,
As a continuation of the discussions [1][2] on debian-devel I'm attaching the simple patch that changes dpkg's pie hardening flag to adapt to GCC's new default settings proposed in #835148. I'm continuing with the rebuild/autopkgtest tests according to the Dpkg FAQ, hence the moreinfo tag. Cheers, Balint [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
>From c0d867dcd6bffe6a504c0699e64258191e760a49 Mon Sep 17 00:00:00 2001 From: Balint Reczey <[email protected]> Date: Mon, 4 Jul 2016 20:06:55 +0200 Subject: [PATCH 2/2] Dpkg::Vendor::Debian: Enable PIE by default on some architectures --- scripts/Dpkg/Vendor/Debian.pm | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm index f8854e2..8e9a0ac 100644 --- a/scripts/Dpkg/Vendor/Debian.pm +++ b/scripts/Dpkg/Vendor/Debian.pm @@ -280,6 +280,13 @@ sub _add_hardening_flags { bindnow => 1, ); + # GCC enables PIE by default on some architectures + my $pie_by_default = 0; + if ($arch =~ /^(?:amd64|ppc64el|s390x)$/) { + $pie_by_default = 1; + $use_feature{pie} = 1; + } + # Adjust features based on user or maintainer's desires. $self->_parse_feature_area('hardening', \%use_feature); @@ -321,7 +328,17 @@ sub _add_hardening_flags { } # PIE - if ($use_feature{pie}) { + if ($pie_by_default == 1 and not $use_feature{pie}) { + my $flag = '-fno-PIE'; + $flags->append('CFLAGS', $flag); + $flags->append('OBJCFLAGS', $flag); + $flags->append('OBJCXXFLAGS', $flag); + $flags->append('FFLAGS', $flag); + $flags->append('FCFLAGS', $flag); + $flags->append('CXXFLAGS', $flag); + $flags->append('GCJFLAGS', $flag); + $flags->append('LDFLAGS', '-fno-PIE -no-pie'); + } elsif ($pie_by_default == 0 and $use_feature{pie}) { my $flag = '-fPIE'; $flags->append('CFLAGS', $flag); $flags->append('OBJCFLAGS', $flag); -- 2.1.4
