Package: dpkg-dev
Version: 1.21.7
Severity: normal

Please add "-ftrivial-auto-var-init=zero" for GCC 12 (which is the first release of GCC to provide this flag).
It goes well with the other important security flaw mitigation flags already enabled in Debian: https://wiki.debian.org/Hardening#dpkg-buildflags

While many variables are initialized (prompted by -Wuninitialized warnings), there is a blind spot for variables passed by reference, struct padding, and cases where -Wuninitialized simply fails to track the variable. Universally wiping the variables eliminates nearly the entire class of uninitialized stack variable use (https://cwe.mitre.org/data/definitions/457.html) with nearly no overhead (e.g. any duplicate assignments will already be squashed during dead store elimination, etc).

-- Package-specific info:

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.13.0-37-generic (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages dpkg-dev depends on:
ii  binutils       2.38-3
ii  bzip2          1.0.8-5
ii  libdpkg-perl   1.21.7
ii  make           4.3-4.1
ii  patch          2.7.6-7
ii  perl           5.34.0-4
ii  tar            1.34+dfsg-1
ii  xz-utils       5.2.5-2.1

Versions of packages dpkg-dev recommends:
pn  build-essential          <none>
ii  fakeroot                 1.28-1
ii  gcc [c-compiler]         4:11.2.0-2
ii  gcc-10 [c-compiler]      10.3.0-15
ii  gcc-11 [c-compiler]      11.2.0-20
ii  gcc-4.2 [c-compiler]     4.2.4-6
ii  gcc-4.4 [c-compiler]     4.4.7-8
ii  gcc-4.5 [c-compiler]     4.5.4-1
ii  gcc-4.6 [c-compiler]     4.6.4-7
ii  gcc-4.7 [c-compiler]     4.7.4-3
ii  gcc-4.8 [c-compiler]     4.8.5-4
ii  gcc-4.9 [c-compiler]     4.9.4-2
ii  gcc-5 [c-compiler]       5.5.0-12
ii  gcc-6 [c-compiler]       6.5.0-2
ii  gcc-9 [c-compiler]       9.4.0-5
pn  gnupg                    <none>
ii  gpgv                     2.2.34-1
ii  libalgorithm-merge-perl  0.08-3

Versions of packages dpkg-dev suggests:
ii  debian-keyring  2021.12.24

-- no debconf information
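An added example, not part of this report or of dpkg: a small C program that shows the two blind spots the report names (struct padding that field-by-field assignment never writes, and a variable only conditionally written through a pointer, which -Wuninitialized cannot see) and a stack-spray check that makes the flag's effect visible. Build it once with `gcc -O0 demo.c` and once with `gcc -O0 -ftrivial-auto-var-init=zero demo.c` and compare the second line of output; FRAME, the 0xA5 pattern and the helper names are my own choices.

```c
#include <stdio.h>
#include <stddef.h>

#define FRAME 512   /* size of the stack region the two helpers share (assumed) */

/* char followed by int: on common ABIs 3 padding bytes that no field assignment writes */
struct rec { char tag; int value; };

/* Deterministic: bytes of struct rec that field-by-field initialisation never touches. */
size_t rec_padding_bytes(void) {
    return sizeof(struct rec) - sizeof(char) - sizeof(int);
}

/* Write-by-reference blind spot: *out is only written on the happy path, and
 * -Wuninitialized cannot see that the caller's variable stays stale for id < 0. */
static void lookup(int id, int *out) {
    if (id >= 0)
        *out = id * 2;
}

/* Leave a recognisable pattern in the stack region the next callee will reuse. */
static void __attribute__((noinline)) spray_stack(void) {
    volatile unsigned char junk[FRAME];
    for (size_t i = 0; i < sizeof junk; i++)
        junk[i] = 0xA5;
}

/* Count bytes of a never-initialised local array that still hold the pattern. */
static int __attribute__((noinline)) count_stale_bytes(void) {
    volatile unsigned char buf[FRAME];   /* deliberately left uninitialised */
    int stale = 0;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] == 0xA5)
            stale++;
    return stale;
}

/* Without the flag (at -O0) this is typically close to FRAME; with
 * -ftrivial-auto-var-init=zero the array is zero-filled on entry and it is 0. */
int stale_stack_bytes(void) {
    spray_stack();
    return count_stale_bytes();
}

int main(void) {
    int v;                 /* keeps whatever the stack held unless the flag is on */
    lookup(-1, &v);        /* happy path not taken: v is never written */
    struct rec r;
    r.tag = 'x';           /* the 3 padding bytes after tag are never written */
    r.value = 7;
    printf("padding bytes never written: %zu\n", rec_padding_bytes());
    printf("stale bytes in uninitialised buffer: %d of %d\n", stale_stack_bytes(), FRAME);
    return 0;
}
```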