On Dec 28, 2016 6:21 AM, "James Clarke" <jrt...@jrtc27.com> wrote:
> Package: gcc-6
> Version: 6.2.1-7
> Severity: important
>
> The check introduced to ignore dpkg's PIE specs when PIE is not enabled
> by default is wrong, and ends up ignoring them even when hardening=+all
> or hardening=+pie is present in DEB_BUILD_MAINT_OPTIONS.
>
> The current check is:
>
> > if (ignore_pie_specs_when_not_enabled("DEB_BUILD_MAINT_OPTIONS", arg)
> >     || ignore_pie_specs_when_not_enabled("DEB_BUILD_OPTIONS", arg))
>
> but since only DEB_BUILD_MAINT_OPTIONS includes the hardening options,
> the second call with DEB_BUILD_OPTIONS returns true and causes the file
> to be ignored. I believe this should be && rather than ||.
>
> I can reproduce this regression by building one of my packages
> (src:polyml) on sparc64:
>
> > $ grep hardening debian/rules
> > export DEB_BUILD_MAINT_OPTIONS=hardening=+all
> > $ dpkg-buildpackage -us -uc
> > [...]
> > g++: note: pie specs /usr/share/dpkg/pie-compile.specs ignored when pie
> > is not enabled
>
> Regards,
> James
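To show why the `||` silently disables PIE hardening and why `&&` restores it, here is an added example (not gcc's or dpkg's own code) that models the check with a stand-in `pie_not_enabled_by()` helper; it assumes the real helper returns true when the named variable does not enable PIE, and that the variable uses the dpkg-buildflags syntax (space-separated options, `hardening=` with a comma-separated `+feature`/`-feature` list where `all` covers pie and a later entry overrides an earlier one).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed stand-in for gcc-6's ignore_pie_specs_when_not_enabled(): the
 * real helper reads the variable from the environment; here its value is
 * passed in directly. Returns true when the options do NOT enable PIE. */
static bool pie_not_enabled_by(const char *opts)
{
    bool pie = false;
    const char *p = opts ? opts : "";
    while (*p) {
        while (*p == ' ') p++;
        const char *end = p;
        while (*end && *end != ' ') end++;
        if (end - p > 10 && strncmp(p, "hardening=", 10) == 0) {
            const char *v = p + 10;
            while (v < end) {                    /* walk +x,-y entries */
                const char *vend = v;
                while (vend < end && *vend != ',') vend++;
                size_t n = (size_t)(vend - v);
                bool on = (n > 0 && v[0] == '+');
                if (n == 4 && (strncmp(v + 1, "all", 3) == 0 ||
                               strncmp(v + 1, "pie", 3) == 0))
                    pie = on;                    /* later entry wins */
                v = (vend < end) ? vend + 1 : end;
            }
        }
        p = end;
    }
    return !pie;
}

/* The gcc-6 6.2.1-7 condition (||): the specs are ignored whenever EITHER
 * variable fails to enable PIE. DEB_BUILD_OPTIONS normally carries no
 * hardening options at all, so the second operand is always true and the
 * specs are ignored regardless of DEB_BUILD_MAINT_OPTIONS. */
static bool ignore_specs_buggy(const char *maint_opts, const char *build_opts)
{
    return pie_not_enabled_by(maint_opts) || pie_not_enabled_by(build_opts);
}

/* The fix the report proposes (&&): ignore the specs only when NEITHER
 * variable enables PIE. */
static bool ignore_specs_fixed(const char *maint_opts, const char *build_opts)
{
    return pie_not_enabled_by(maint_opts) && pie_not_enabled_by(build_opts);
}
```

With the reporter's setup (`hardening=+all` in DEB_BUILD_MAINT_OPTIONS, nothing relevant in DEB_BUILD_OPTIONS) the buggy form ignores the specs and the fixed form keeps them; `hardening=+all,-pie` still opts out under both.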
> Package: gcc-6 > Version: 6.2.1-7 > Severity: important > > The check introduced to ignore dpkg's PIE specs when PIE is not enabled > by default is wrong, and ends up ignoring them even when hardening=+all > or hardening=+pie is present in DEB_BUILD_MAINT_OPTIONS. > > The current check is: > > > if (ignore_pie_specs_when_not_enabled("DEB_BUILD_MAINT_OPTIONS", > arg) > > || ignore_pie_specs_when_not_enabled("DEB_BUILD_OPTIONS", arg)) > > but since only DEB_BUILD_MAINT_OPTIONS includes the hardening options, > the second call with DEB_BUILD_OPTIONS returns true and causes the file > to be ignored. I believe this should be && rather than ||. > > I can reproduce this regression by building one of my packages > (src:polyml) on sparc64: > > > $ grep hardening debian/rules > > export DEB_BUILD_MAINT_OPTIONS=hardening=+all > > $ dpkg-buildpackage -us -uc > > [...] > > g++: note: pie specs /usr/share/dpkg/pie-compile.specs ignored when pie > is not enabled > > Regards, > James > >