Source: libhdf4 Version: 4.2.12-1 Severity: important Tags: patch With gcc in stretch defaulting to PIE, hardening=+all,-pie changed semantics from "enable hardening but not PIE" to "enable all hardening and explicitely disable the default PIE". The latter is usually not intended.
For packages like libhdf4 that include static libraries the situation is even worse, since non-PIE static libraries cannot be used with the stretch gcc unless -no-pie is explicitly passed when linking. The -pie in hardening flags was in some cases required in pre-stretch releases to avoid build failures caused by (incorrectly) passing -fPIE to the compiler when building shared libraries or plugins. This problem does no longer exist. Please apply the following patch: --- debian/rules.old 2017-04-03 10:46:45.000000000 +0000 +++ debian/rules 2017-04-03 10:47:06.000000000 +0000 @@ -6,7 +6,7 @@ # # Enable hardening build flags -export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie +export DEB_BUILD_MAINT_OPTIONS=hardening=+all DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH) @@ -24,9 +24,9 @@ CXX := g++ LIBS := -ljpeg -lz -lm -CFLAGS = $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie dpkg-buildflags --get CFLAGS) -CFLAGS += $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie dpkg-buildflags --get CPPFLAGS) -LDFLAGS = $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie dpkg-buildflags --get LDFLAGS) +CFLAGS = $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CFLAGS) +CFLAGS += $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CPPFLAGS) +LDFLAGS = $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get LDFLAGS) ifneq (,$(findstring verbose,$(DEB_BUILD_OPTIONS))) DH_VERBOSE=1 _______________________________________________ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grass-devel