Package: libfl-dev
Version: 2.6.1-1.3
Control: affects -1 src:motif
X-Debbugs-Cc: gin...@debian.org

Hi,
In order to build a PIE using libfl, there must be a static library
built with PIE (or PIC) enabled. On architectures with PIE by default,
this is the case, and libfl.a can be used normally. However, on other
architectures, libfl.a contains position-dependent code, and thus cannot
be used. There *is* a libfl_pic.a which could in theory be used, but it
actually is no different from libfl.a, as it was not built with -fPIC.
This was found by upstream, and since nobody had noticed this before,
they decided to drop it[0] rather than fix it (a trivial fix of adding
-fPIC to libfl_pic_la_CFLAGS). Motif uses libfl for some of its tools
built and used during the build, but also exports
DEB_BUILD_MAINT_OPTIONS=hardening+=all, so it builds these tools as
PIEs. Therefore, please either always build libfl.a with -fPIE, or
ensure libfl_pic.a is built with -fPIC (in this case, -fPIE should
suffice, as libfl provides main, which needs to be in the executable, so
it will never be linked into a shared library).

Graham: Depending on the solution, Motif may need to be changed to use
libfl_pic.a, but that belongs in a different bug.

Regards,
James

[0] https://github.com/westes/flex/commit/2bf2ad6d686f5e2a3b6329ecedc756ddfcf71453
