[Build-common-hackers] Bug#712729: cdbs: langcore.mk: support dpkg-buildflags' DEB_CFLAGS_MAINT_APPEND and similar

Simon Ruderich simon at ruderich.org
Sun Jan 19 17:42:47 UTC 2014


severity 712729 important
tags 712729 patch
thanks

Hello,

Raising severity because this causes missing hardening flags for
packages (e.g. shadow and therefore no PIE for setuid su) when
the maintainer uses the DEB_* (which includes
DEB_BUILD_MAINT_OPTIONS) approach documented in dpkg-buildflags
to add additional flags.

The attached patch should fix this issue by exporting all DEB_*
flags when calling dpkg-buildflags. The real issue is that GNU
make's $(shell ..) doesn't use the exported environment which is
normally used when calling subprocesses.

There should be no backwards incompatible changes because the
maintainer must manually set the DEB_* variables. If none of
those variables are used, nothing happens.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cdbs-respect-deb-variables-for-dpkg-buildflags.patch
Type: text/x-diff
Size: 1280 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/build-common-hackers/attachments/20140119/468d8229/attachment.patch>
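
The behaviour described in the message above, as an added example (not the attached patch, which is not shown on this page, and not cdbs code): a maintainer's exported DEB_* settings do not reach a dpkg-buildflags call made through $(shell ...) unless they are passed explicitly. The names deb_maint_vars, deb_maint_env, CFLAGS_plain and CFLAGS_fixed are hypothetical, and the two sample settings are constructed.

```makefile
# Added example, not the attached patch and not cdbs code.
# deb_maint_vars, deb_maint_env, CFLAGS_plain, CFLAGS_fixed are hypothetical names.

# Maintainer settings in debian/rules (sample values, constructed).
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND = -Wall

# Weak form: on GNU make releases before 4.4, "export" only affects recipe
# commands, so the dpkg-buildflags process started by $(shell) never sees the
# two settings above and returns flags computed without them.
CFLAGS_plain := $(shell dpkg-buildflags --get CFLAGS)

# Maintainer-facing variables documented by dpkg-buildflags, for common flags.
deb_maint_vars := DEB_BUILD_MAINT_OPTIONS \
  $(foreach f,CFLAGS CPPFLAGS CXXFLAGS FFLAGS LDFLAGS,\
    $(foreach op,SET STRIP APPEND PREPEND,DEB_$(f)_MAINT_$(op)))

# Build NAME='value' assignments for every variable that is actually set,
# escaping single quotes in the value for the shell.
deb_maint_env = $(foreach v,$(deb_maint_vars),\
  $(if $(filter-out undefined,$(origin $(v))),$(v)='$(subst ','\'',$($(v)))'))

# Corrected form: put the assignments in front of the command that $(shell)
# runs, so the settings arrive in its environment on every make version.
CFLAGS_fixed := $(shell $(deb_maint_env) dpkg-buildflags --get CFLAGS)

# Print both results side by side; a difference means flags were being lost.
.PHONY: show
show:
	@echo 'plain $$(shell): $(CFLAGS_plain)'
	@echo 'explicit env:   $(CFLAGS_fixed)'
```

Saved to a file and run with `make -f <file> show` on a system with dpkg-dev installed, the two lines differ whenever the plain call dropped the maintainer's settings.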