[debhelper-devel] Bug#742701: [buildd-tools-devel] Bug#742701: Bug#742701: package built without _FORTIFY_SOURCE=2, debhelper or schroot issue?

Colin Watson cjwatson at ubuntu.com
Tue Apr 1 14:02:43 UTC 2014 

Control: reassign -1 schroot
Control: tag -1 patch

On Wed, Mar 26, 2014 at 06:00:59PM +0100, Matthias Klose wrote:
> Am 26.03.2014 17:30, schrieb Roger Leigh:
> >I checked the debhelper change, and it does set CXXFLAGS.  Looking at e.g.
> >https://buildd.debian.org/status/fetch.php?pkg=schroot&arch=powerpc&ver=1.6.8-1&stamp=1388838030:
> >
> >   -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
> >
> >are being added.  So at least some options are being set automatically.
> >Is _FORTIFY_SOURCE passed using a different mechanism or a different variable?
> >Or do I need to take some additional measure to explicitly enable it?
> 
> yes, it is passed in CPPFLAGS and supposed to be appended in both
> CFLAGS and CXXFLAGS.
> 
> /usr/share/perl5/Debian/Debhelper/Buildsystem/cmake.pm has:
> 
>         # CMake doesn't respect CPPFLAGS, see #653916.
>         if ($ENV{CPPFLAGS} && ! compat(8)) {
>                 $ENV{CFLAGS}   .= ' ' . $ENV{CPPFLAGS};
>                 $ENV{CXXFLAGS} .= ' ' . $ENV{CPPFLAGS};
>         }
> 
> but I can't figure out why it is not called.

Because schroot/debian/rules overrides dh_auto_configure and calls cmake
itself, so it doesn't use that code from the debhelper cmake
buildsystem.  This patch fixes it.

While I was here, I modernised the CFLAGS handling code (which was
essentially pre-dpkg-buildflags cruft) and made it use all the available
hardening features, which seems like a good idea given that schroot
builds setuid executables.

  * Pass CPPFLAGS through to cmake (closes: #742701, cf. #653916).
  * Enable all hardening features.

diff -Nru schroot-1.6.8/debian/rules schroot-1.6.8/debian/rules
--- schroot-1.6.8/debian/rules	2014-01-04 11:10:51.000000000 +0000
+++ schroot-1.6.8/debian/rules	2014-04-01 14:57:34.000000000 +0100
@@ -21,13 +21,9 @@
 	UUID_OPTIONS = -Duuid=OFF
 endif
 
-CFLAGS = -Wall -g
-
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
+export DEB_CFLAGS_MAINT_APPEND := -Wall
+export DEB_CXXFLAGS_MAINT_APPEND := -Wall
+export DEB_BUILD_MAINT_OPTIONS := hardening=+all
 
 DH_OPTIONS = --buildsystem=cmake --builddirectory=debian/build --parallel
 
@@ -51,6 +47,8 @@
 	mkdir -p $(dir $@)
 	cd $(dir $@) ; \
           GTEST_ROOT="$(CURDIR)/debian/build/gtest" \
+          CFLAGS="$(CFLAGS) $(CPPFLAGS)" \
+          CXXFLAGS="$(CXXFLAGS) $(CPPFLAGS)" \
 	  cmake -DCMAKE_INSTALL_PREFIX=/usr \
 	        -DCMAKE_INSTALL_SYSCONFDIR=/etc \
 	        -DCMAKE_INSTALL_LOCALSTATEDIR=/var \

Thanks,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]

More information about the debhelper-devel mailing list