[hardening-discuss] Bug#802579: binutils changed ld.bfd / ld.gold files and symlinks

Sven Joachim svenjoac at gmx.de
Mon Dec 7 20:49:44 UTC 2015


On 2015-12-07 11:39 +0800, YunQiang Su wrote:

> On Sat, 14 Nov 2015 02:20:40 +0100 Matthias Klose <doko at debian.org> wrote:
>> Control: severity -1 serious
>>
>> binutils built from the 2.26 branch is now in unstable.
>>
>>
>
> I uploaded this package with the attached patch to 3-days delay.

Thanks for taking care of hardening-wrapper, but I am afraid your
changes are not quite correct.

> diff -Nru hardening-wrapper-2.7/debian/hardening-wrapper.links hardening-wrapper-2.8+nmu1/debian/hardening-wrapper.links
> --- hardening-wrapper-2.7/debian/hardening-wrapper.links	2013-09-14 03:55:36.000000000 +0800
> +++ hardening-wrapper-2.8+nmu1/debian/hardening-wrapper.links	2015-12-07 11:33:14.000000000 +0800
> @@ -1,12 +1,13 @@
>  #!/bin/sh
>  # programatically build links (change debian/h-w.{preinst,postrm} too)
> -for ver in 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9
> +eval $(dpkg-architecture -a)
> +for ver in 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 5
>  do
>      echo usr/bin/hardened-cc usr/bin/gcc-$ver
>      echo usr/bin/hardened-c++ usr/bin/g++-$ver
>  done
>  cat <<EOM
> -usr/bin/hardened-ld usr/bin/ld.bfd
> -usr/bin/hardened-ld usr/bin/ld.gold
> +usr/bin/hardened-ld usr/bin/${DEB_BUILD_MULTIARCH}-ld.bfd
> +usr/bin/hardened-ld usr/bin/${DEB_BUILD_MULTIARCH}-ld.gold
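Review bot: the `${DEB_BUILD_MULTIARCH}` prefix on the two new `usr/bin/hardened-ld` lines expands to the build machine's multiarch tuple, while the prefixed binutils executables are named after the host GNU triplet, so `DEB_HOST_GNU_TYPE` is the variable to expand here, with an explicit override for the i386 variants where binutils is configured with an i686 triplet. Note also that the header comment in this hunk asks for `debian/h-w.{preinst,postrm}` to be kept in sync whenever the link set changes, and the added `5` in the gcc version loop is not mirrored by any preinst change in the quoted patch.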

DEB_BUILD_MULTIARCH is not the right variable, you want
DEB_HOST_GNU_TYPE instead - except on {,kfreebsd-,hurd-}i386, where
binutils is configured for i686{-linux,-kfreebsd,}-gnu rather than
i586{-linux,-kfreebsd,}-gnu currently reported by dpkg-architecture.

> diff -Nru hardening-wrapper-2.7/debian/hardening-wrapper.postrm hardening-wrapper-2.8+nmu1/debian/hardening-wrapper.postrm
> --- hardening-wrapper-2.7/debian/hardening-wrapper.postrm	2013-09-14 03:55:52.000000000 +0800
> +++ hardening-wrapper-2.8+nmu1/debian/hardening-wrapper.postrm	2015-12-07 10:48:44.000000000 +0800
> @@ -6,17 +6,19 @@
>  		--rename --remove /usr/bin/"$1" || true
>  }
>  
> +eval $(dpkg-architecture -a)
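Review bot: the added `eval $(dpkg-architecture -a)` makes the postrm depend on a tool the package does not declare a dependency on: the script runs on the end user's system where dpkg-dev need not be installed, and an unguarded `eval` of a failed command can abort the maintainer script. Compute the triplet once at build time and substitute a literal into the script (or guard the call and fall back to a literal), rather than querying dpkg-architecture at removal time; the `|| true` on the `--remove` line just above shows the script already takes care not to fail on missing pieces.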

You can't really use dpkg-architecture in maintainer scripts, since
hardening-wrapper does not depend on dpkg-dev.  Even if it were to do
that, the result is not necessarily correct, e.g. hardening-wrapper
could have a different architecture than dpkg.

Cheers,
       Sven
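As an added illustration of the two points above (this is example code written for this page, not part of hardening-wrapper or Sven's proposal), the following POSIX shell function maps the dpkg GNU type to the triplet binutils actually uses, applying the i686-for-i586 exception on the i386 variants, and emits the corresponding link pairs. The triplet is passed in as an argument, so the caller can obtain it from `DEB_HOST_GNU_TYPE` at build time and a maintainer script never has to run dpkg-architecture itself; the default value used for a stand-alone run is a constructed placeholder.

```shell
# Map a dpkg GNU type to the triplet used in binutils' prefixed executable
# names. The three i586 cases are the exception described in the thread;
# everything else passes through unchanged.
binutils_triplet() {
    case "$1" in
        i586-linux-gnu)    echo i686-linux-gnu ;;
        i586-kfreebsd-gnu) echo i686-kfreebsd-gnu ;;
        i586-gnu)          echo i686-gnu ;;
        *)                 echo "$1" ;;
    esac
}

# Print the dh_link pairs for the prefixed ld.bfd / ld.gold names,
# in the same "source target" format as hardening-wrapper.links.
ld_links() {
    triplet=$(binutils_triplet "$1")
    printf 'usr/bin/hardened-ld usr/bin/%s-ld.bfd\n' "$triplet"
    printf 'usr/bin/hardened-ld usr/bin/%s-ld.gold\n' "$triplet"
}

# Assumption: at build time debian/rules exports DEB_HOST_GNU_TYPE
# (e.g. via dpkg-architecture). The fallback here is a constructed
# value so the script also runs stand-alone without dpkg-dev.
ld_links "${DEB_HOST_GNU_TYPE:-x86_64-linux-gnu}"
```

Because the mapping lives in one function that takes its input as an argument, the same logic can be run at build time to bake a literal triplet into preinst and postrm, keeping all three files in sync without a runtime call to dpkg-architecture.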
