[hardening-discuss] Bug#837543: hardening-wrapper: FTBFS with bindnow and PIE enabled
Balint Reczey
balint at balintreczey.hu
Mon Sep 12 11:43:57 UTC 2016
Source: hardening-wrapper
Version: 2.8+nmu2
Severity: important
User: balint at balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening
Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
if perl ../build-tree/hardening-check
../build-tree/includes-test-none.a; then exit 1; fi
../build-tree/includes-test-none.a:
Position Independent Executable: no, object archive (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: no, non-ELF (ignored)
Immediate binding: no, non-ELF (ignored)
# Disable PIE
cc \
-g -O2 -fdebug-prefix-map=/<<BUILDDIR>>/hardening-wrapper-2.8+nmu2=.
-fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
-Werror=format-security -O2 \
-Wl,-z,relro -Wl,-z,now \
-o ../build-tree/includes-disabled hello.c
if perl ../build-tree/hardening-check ../build-tree/includes-disabled;
then exit 1; fi
../build-tree/includes-disabled:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Makefile.includes:14: recipe for target
'../build-tree/includes-disabled' failed
make[3]: *** [../build-tree/includes-disabled] Error 1
make[3]: Leaving directory '/<<BUILDDIR>>/hardening-wrapper-2.8+nmu2/tests'
Makefile:6: recipe for target 'check' failed
m
...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/hardening-wrapper_2.8+nmu2_amd64.build.gz

I know about hardening-wrapper being scheduled for removal and this bug
will probably be closed with the removal instead of being fixed.

Thanks,
Balint