Bug#657523: Please enabled hardened build flags

Simon Ruderich simon at ruderich.org
Sun May 27 12:52:59 UTC 2012


On Sun, May 27, 2012 at 11:56:24AM +0100, Alasdair G Kergon wrote:
> On Sun, May 27, 2012 at 02:42:14AM +0200, Simon Ruderich wrote:
>> -		CLDFLAGS="$CLDFLAGS -Wl,--version-script,.export.sym"
>> +		CLDFLAGS="$LDFLAGS $CLDFLAGS -Wl,--version-script,.export.sym"
>
> What are typical contents of the LDFLAGS environment variable in Debian?

This command prints the (current) value of LDFLAGS (on a current
sid/wheezy):

    dpkg-buildflags --get LDFLAGS

But $LDFLAGS already contains the correct value (and it shouldn't
be hardcoded in debian/rules).

> - Which cmdline parameters are getting lost?

All flags from LDFLAGS.

> - Which lines are 'losing' the environment LDFLAGS but actually need it?

The lines I pasted in my original patch. The LDFLAGS are missing
when building those libraries (use hardening-check to detect the
missing flags).

>> +AC_SUBST(LDFLAGS)
>
> Existing inconsistency/bug?
>  - make.tmpl.in has LDFLAGS += @LDFLAGS@

Yes, but it's not exported from ./configure without my change.

But I think the following (complete) patch is better than my
original one: it fixes LDFLAGS but passes CLDFLAGS via
debian/rules, thus removing the inconsistency:

diff -Nru lvm2-2.02.95/debian/rules lvm2-2.02.95/debian/rules
--- lvm2-2.02.95/debian/rules	2012-05-03 12:19:33.000000000 +0200
+++ lvm2-2.02.95/debian/rules	2012-05-27 14:45:24.000000000 +0200
@@ -71,7 +71,7 @@
 	rm -rf $(DIR)
 	cp -a '$(SOURCE_DIR)' '$(DIR)'
 	cd $(DIR); \
-	./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+	./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" CLDFLAGS="$(LDFLAGS)" \
 		$(CONFIGURE_FLAGS) \
 		--libdir=\$${exec_prefix}/lib/$(DEB_HOST_MULTIARCH) \
 		--with-optimisation="$(CFLAGS_OPT_DEB)" \
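Review bot: On the changed ./configure line, CLDFLAGS="$(LDFLAGS)" only has an effect if configure keeps a preset CLDFLAGS and appends to it, as the quoted line CLDFLAGS="$CLDFLAGS -Wl,--version-script,.export.sym" from the earlier patch suggests. Add a short comment in debian/rules explaining why LDFLAGS is passed under two names, so the second assignment is not later removed as a duplicate. The line is also getting long; the new assignment could go on its own continuation line.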
@@ -95,7 +95,7 @@
 	rm -rf $(DIR)
 	cp -a '$(SOURCE_DIR)' '$(DIR)'
 	cd $(DIR); \
-	./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+	./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" CLDFLAGS="$(LDFLAGS)" \
 		$(CONFIGURE_FLAGS) \
 		--with-optimisation="$(CFLAGS_OPT_UDEB)" \
 		--with-cluster=none \
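Review bot: This second ./configure call now repeats the same three variable assignments as the first one, so the two build targets can drift apart on the next edit. Both already pass $(CONFIGURE_FLAGS), so consider setting CLDFLAGS="$(LDFLAGS)" there once instead of on each line. Please also run hardening-check on the libraries from this --with-cluster=none build, not only on the first one.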

--- lvm2-2.02.95.orig/configure.in
+++ lvm2-2.02.95/configure.in
@@ -1333,6 +1333,7 @@ AC_SUBST(BUILD_DMEVENTD)
 AC_SUBST(BUILD_LVMETAD)
 AC_SUBST(CFLAGS)
 AC_SUBST(CFLOW_CMD)
+AC_SUBST(LDFLAGS)
 AC_SUBST(CLDFLAGS)
 AC_SUBST(CLDNOWHOLEARCHIVE)
 AC_SUBST(CLDWHOLEARCHIVE)
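Review bot: Only configure.in is changed here, while debian/rules runs ./configure directly after the cp -a, so the generated configure has to be regenerated as part of the build (or shipped in the patch); otherwise the new AC_SUBST(LDFLAGS) never takes effect and @LDFLAGS@ in make.tmpl.in stays unsubstituted. As a style point, the line is inserted between CFLOW_CMD and CLDFLAGS, which breaks the alphabetical order the surrounding AC_SUBST list follows; it belongs further down with the other L entries.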

Regards,
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
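
The check mentioned in the message above (a library linked without the hardening LDFLAGS) can be approximated with plain readelf. This is an added example, not part of the original message or of the lvm2 packaging, and it is a narrow stand-in for hardening-check that looks only at RELRO. It assumes binutils readelf and that the distribution LDFLAGS contain -Wl,-z,relro; the function names and sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify RELRO hardening from readelf output.

# relro_status: read `readelf -lW -dW FILE` output on stdin and print
#   full    - GNU_RELRO segment plus immediate binding (relro + now)
#   partial - GNU_RELRO segment only (what -Wl,-z,relro alone gives)
#   none    - no GNU_RELRO segment: the hardening LDFLAGS never reached ld
relro_status() {
    awk '
        $1 == "GNU_RELRO"           { relro = 1 }
        /\(BIND_NOW\)/              { now = 1 }
        /\(FLAGS\)/ && /BIND_NOW/   { now = 1 }
        /\(FLAGS_1\)/ && /NOW/      { now = 1 }
        END { print (relro ? (now ? "full" : "partial") : "none") }'
}

# check_tree DIR: print "<status><TAB><path>" for every ELF shared object
# under DIR; status 1 if any has no RELRO, 2 if readelf is missing.
check_tree() {
    command -v readelf >/dev/null 2>&1 || {
        echo "readelf not found" >&2
        return 2
    }
    find "$1" -type f -name '*.so*' | (
        rc=0
        while IFS= read -r f; do
            # Skip linker scripts and other non-ELF files named *.so*
            readelf -h "$f" >/dev/null 2>&1 || continue
            status=$(readelf -lW -dW "$f" | relro_status)
            printf '%s\t%s\n' "$status" "$f"
            if [ "$status" = none ]; then rc=1; fi
        done
        exit "$rc"
    )
}

# Constructed readelf excerpts (not output from the lvm2 build).
SAMPLE_NONE='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x001000 0x001000 R E 0x200000
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_PARTIAL="$SAMPLE_NONE
  GNU_RELRO      0x000de0 0x0000000000200de0 0x0000000000200de0 0x000220 0x000220 R   0x1"
SAMPLE_FULL="$SAMPLE_PARTIAL
 0x0000000000000018 (BIND_NOW)"
```

Calling check_tree on the directory holding the built libraries lists each shared object with its status; a "none" line marks a library whose link step did not receive the flags.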