[libembperl-perl] 01/04: Opt out of bindow (closes: #837562)

[Florian Schlichting]

This is an automated email from the git hooks/post-receive script.

fsfs pushed a commit to branch master
in repository libembperl-perl.

commit 541b0e9c6d9f88c7ca1929866d2e7effd13c388f
Author: Florian Schlichting <fsfs at debian.org>
Date:   Sat Oct 22 00:42:49 2016 +0200

    Opt out of bindow (closes: #837562)
    
    quoting Niko from the bug:
    
    My understanding is that the Apache module parts (mod_embperl) get
    compiled into Embperl.so, but don't get used unless the thing is loaded
    by Apache. The 'bindnow' hardening is incompatible with this scheme;
    from the ld(1) documentation for '-z now':
    
      When generating an executable or shared library, mark it to tell the
      dynamic linker to resolve all symbols when the program is started, or
      when the shared library is linked to using dlopen, instead of deferring
      function call resolution to the point when the function is first called.
    
    So when perl dlopens Embperl.so without Apache, the ap_* functions
    aren't needed but still get loaded (unsuccessfully).
---
 debian/rules | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/rules b/debian/rules
index 3576476..0e971e7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -8,6 +8,8 @@ POD2TEXT = Changes Config Faq Features FeaturesD \
 
 ARCHLIB := $(shell perl -MConfig -e 'print $$Config{vendorarch}')
 
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-bindnow
+
 %: %.pod
 	pod2text < $< > $@
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libembperl-perl.git