[pkg-gnupg-maint] Bug#846889: Bug#846889: gnupg2: FTBFS on hppa - Please don't link static version with -pie on hppa
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Dec 5 17:27:52 UTC 2016
Hi Dave--
thanks for this report!
On Sat 2016-12-03 18:12:41 -0500, John David Anglin wrote:
>
> make[2]: Entering directory '/<<PKGBUILDDIR>>/build-gpgv-static/g10'
> gcc -Wall -Wno-pointer-sign -Wpointer-arith -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -Wformat -Werror=format-security -pie -static -o gpgv gpgv.o build-packet.o compress.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o rmd160.o openfile.o keyid.o parse-packet.o cpr.o plaintext.o sig-check.o keylist.o pkglue.o ecdh.o verify.o ../kbx/libkeybox.a ../common/libcommon.a ../common/libgpgrl.a -lz -lgcrypt -L/usr/lib/hppa-linux-gnu -lgpg-error
> /usr/bin/ld: /usr/lib/gcc/hppa-linux-gnu/6/crtbeginT.o: relocation R_PARISC_DPREL21L can not be used when making a shared object; recompile with -fPIC
> /usr/lib/gcc/hppa-linux-gnu/6/crtbeginT.o: error adding symbols: Bad value
> collect2: error: ld returned 1 exit status
> Makefile:788: recipe for target 'gpgv' failed
>
> Full log is here:
> https://buildd.debian.org/status/fetch.php?pkg=gnupg2&arch=hppa&ver=2.1.16-2&stamp=1479760527
>
> The build will complete successfully if "-pie" is removed from the following
> line in debian/rules:
> cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS -pie -static" gpgv
>
> PIE support is not well tested on hppa. Further, gcc on hppa is not built
> with --enable-pie-default. So, archive libraries and executable code are
> not built by default with -fPIE. So, in general, linking with -pie and -static
> isn't going to work.
that's a bummer, since it means that ASLR isn't going to work for hppa,
which leaves hppa users more vulnerable to certain kinds of attack.
I plan on resolving this in the next upload with a change like the following:
--- a/debian/rules
+++ b/debian/rules
@@ -14,6 +14,12 @@ include /usr/share/dpkg/architecture.mk
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+ifeq ($(DEB_HOST_ARCH),hppa)
+ GPGV_STATIC_HARDENING = ""
+else
+ GPGV_STATIC_HARDENING = "-pie"
+endif
+
%:
dh $@ --with=autoreconf --builddirectory=build
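Review bot: The double quotes in the two `GPGV_STATIC_HARDENING` assignments are not stripped by make, so the variable holds the literal text `""` on hppa and `"-pie"` elsewhere rather than an empty string and `-pie`. Suggest writing the values unquoted, that is `GPGV_STATIC_HARDENING =` in the hppa branch and `GPGV_STATIC_HARDENING = -pie` in the else branch. A one-line comment above the `ifeq` naming Bug#846889 and the hppa linker failure would also help, so that a later reader knows why this architecture is exempt from `-pie` while `hardening=+all` stays in place, and when the exception can be removed.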
@@ -36,7 +42,7 @@ override_dh_auto_build-arch:
dh_auto_build --builddirectory=build
cp -a build-gpgv-udeb build-gpgv-static
rm -f build-gpgv-static/g10/gpgv
- cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS -pie -static" gpgv
+ cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS $(GPGV_STATIC_HARDENING) -static" gpgv
mv build-gpgv-static/g10/gpgv build-gpgv-static/g10/gpgv-static
override_dh_auto_build-indep:
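Review bot: On the changed `$(MAKE)` line, `$(GPGV_STATIC_HARDENING)` is expanded inside a shell string that is already double-quoted, so with the values defined above the shell receives `LDFLAGS="$LDFLAGS "-pie" -static"` (or `"$LDFLAGS "" -static"` on hppa). That only works because the shell joins the adjacent quoted and unquoted fragments into one word. If the variable ever holds two flags separated by a space, the word ends at that space and the remainder is taken as the command to run instead of being passed to make. With unquoted values in the definition this line can stay as written and the whole assignment remains a single quoted word.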
Please let me know if you think this could be improved.
--dkg