Bug#799738: mpv: Please re-enable all hardening options

Simon Ruderich simon at ruderich.org
Tue Sep 22 00:40:13 UTC 2015


Package: mpv
Version: 0.10.0-1
Severity: important
Tags: patch

Hello,

in the last upload all additional hardening options were dropped.
Please re-enable them. As a video player, mpv is prone to
vulnerabilities in its libraries and the additional hardening
flags make exploits more difficult.

The source of the build problem is a PIE vs. PIC conflict.
Libraries must be built with PIC, binaries with PIE. When passed
the PIE flag via CFLAGS/LDFLAGS, the build system must filter it
out when it's linking shared libraries, however waf is apparently
not doing that.

The attached hacky patch fixes this issue for mpv; please apply
it for now. If possible waf should be improved to handle that
conflict on its own. With the patch, all hardening options can be
enabled again:

    export DEB_BUILD_MAINT_OPTIONS := hardening=+all

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 04_fix_waf_pic_pie_conflict.patch
Type: text/x-diff
Size: 583 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20150922/7e3537b3/attachment.patch>

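The filtering the message asks of the build system, sketched as an added example. It is not the attached patch and not waf code. The function names, the sample flag strings and the libexample.so file name are constructed for illustration.

```python
import shlex

# Flags that request a position-independent *executable*.
PIE_COMPILE = {"-fPIE", "-fpie"}
PIE_LINK = {"-pie", "-Wl,-pie"}
PIC_COMPILE = {"-fPIC", "-fpic"}


def flags_for_shared_lib(flags):
    """Return the flag list with PIE requests replaced by PIC.

    Every other token (e.g. -fstack-protector-strong, -Wl,-z,relro) is
    kept in its original order, so the remaining hardening stays active.
    """
    out = []
    for tok in shlex.split(flags):
        if tok in PIE_LINK:
            continue                  # -pie must not reach a -shared link
        if tok in PIE_COMPILE:
            tok = "-fPIC"             # library objects need PIC instead
        if tok in PIC_COMPILE and any(t in PIC_COMPILE for t in out):
            continue                  # avoid duplicate PIC flags
        out.append(tok)
    return out


def has_pie_pic_conflict(command):
    """True if one compiler/linker command mixes -shared with a PIE flag."""
    toks = set(shlex.split(command))
    return "-shared" in toks and bool(toks & (PIE_COMPILE | PIE_LINK))


# Constructed sample values in the style of a hardening=+all build.
SAMPLE_CFLAGS = "-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security"
SAMPLE_LDFLAGS = "-fPIE -pie -Wl,-z,relro -Wl,-z,now"

if __name__ == "__main__":
    print("shlib CFLAGS :", " ".join(flags_for_shared_lib(SAMPLE_CFLAGS)))
    print("shlib LDFLAGS:", " ".join(flags_for_shared_lib(SAMPLE_LDFLAGS)))
    # Constructed link commands: unfiltered vs. filtered LDFLAGS.
    bad = "cc -shared " + SAMPLE_LDFLAGS + " -o libexample.so a.o"
    good = "cc -shared " + " ".join(flags_for_shared_lib(SAMPLE_LDFLAGS)) + " -o libexample.so a.o"
    print("conflict before:", has_pie_pic_conflict(bad))
    print("conflict after :", has_pie_pic_conflict(good))
```

has_pie_pic_conflict can also be run over the link lines of a build log to spot shared-library links that still receive PIE flags.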
