Ubuntu
dpkg package

dpkg-buildflags should explicitly pass -fno-PIE and -no-pie if DEB_BUILD_{MAINT_,}OPTIONS=hardening=-pie is set

Bug #1576915 reported by Matthias Klose on 2016-04-30
36
This bug affects 6 people
Affects Status Importance Assigned to Milestone
dpkg (Debian)
Fix Released
Unknown
dpkg (Ubuntu)
Fix Released
Undecided
Unassigned
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

now with the default to pie, dpkg-buildflags should explicitly pass -fno-PIE and -no-pie if DEB_BUILD_HARDENING_PIE=0 is set

Matthias Klose (doko) wrote :

same for DEB_BUILD_HARDENING_BINDNOW=0

Steve Langasek (vorlon) wrote :

This should rather be DEB_BUILD_{MAINT_,}OPTIONS=hardening=-pie,-bindnow; DEB_BUILD_HARDENING_* are options for the obsolete hardening-wrapper.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dpkg (Ubuntu):
status: New → Confirmed
Gianfranco Costamagna (costamagnagianfranco) wrote :
Download full text (3.4 KiB)

it seems to be not working for virtualbox
DEB_BUILD_MAINT_OPTIONS=hardening=-pie

/usr/bin/kmk_redirect -wo /build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR3/common/math/RTUInt128MulByU64.o.dep -- yasm -DKBUILD_GENERATING_MAKEFILE_DEPENDENCIES -f elf64 -DASM_FORMAT_ELF -D__YASM__ -Worphan-labels -g dwarf2 -I/build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/include/ -I/build/virtualbox-5.0.20-dfsg/src/libs/liblzf-3.4/ -I/build/virtualbox-5.0.20-dfsg/src/libs/kStuff/kStuff/include/ -I/build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR3/dtrace/ -I/usr/include/libxml2/ -I/build/virtualbox-5.0.20-dfsg/include/ -I/build/virtualbox-5.0.20-dfsg/out/ -DVBOX -DVBOX_OSE -DVBOX_WITH_64_BITS_GUESTS -DVBOX_WITH_DEBUGGER -DRT_OS_LINUX -D_FILE_OFFSET_BITS=64 -DRT_ARCH_AMD64 -D__AMD64__ -D_REENTRANT -DIN_RT_STATIC -DIN_RT_R3 -DIN_SUP_STATIC -DIN_RING3 -DHC_ARCH_BITS=64 -DGC_ARCH_BITS=64 -DVBOX_WITH_DTRACE -DVBOX_WITH_DTRACE_R3 -DIN_RT_R3 -DIN_SUP_R3 -DLDR_WITH_NATIVE -DLDR_WITH_ELF32 -DLDR_WITH_PE -DRT_WITH_VBOX -DRT_NO_GIP -DRT_WITHOUT_NOCRT_WRAPPERS -DIPRT_WITH_OPENSSL -DLDR_WITH_KLDR -DRT_WITH_ICONV_CACHE -o /build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR3/common/math/RTUInt128MulByU64.o /build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/common/math/RTUInt128MulByU64.asm -M
kBuild: Compiling RuntimeR0 - /build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/common/log/logcom.cpp => /build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR0/common/log/logcom.o
g++ -c -O2 -nostdinc -g -pipe -Werror -pedantic -Wshadow -Wshadow -Wall -Wextra -Wno-missing-field-initializers -Wno-unused -Wno-trigraphs -fdiagnostics-show-option -Wno-unused-parameter -Wlogical-op -Wno-long-long -Wno-long-long -Wno-delete-non-virtual-dtor -Wno-variadic-macros -O2 -mtune=generic -fno-omit-frame-pointer -fno-strict-aliasing -fno-exceptions -fno-stack-protector -fno-common -fvisibility-inlines-hidden -fvisibility=hidden -DVBOX_HAVE_VISIBILITY_HIDDEN -DRT_USE_VISIBILITY_DEFAULT -fno-rtti -m64 -mno-red-zone -mcmodel=kernel -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -fno-asynchronous-unwind-tables -I/build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/include -I/build/virtualbox-5.0.20-dfsg/include/iprt/nocrt -I/build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR0/dtrace -I/build/virtualbox-5.0.20-dfsg/include -I/build/virtualbox-5.0.20-dfsg/out -DVBOX -DVBOX_OSE -DVBOX_WITH_64_BITS_GUESTS -DVBOX_WITH_DEBUGGER -DRT_OS_LINUX -D_FILE_OFFSET_BITS=64 -DRT_ARCH_AMD64 -D__AMD64__ -DVBOX_WITH_HARDENING -DRTPATH_APP_PRIVATE=\"/usr/share/virtualbox\" -DRTPATH_APP_PRIVATE_ARCH=\"/usr/lib/virtualbox\" -DRTPATH_SHARED_LIBS=\"/usr/lib/virtualbox\" -DRTPATH_APP_DOCS=\"/usr/share/doc/virtualbox\" -DIN_RING0 -DIN_RING0_AGNOSTIC -DIPRT_NO_CRT -DRT_WITH_NOCRT_ALIASES -DHC_ARCH_BITS=64 -DGC_ARCH_BITS=64 -DVBOX_WITH_DTRACE -DVBOX_WITH_DTRACE_R0 -DIN_RT_R0 -DRT_WITH_VBOX -Wp,-MD,/build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR0/common/log/logcom.o.dep -Wp,-MT,/build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR0/common/log/logcom.o -Wp,-MP -o /build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR0/common/log/logcom.o /build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/common/log/logcom.cpp
/build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/common/log/logellipsis.cpp:1:0: error: co...

Read more...

Matthias Klose (doko) on 2016-05-02
summary: dpkg-buildflags should explicitly pass -fno-PIE and -no-pie if
- DEB_BUILD_HARDENING_PIE=0 is set
+ DEB_BUILD_{MAINT_,}OPTIONS=hardening=-pie is set
Bug Watch Updater (bug-watch-updater) on 2016-05-10
Changed in dpkg (Debian):
status: Unknown → New
dino99 (9d9) wrote :

Debian answer & possible solution:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823869#10

its an Ubuntu problem, and Debian will probably change nothing to their dkms version.

dino99 (9d9) wrote :

Some more comment:

the ubuntu kenel team have teached the compiler to take care of that issue directly; so it seems 'dkms' task opened here can be dropped too now.

 * Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not
    supported by compiler (LP: #1574982)
    - SAUCE: (no-up) disable -pie when gcc has it enabled by default

dino99 (9d9) wrote :

but a solution is still needed in case of vanilla kernel installation

Bug Watch Updater (bug-watch-updater) on 2016-06-13
Changed in dpkg (Debian):
status: New → Fix Released
dino99 (9d9) wrote :

Looks like an old problem now fixed; Maybe closing that report then.

Gianfranco Costamagna (costamagnagianfranco) wrote :

more a wontfix, but workarounds are already in place.

Changed in dpkg (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.