dpkg-buildflags should explicitly pass -fno-PIE and -no-pie if DEB_BUILD_{MAINT_,}OPTIONS=hardening=-pie is set

Bug #1576915 reported by Matthias Klose
This bug affects 6 people
Affects: dpkg (Debian); Status: Fix Released; Importance: Unknown
Affects: dpkg (Ubuntu); Status: Fix Released; Importance: Undecided; Assigned to: Unassigned

Bug Description

Now with the default to pie, dpkg-buildflags should explicitly pass -fno-PIE and -no-pie if DEB_BUILD_HARDENING_PIE=0 is set.

Matthias Klose (doko) wrote :

Same for DEB_BUILD_HARDENING_BINDNOW=0.

Steve Langasek (vorlon) wrote :

This should rather be DEB_BUILD_{MAINT_,}OPTIONS=hardening=-pie,-bindnow; DEB_BUILD_HARDENING_* are options for the obsolete hardening-wrapper.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dpkg (Ubuntu):
status: New → Confirmed
Gianfranco Costamagna (costamagnagianfranco) wrote :

It seems not to be working for virtualbox:
DEB_BUILD_MAINT_OPTIONS=hardening=-pie

/usr/bin/kmk_redirect -wo /build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR3/common/math/RTUInt128MulByU64.o.dep -- yasm -DKBUILD_GENERATING_MAKEFILE_DEPENDENCIES -f elf64 -DASM_FORMAT_ELF -D__YASM__ -Worphan-labels -g dwarf2 -I/build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/include/ -I/build/virtualbox-5.0.20-dfsg/src/libs/liblzf-3.4/ -I/build/virtualbox-5.0.20-dfsg/src/libs/kStuff/kStuff/include/ -I/build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR3/dtrace/ -I/usr/include/libxml2/ -I/build/virtualbox-5.0.20-dfsg/include/ -I/build/virtualbox-5.0.20-dfsg/out/ -DVBOX -DVBOX_OSE -DVBOX_WITH_64_BITS_GUESTS -DVBOX_WITH_DEBUGGER -DRT_OS_LINUX -D_FILE_OFFSET_BITS=64 -DRT_ARCH_AMD64 -D__AMD64__ -D_REENTRANT -DIN_RT_STATIC -DIN_RT_R3 -DIN_SUP_STATIC -DIN_RING3 -DHC_ARCH_BITS=64 -DGC_ARCH_BITS=64 -DVBOX_WITH_DTRACE -DVBOX_WITH_DTRACE_R3 -DIN_RT_R3 -DIN_SUP_R3 -DLDR_WITH_NATIVE -DLDR_WITH_ELF32 -DLDR_WITH_PE -DRT_WITH_VBOX -DRT_NO_GIP -DRT_WITHOUT_NOCRT_WRAPPERS -DIPRT_WITH_OPENSSL -DLDR_WITH_KLDR -DRT_WITH_ICONV_CACHE -o /build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR3/common/math/RTUInt128MulByU64.o /build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/common/math/RTUInt128MulByU64.asm -M
kBuild: Compiling RuntimeR0 - /build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/common/log/logcom.cpp => /build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR0/common/log/logcom.o
g++ -c -O2 -nostdinc -g -pipe -Werror -pedantic -Wshadow -Wshadow -Wall -Wextra -Wno-missing-field-initializers -Wno-unused -Wno-trigraphs -fdiagnostics-show-option -Wno-unused-parameter -Wlogical-op -Wno-long-long -Wno-long-long -Wno-delete-non-virtual-dtor -Wno-variadic-macros -O2 -mtune=generic -fno-omit-frame-pointer -fno-strict-aliasing -fno-exceptions -fno-stack-protector -fno-common -fvisibility-inlines-hidden -fvisibility=hidden -DVBOX_HAVE_VISIBILITY_HIDDEN -DRT_USE_VISIBILITY_DEFAULT -fno-rtti -m64 -mno-red-zone -mcmodel=kernel -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -fno-asynchronous-unwind-tables -I/build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/include -I/build/virtualbox-5.0.20-dfsg/include/iprt/nocrt -I/build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR0/dtrace -I/build/virtualbox-5.0.20-dfsg/include -I/build/virtualbox-5.0.20-dfsg/out -DVBOX -DVBOX_OSE -DVBOX_WITH_64_BITS_GUESTS -DVBOX_WITH_DEBUGGER -DRT_OS_LINUX -D_FILE_OFFSET_BITS=64 -DRT_ARCH_AMD64 -D__AMD64__ -DVBOX_WITH_HARDENING -DRTPATH_APP_PRIVATE=\"/usr/share/virtualbox\" -DRTPATH_APP_PRIVATE_ARCH=\"/usr/lib/virtualbox\" -DRTPATH_SHARED_LIBS=\"/usr/lib/virtualbox\" -DRTPATH_APP_DOCS=\"/usr/share/doc/virtualbox\" -DIN_RING0 -DIN_RING0_AGNOSTIC -DIPRT_NO_CRT -DRT_WITH_NOCRT_ALIASES -DHC_ARCH_BITS=64 -DGC_ARCH_BITS=64 -DVBOX_WITH_DTRACE -DVBOX_WITH_DTRACE_R0 -DIN_RT_R0 -DRT_WITH_VBOX -Wp,-MD,/build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR0/common/log/logcom.o.dep -Wp,-MT,/build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR0/common/log/logcom.o -Wp,-MP -o /build/virtualbox-5.0.20-dfsg/out/obj/RuntimeR0/common/log/logcom.o /build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/common/log/logcom.cpp
/build/virtualbox-5.0.20-dfsg/src/VBox/Runtime/common/log/logellipsis.cpp:1:0: error: co...
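
An added example, not part of the original comment and not dpkg's own code: a Python audit that scans a build log for compiler commands that set no explicit PIE flag, which is the situation this bug describes when the compiler defaults to PIE. The sample log is constructed, the function names are hypothetical, and only -fPIE/-fpie/-fno-PIE/-fno-pie and -pie/-no-pie are considered (other options such as -fPIC or specs files are ignored).

```python
import re
import shlex

# Matches gcc, g++, cc, c++, also with a target prefix or version suffix
# (for example x86_64-linux-gnu-gcc-5).
COMPILER = re.compile(r"(?:^|-)(?:gcc|g\+\+|cc|c\+\+)(?:-[\d.]+)?$")

def last_choice(argv, on, off):
    """Return 'pie', 'no-pie' or 'compiler-default'; the last explicit flag wins."""
    state = "compiler-default"
    for arg in argv:
        if arg in on:
            state = "pie"
        elif arg in off:
            state = "no-pie"
    return state

def pie_decision(line):
    """Classify one log line; None when it is not a compiler invocation."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes: not a command we can parse
        return None
    if not argv or not COMPILER.search(argv[0].rsplit("/", 1)[-1]):
        return None
    compile_state = last_choice(argv, {"-fPIE", "-fpie"}, {"-fno-PIE", "-fno-pie"})
    # -c stops before linking, so the link-time flag does not apply.
    link_state = "n/a" if "-c" in argv else last_choice(argv, {"-pie"}, {"-no-pie"})
    return compile_state, link_state

def audit(log_text):
    """Return (line number, compile state, link state) for every compiler
    command that leaves a PIE decision to the compiler's built-in default."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        decision = pie_decision(line)
        if decision and "compiler-default" in decision:
            findings.append((number, *decision))
    return findings

# Constructed sample log (shortened, not the real virtualbox build output).
SAMPLE_LOG = r"""kBuild: Compiling RuntimeR0 - src/logcom.cpp => out/logcom.o
g++ -c -O2 -mcmodel=kernel -DRTPATH_APP_PRIVATE=\"/usr/share/virtualbox\" -o out/logcom.o src/logcom.cpp
gcc -c -O2 -fno-PIE -o out/a.o src/a.c
gcc -fno-PIE -no-pie -o out/prog out/a.o
gcc -fno-PIE -o out/prog2 out/a.o"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Lines reported with `compiler-default` are the ones where a build that requested hardening=-pie still depends on how the compiler itself was configured.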


Matthias Klose (doko)
summary: dpkg-buildflags should explicitly pass -fno-PIE and -no-pie if
- DEB_BUILD_HARDENING_PIE=0 is set
+ DEB_BUILD_{MAINT_,}OPTIONS=hardening=-pie is set
Changed in dpkg (Debian):
status: Unknown → New
dino99 (9d9) wrote :

Debian answer & possible solution:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823869#10

It's an Ubuntu problem, and Debian will probably change nothing in their dkms version.

dino99 (9d9) wrote :

Some more comments:

The Ubuntu kernel team have taught the compiler to take care of that issue directly, so it seems the 'dkms' task opened here can be dropped too now.

 * Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not
    supported by compiler (LP: #1574982)
    - SAUCE: (no-up) disable -pie when gcc has it enabled by default

dino99 (9d9) wrote :

But a solution is still needed in case of a vanilla kernel installation.

Changed in dpkg (Debian):
status: New → Fix Released
dino99 (9d9) wrote :

Looks like an old problem now fixed; maybe close that report then.

Gianfranco Costamagna (costamagnagianfranco) wrote :

More a wontfix, but workarounds are already in place.

Changed in dpkg (Ubuntu):
status: Confirmed → Fix Released