From a36a945244e581785e36ea457b0b3a4f2ede0af6 Mon Sep 17 00:00:00 2001 From: Mehdi Dogguy Date: Thu, 22 Dec 2016 00:14:41 +0100 Subject: [PATCH] obey hardening LDFLAGS (Closes: #792502) --- debian/changelog | 8 ++++ ...for-linking-all-executables-and-shar.patch | 44 +++++++++++++++++++ debian/patches/series | 1 + debian/rules | 3 ++ 4 files changed, 56 insertions(+) create mode 100644 debian/patches/0013-Use-CCLINKFLAGS-for-linking-all-executables-and-shar.patch diff --git a/debian/changelog b/debian/changelog index c3360574..b74401be 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +ocaml (4.02.3-9) UNRELEASED; urgency=medium + + * obey hardening LDFLAGS (Closes: #792502). Thanks to Török Edwin + for the patch! + - add patch 0013-Obey-ldflags.patch + + -- Mehdi Dogguy Thu, 22 Dec 2016 00:12:38 +0100 + ocaml (4.02.3-8) unstable; urgency=medium * Default to PIC on arm, to fix failing armhf tests (Closes: #837359). diff --git a/debian/patches/0013-Use-CCLINKFLAGS-for-linking-all-executables-and-shar.patch b/debian/patches/0013-Use-CCLINKFLAGS-for-linking-all-executables-and-shar.patch new file mode 100644 index 00000000..6cdc64c6 --- /dev/null +++ b/debian/patches/0013-Use-CCLINKFLAGS-for-linking-all-executables-and-shar.patch @@ -0,0 +1,44 @@ +From: Torok Edwin +Date: Wed, 15 Jul 2015 16:33:23 +0300 +Subject: Use CCLINKFLAGS for linking all executables and shared libraries + +This allows packagers to set additional linker flags for executables and shared +libraries created by OCaml, and for the OCaml tools themselves. +OCaml code can be linked with various C stubs and C libraries that would +benefit from using hardening link flags, such as -Wl,-z,relro. + +Origin: other +Bug-Debian: https://bugs.debian.org/702349 +Forwarded: no +Last-Update: <2015-07-15> +--- + configure | 2 ++ + tools/Makefile.shared | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/configure b/configure +index c37a2e5..b58a86d 100755 +--- a/configure ++++ b/configure +@@ -768,6 +768,8 @@ if test $with_sharedlibs = "yes"; then + shared_libraries_supported=true;; + esac + fi ++mksharedlib="$mksharedlib $CCLINKFLAGS" ++mkexe="$mkexe $CCLINKFLAGS" + + if test -z "$mkmaindll"; then + mkmaindll=$mksharedlib +diff --git a/tools/Makefile.shared b/tools/Makefile.shared +index 0b90cd3..2d5546e 100644 +--- a/tools/Makefile.shared ++++ b/tools/Makefile.shared +@@ -287,7 +287,7 @@ endif + + objinfo_helper$(EXE): objinfo_helper.c ../config/s.h + $(BYTECC) $(CCOUT)objinfo_helper$(EXE) $(BYTECCCOMPOPTS) \ +- objinfo_helper.c $(LIBBFD_LINK) ++ objinfo_helper.c $(LIBBFD_LINK) $(CCLINKFLAGS) + + OBJINFO=../compilerlibs/ocamlcommon.cma \ + ../compilerlibs/ocamlbytecomp.cma \ diff --git a/debian/patches/series b/debian/patches/series index 552c4d78..7ca62b30 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,4 @@ 0010-Add-a-.file-directive-to-generated-.s-files.patch 0011-Compatibility-with-x32-architecture.patch 0012-arm-default-PIC.patch +0013-Use-CCLINKFLAGS-for-linking-all-executables-and-shar.patch diff --git a/debian/rules b/debian/rules index a1e56b3f..438b0d0c 100755 --- a/debian/rules +++ b/debian/rules @@ -61,6 +61,9 @@ endif export OCAML_OPT_ARCH export OCAML_STDLIB_DIR +export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow +export CCLINKFLAGS=$(shell dpkg-buildflags --get LDFLAGS) + CONFIGURE_OPTS := \ --host $(DEB_BUILD_GNU_TYPE)\ --with-pthread -prefix $(DEB_TEST_BUILD_PREFIX)/usr \ -- 2.30.2