Debian Bug report logs - #657853
Please enable hardened build flags


Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 29 Jan 2012 13:06:02 UTC

Severity: important

Found in version perl/5.14.2-6

Fixed in version perl/5.14.2-8

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Sun, 29 Jan 2012 13:06:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 29 Jan 2012 13:06:35 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Please enable hardened build flags
Date: Sun, 29 Jan 2012 14:02:31 +0100
Package: perl
Version: 5.14.2-6
Severity: important

Please enable hardened build flags through dpkg-buildflags.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Sun, 05 Feb 2012 18:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Sun, 05 Feb 2012 18:48:03 GMT) Full text and rfc822 format available.

Message #10 received at 657853@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 657853@bugs.debian.org
Subject: Re: Bug#657853: Please enable hardened build flags
Date: Sun, 5 Feb 2012 20:44:15 +0200
On Sun, Jan 29, 2012 at 02:02:31PM +0100, Moritz Muehlenhoff wrote:
> Package: perl
> Version: 5.14.2-6
> Severity: important
> 
> Please enable hardened build flags through dpkg-buildflags.

While perl builds fine on amd64 with the attached patch, I'm slightly
uneasy about pushing it to unstable without wider testing.

Possibly we should do an experimental upload first to verify that it builds
on all architectures, and then do a test rebuild of (say) lib*-perl to catch
any obvious regressions. Dominic, thoughts?
-- 
Niko Tyni   ntyni@debian.org
[657853.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Sun, 05 Feb 2012 22:33:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 05 Feb 2012 22:33:06 GMT) Full text and rfc822 format available.

Message #15 received at 657853@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 657853@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#657853: Please enable hardened build flags
Date: Sun, 5 Feb 2012 22:28:55 +0000
On Sun, Feb 05, 2012 at 08:44:15PM +0200, Niko Tyni wrote:
> On Sun, Jan 29, 2012 at 02:02:31PM +0100, Moritz Muehlenhoff wrote:
> > Package: perl
> > Version: 5.14.2-6
> > Severity: important
> > 
> > Please enable hardened build flags through dpkg-buildflags.
> 
> While perl builds fine on amd64 with the attached patch, I'm slightly
> uneasy about pushing it to unstable without wider testing.

Have you verified the output from hardening-flags before and after,
both of perl and of a sample XS module? (I used libimager-perl as a test.)
 
> Possibly we should do an experimental upload first to verify that it builds
> on all architectures, and then do a test rebuild of (say) lib*-perl to catch
> any obvious regressions. Dominic, thoughts?

Probably not a bad idea. We'll need to binnmu all XS modules to pick
up the hardening flags anyway, so it'd be as well to make sure that
we've test-rebuilt those if not Arch: all packages.

I see that you fixed the problem that I identified in [1] with cppflags
not getting set by including them in ccflags.

[1] <http://lists.alioth.debian.org/pipermail/perl-maintainers/2012-January/002886.html>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Mon, 06 Feb 2012 06:57:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Mon, 06 Feb 2012 06:57:08 GMT) Full text and rfc822 format available.

Message #20 received at 657853@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 657853@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#657853: Please enable hardened build flags
Date: Mon, 6 Feb 2012 08:55:25 +0200
On Sun, Feb 05, 2012 at 10:28:55PM +0000, Dominic Hargreaves wrote:
> On Sun, Feb 05, 2012 at 08:44:15PM +0200, Niko Tyni wrote:
> > On Sun, Jan 29, 2012 at 02:02:31PM +0100, Moritz Muehlenhoff wrote:
> > > Package: perl
> > > Version: 5.14.2-6
> > > Severity: important
> > > 
> > > Please enable hardened build flags through dpkg-buildflags.
> > 
> > While perl builds fine on amd64 with the attached patch, I'm slightly
> > uneasy about pushing it to unstable without wider testing.
> 
> Have you verified the output from hardening-flags before and after,
> both of perl and of a sample XS module (I used libimager-perl as a test).

No - I just checked the build log, $Config{ccflags} and the like.

Will do that when I have the time.
 
> Probably not a bad idea. We'll need to binnmu all XS modules to pick
> up the hardening flags anyway, so it'd be as well to make sure that
> we've test-rebuilt those if not Arch: all packages.

Also, maybe check with upstream that there aren't any known issues with
these flags?

> I see that you fixed the problem that I identified in [1] with cppflags
> not getting set by including them in ccflags.
> 
> [1] <http://lists.alioth.debian.org/pipermail/perl-maintainers/2012-January/002886.html>

I'd sort of missed that mail, sorry. Yes, I think this is the only
way to get cppflags into the build.

Putting the ldflags into lddlflags along with -shared is rather ugly,
but I couldn't come up with anything better.
-- 
Niko




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Mon, 06 Feb 2012 16:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Mon, 06 Feb 2012 16:51:05 GMT) Full text and rfc822 format available.

Message #25 received at 657853@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 657853@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#657853: Please enable hardened build flags
Date: Mon, 6 Feb 2012 18:47:57 +0200
On Mon, Feb 06, 2012 at 08:55:25AM +0200, Niko Tyni wrote:
> On Sun, Feb 05, 2012 at 10:28:55PM +0000, Dominic Hargreaves wrote:
> > On Sun, Feb 05, 2012 at 08:44:15PM +0200, Niko Tyni wrote:
> > > On Sun, Jan 29, 2012 at 02:02:31PM +0100, Moritz Muehlenhoff wrote:
> > > > Package: perl
> > > > Version: 5.14.2-6
> > > > Severity: important
> > > > 
> > > > Please enable hardened build flags through dpkg-buildflags.
> > > 
> > > While perl builds fine on amd64 with the attached patch, I'm slightly
> > > uneasy about pushing it to unstable without wider testing.
> > 
> > Have you verified the output from hardening-flags before and after,
> > both of perl and of a sample XS module (I used libimager-perl as a test).
> 
> No - I just checked the build log, $Config{ccflags} and the like.
> 
> Will do that when I have the time.

Looks good to me FWIW:

--- before	2012-02-06 18:05:51.000000000 +0200
+++ after	2012-02-06 18:05:52.000000000 +0200
@@ -1,18 +1,18 @@
 /usr/bin/perl:
  Position Independent Executable: no, normal executable!
  Stack protected: yes
  Fortify Source functions: unknown, no protectable libc functions used
- Read-only relocations: no, not found!
+ Read-only relocations: yes
  Immediate binding: no not found!
 /usr/lib/libperl.so.5.14.2:
  Position Independent Executable: no, regular shared library (ignored)
  Stack protected: yes
- Fortify Source functions: no, only unprotected functions found!
- Read-only relocations: no, not found!
+ Fortify Source functions: yes (some protected functions found)
+ Read-only relocations: yes
  Immediate binding: no not found!
 /usr/lib/perl5/auto/Imager/File/ICO/ICO.so:
  Position Independent Executable: no, regular shared library (ignored)
  Stack protected: yes
- Fortify Source functions: no, only unprotected functions found!
- Read-only relocations: no, not found!
+ Fortify Source functions: yes (some protected functions found)
+ Read-only relocations: yes
  Immediate binding: no not found!
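Review bot: the after column still reports "Position Independent Executable: no" for /usr/bin/perl and "Immediate binding: no not found!" for all three objects, so this change only turns on read-only relocations and fortified functions; since the package explicitly sets hardening=-pie (and bindnow, like pie, is not in the default dpkg-buildflags set), it would be worth stating in the changelog that those two remaining "no" results are expected rather than regressions. Also note that "Fortify Source functions: unknown, no protectable libc functions used" for /usr/bin/perl is not a failure: the binary itself calls no fortifiable libc functions, and the meaningful result is the one for /usr/lib/libperl.so.5.14.2, which now shows "yes (some protected functions found)".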

> Putting the ldflags into lddlflags along with -shared is rather ugly,
> but I couldn't come up with anything better.

BTW, I see we'd have a hard time being compatible with
DEB_BUILD_MAINT_OPTIONS=hardening=+pie, since most of the flags end up
in -fPIC shared builds one way or another. Do we need to care? Should
we explicitly set hardening=-pie in the package?
-- 
Niko




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Mon, 06 Feb 2012 18:45:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 06 Feb 2012 18:45:05 GMT) Full text and rfc822 format available.

Message #30 received at 657853@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Niko Tyni <ntyni@debian.org>
Cc: 657853@bugs.debian.org
Subject: Re: Bug#657853: Please enable hardened build flags
Date: Mon, 6 Feb 2012 19:44:15 +0100
On Mon, Feb 06, 2012 at 06:47:57PM +0200, Niko Tyni wrote:
> On Mon, Feb 06, 2012 at 08:55:25AM +0200, Niko Tyni wrote:
> > On Sun, Feb 05, 2012 at 10:28:55PM +0000, Dominic Hargreaves wrote:
> > > On Sun, Feb 05, 2012 at 08:44:15PM +0200, Niko Tyni wrote:
> > > > On Sun, Jan 29, 2012 at 02:02:31PM +0100, Moritz Muehlenhoff wrote:
> > > > > Package: perl
> > > > > Version: 5.14.2-6
> > > > > Severity: important
> > > > > 
> > > > > Please enable hardened build flags through dpkg-buildflags.
> > > > 
> > > > While perl builds fine on amd64 with the attached patch, I'm slightly
> > > > uneasy about pushing it to unstable without wider testing.
> > > 
> > > Have you verified the output from hardening-flags before and after,
> > > both of perl and of a sample XS module (I used libimager-perl as a test).
> > 
> > No - I just checked the build log, $Config{ccflags} and the like.
> > 
> > Will do that when I have the time.
> 
> Looks good to me FWIW:

[..]

Looks good, yes.
 
> > Putting the ldflags into lddlflags along with -shared is rather ugly,
> > but I couldn't come up with anything better.
> 
> BTW, I see we'd have a hard time to be compatible with
>  DEB_BUILD_MAINT_OPTIONS=hardening=+pie.
> since most of the flags end up in -fPIC shared builds one way
> or another. 

Libtool handles this gracefully, see 
http://permalink.gmane.org/gmane.linux.debian.devel.general/168849

Right now -pie is not in the default set of hardening flags
for Wheezy. It will likely be enabled after Wheezy at least for
amd64 and other archs with sufficient registers, so setting
hardening=-pie can't hurt.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Mon, 06 Feb 2012 19:12:21 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 06 Feb 2012 19:12:21 GMT) Full text and rfc822 format available.

Message #35 received at 657853@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 657853@bugs.debian.org
Subject: Re: Bug#657853: Please enable hardened build flags
Date: Mon, 6 Feb 2012 19:11:23 +0000
On Mon, Feb 06, 2012 at 06:47:57PM +0200, Niko Tyni wrote:
> On Mon, Feb 06, 2012 at 08:55:25AM +0200, Niko Tyni wrote:
> > On Sun, Feb 05, 2012 at 10:28:55PM +0000, Dominic Hargreaves wrote:
> > > On Sun, Feb 05, 2012 at 08:44:15PM +0200, Niko Tyni wrote:
> > > > On Sun, Jan 29, 2012 at 02:02:31PM +0100, Moritz Muehlenhoff wrote:
> > > > > Package: perl
> > > > > Version: 5.14.2-6
> > > > > Severity: important
> > > > > 
> > > > > Please enable hardened build flags through dpkg-buildflags.
> > > > 
> > > > While perl builds fine on amd64 with the attached patch, I'm slightly
> > > > uneasy about pushing it to unstable without wider testing.
> > > 
> > > Have you verified the output from hardening-flags before and after,
> > > both of perl and of a sample XS module (I used libimager-perl as a test).
> > 
> > No - I just checked the build log, $Config{ccflags} and the like.
> > 
> > Will do that when I have the time.
> 
> Looks good to me FWIW:

Cool.

I'm preparing a fix for #656869 which I wouldn't mind getting a bit
of exposure in experimental, at least for the test suite on different
archs. Shall we aim to do such a build quite soon? Are you happy for
your other changes in -8 to be delayed a bit via experimental, keeping
a linear history?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Mon, 06 Feb 2012 20:15:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Mon, 06 Feb 2012 20:15:11 GMT) Full text and rfc822 format available.

Message #40 received at 657853@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 657853@bugs.debian.org
Subject: Re: Bug#657853: Please enable hardened build flags
Date: Mon, 6 Feb 2012 22:11:41 +0200
On Mon, Feb 06, 2012 at 07:11:23PM +0000, Dominic Hargreaves wrote:

> I'm preparing a fix for #656869 which I wouldn't mind getting a bit
> of exposure in experimental, at least for the test suite on different
> archs. Shall we aim to do such a build quite soon? Are you happy for
> your other changes in -8 to be delayed a bit via experimental, keeping
> a linear history?

Sure, no problem there. I'm still looking a bit into the -fPIE part, but
that doesn't have to make it in at the same time. None of my changes so
far are really urgent, so they'd have to wait for -7 testing transition
first anyway before they can go into sid.

I just pushed the dpkg-buildflags changes, so feel free to go ahead and
upload to experimental when you're ready.
-- 
Niko




Added tag(s) pending. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Mon, 06 Feb 2012 21:21:08 GMT) Full text and rfc822 format available.

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Mon, 06 Feb 2012 22:25:40 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 06 Feb 2012 22:25:41 GMT) Full text and rfc822 format available.

Message #47 received at 657853-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 657853-close@bugs.debian.org
Subject: Bug#657853: fixed in perl 5.14.2-8
Date: Mon, 06 Feb 2012 22:22:41 +0000
Source: perl
Source-Version: 5.14.2-8

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.14.2-8_all.deb
  to main/p/perl/libcgi-fast-perl_5.14.2-8_all.deb
libperl-dev_5.14.2-8_i386.deb
  to main/p/perl/libperl-dev_5.14.2-8_i386.deb
libperl5.14_5.14.2-8_i386.deb
  to main/p/perl/libperl5.14_5.14.2-8_i386.deb
perl-base_5.14.2-8_i386.deb
  to main/p/perl/perl-base_5.14.2-8_i386.deb
perl-debug_5.14.2-8_i386.deb
  to main/p/perl/perl-debug_5.14.2-8_i386.deb
perl-doc_5.14.2-8_all.deb
  to main/p/perl/perl-doc_5.14.2-8_all.deb
perl-modules_5.14.2-8_all.deb
  to main/p/perl/perl-modules_5.14.2-8_all.deb
perl_5.14.2-8.debian.tar.gz
  to main/p/perl/perl_5.14.2-8.debian.tar.gz
perl_5.14.2-8.dsc
  to main/p/perl/perl_5.14.2-8.dsc
perl_5.14.2-8_i386.deb
  to main/p/perl/perl_5.14.2-8_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 657853@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 06 Feb 2012 21:17:04 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.14 libperl-dev perl
Architecture: source all i386
Version: 5.14.2-8
Distribution: experimental
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.14 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 656869 657853 657940
Changes: 
 perl (5.14.2-8) experimental; urgency=low
 .
   [ Dominic Hargreaves ]
   * Include some notes in debian/rules about not using perl more than
     necessary
   * Fix CGI.pm to not use the deprecated shellwords.pl library
   * Don't use _POSIX_PATH_MAX as a fallback PATH_MAX (Closes: #656869)
 .
   [ Niko Tyni ]
   * Pass system zlib information to the Compress-Raw-Zlib build system
     with environment variables instead of patching the source.
   * Make perl-base and perl-modules conflict with defoma (<< 0.11.12),
     whose older versions may break when invoked from preinst scripts
     during squeeze -> wheezy upgrades. (Closes: #657940)
   * Use dpkg-buildflags (when available) to enable hardened builds.
     (Closes: #657853)
     + explicitly disable the 'pie' flags until somebody finds a way
       to make them work with the build system
Checksums-Sha1: 
 3a67b9791f4e8a183fc3131d2f199de212dab98b 1717 perl_5.14.2-8.dsc
 c9b9c8bed98b60020bad71b75b35d011a1f9e6b3 133441 perl_5.14.2-8.debian.tar.gz
 b4ab62c53496364b0e515e1dd593ac20c700cf6a 73308 libcgi-fast-perl_5.14.2-8_all.deb
 3c4985080950636002f11d46c428e47bab45e592 8165780 perl-doc_5.14.2-8_all.deb
 b4f8d0261f75afab739a3bcb228b5848e9becfb8 3438286 perl-modules_5.14.2-8_all.deb
 41228b64f632e9054c9a94884e4ead575abdfc8a 1484376 perl-base_5.14.2-8_i386.deb
 29e51ba41345f1930403e5f58032b69cd9e64b7c 7809886 perl-debug_5.14.2-8_i386.deb
 412fe3666ec415f0974022f81f4f92c699df306c 725556 libperl5.14_5.14.2-8_i386.deb
 456c71df7e2f964c2a6f348fde56ef6787fd0934 2693490 libperl-dev_5.14.2-8_i386.deb
 0c379d9b8a920959f365fccd96b6de868cd687e4 3698090 perl_5.14.2-8_i386.deb
Checksums-Sha256: 
 5198c172c842bb5caeb156c4e51d9cd064122fb6f0120e17edf0dd26a5e073d1 1717 perl_5.14.2-8.dsc
 3eff4fe788e03625e39bace9b75c4a77a755e67c42b54a5e3f547422e8987ba8 133441 perl_5.14.2-8.debian.tar.gz
 ddaf88e8ff2a42bd5159ff01ecd4f65e5728c6280e6e7dc51a6617544348a3f5 73308 libcgi-fast-perl_5.14.2-8_all.deb
 d92dc36a827a3bec6f2909cc00b03a8893372a393074a31429ed6ab98faa1bbd 8165780 perl-doc_5.14.2-8_all.deb
 542d103a7e7cc4a85157ae0a7cbcaf1cff7f7aeff44349f7d644809437720ac6 3438286 perl-modules_5.14.2-8_all.deb
 9e79aeb1078f5a50d997fd0a144c1d7239053b4a35af71e2069563d705cb49cf 1484376 perl-base_5.14.2-8_i386.deb
 ebcaf6d276ec3dbde9ef6ad3fd763ae25025ce9900a1cebfcc311df10d6b8a54 7809886 perl-debug_5.14.2-8_i386.deb
 4077597e816a7f01dddce2bc4a3b301d684c97f211602d0308ae00676ef18b7c 725556 libperl5.14_5.14.2-8_i386.deb
 52e85d55786ed088fef6cc0dc35bf0d20618bdba0e927cd0b8ea952c5babaacd 2693490 libperl-dev_5.14.2-8_i386.deb
 b842d078fd26dd8a1a99aa745758ae3476a0106db34ec7a61ccf110f2ad6c4a2 3698090 perl_5.14.2-8_i386.deb
Files: 
 d71ee36b978e0474d9a206cff5139e7e 1717 perl standard perl_5.14.2-8.dsc
 f825895046a73de75c81178f98e51e5e 133441 perl standard perl_5.14.2-8.debian.tar.gz
 113954f43fce9a7f3d2489dbfc911618 73308 perl optional libcgi-fast-perl_5.14.2-8_all.deb
 99c21892e3b093959c3c7670e9ae9018 8165780 doc optional perl-doc_5.14.2-8_all.deb
 3af3c085fc7fdca0b020d1717afe03ff 3438286 perl standard perl-modules_5.14.2-8_all.deb
 065299bd41628af018a24d516802a4ae 1484376 perl required perl-base_5.14.2-8_i386.deb
 212b53e247904e753c5be9c4574aa044 7809886 debug extra perl-debug_5.14.2-8_i386.deb
 83c339c28db8281335df1c0ec1c0c9e0 725556 libs optional libperl5.14_5.14.2-8_i386.deb
 213c4a141fa09ee3438d2038521762b3 2693490 libdevel optional libperl-dev_5.14.2-8_i386.deb
 9c4e5d32a6b08a6cfa59a54f8b8e742e 3698090 perl standard perl_5.14.2-8_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPME88YzuFKFF44qURApxgAKDQyPnzbNSArBWyn05a2akoi5AB7gCgwZIX
LBTJIG2YeJGDU1hyfXrgrwQ=
=KGCA
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Mon, 06 Feb 2012 22:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 06 Feb 2012 22:30:05 GMT) Full text and rfc822 format available.

Message #52 received at 657853@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 657853@bugs.debian.org
Subject: Re: Bug#657853: Please enable hardened build flags
Date: Mon, 6 Feb 2012 22:27:40 +0000
On Mon, Feb 06, 2012 at 10:11:41PM +0200, Niko Tyni wrote:
> On Mon, Feb 06, 2012 at 07:11:23PM +0000, Dominic Hargreaves wrote:
> 
> > I'm preparing a fix for #656869 which I wouldn't mind getting a bit
> > of exposure in experimental, at least for the test suite on different
> > archs. Shall we aim to do such a build quite soon? Are you happy for
> > your other changes in -8 to be delayed a bit via experimental, keeping
> > a linear history?
> 
> Sure, no problem there. I'm still looking a bit into the -fPIE part, but
> that doesn't have to make it in at the same time. None of my changes so
> far are really urgent, so they'd have to wait for -7 testing transition
> first anyway before they can go into sid.
> 
> I just pushed the dpkg-buildflags changes, so feel free to go ahead and
> upload to experimental when you're ready.

Okay, done. Of course this means I will have to dust off my test
rebuild infrastructure...

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Tue, 07 Feb 2012 02:57:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 07 Feb 2012 02:57:05 GMT) Full text and rfc822 format available.

Message #57 received at 657853@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 657853@bugs.debian.org, Niko Tyni <ntyni@debian.org>
Subject: Re: Bug#657853: Please enable hardened build flags
Date: Mon, 06 Feb 2012 18:55:17 -0800
Moritz Mühlenhoff <jmm@inutil.org> writes:

> Right now -pie is not in the default set of hardening flags for
> Wheezy. It will likely be enabled after Wheezy at least for amd64 and
> other archs with sufficient registers, so setting hardening=-pie can't
> hurt.

It won't hurt, but I'm skeptical we'll be able to make PIE the default.
Not only does it break all add-on modules that don't use libtool but pass
linker flags directly to the build (affecting not only Perl but also
Python, PHP, etc.; I tested with remctl just to see what would happen, and
it pretty much broke all the interpreter build systems), but I've had it
just break otherwise normal code.  gnubg, for example, will immediately
die with "Killed" if built with PIE.  (I didn't investigate further, since
gnubg is not the sort of program that has much security exposure.)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Tue, 07 Feb 2012 20:51:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 07 Feb 2012 20:51:08 GMT) Full text and rfc822 format available.

Message #62 received at 657853@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: perl5-porters@perl.org
Cc: 657853@bugs.debian.org
Subject: Building perl with hardened build flags
Date: Tue, 7 Feb 2012 20:48:12 +0000
Hello,

As discussed in <http://bugs.debian.org/657853/> we are adding various
hardening build flags to the perl build in Debian, as part of a Debian
release goal[1].

The version currently in Debian experimental has the following additional
flags defined:

ccflags: add -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security

(note: -fstack-protector is added by perl's config already, but is also
in the standard set of flags defined by the Debian dpkg-buildflags
utility; -g -O2 is also not new, at least for the non-debugging build).

ldflags: -Wl,-z,relro

Notes on what the flags do are available at [2].

These flags will also be enabled on XS modules built on Debian once this
goes into unstable. I've just kicked off a test rebuild of all CPAN 
modules in Debian with the perl from experimental, to try and catch any
severe breakage introduced by this.

My question: does anyone know of any problems with using these flags with
perl?

Thanks,
Dominic.
 
[1] <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>
[2] <http://wiki.debian.org/Hardening>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Tue, 07 Feb 2012 22:15:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 07 Feb 2012 22:15:07 GMT) Full text and rfc822 format available.

Message #67 received at 657853@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 657853@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Tue, 7 Feb 2012 22:13:58 +0000
On Tue, Feb 07, 2012 at 08:48:12PM +0000, Dominic Hargreaves wrote:
> I've just kicked off a test rebuild of all CPAN 
> modules in Debian with the perl from experimental, to try and catch any
> severe breakage introduced by this.

Early indications from my rebuilds indicate that we will have some
new FTBFS bugs with

-Wformat-security -Werror=format-security

So far (for all lib*-perl, alphabetically, up to libc):

libapache2-mod-perl2:

cc -c  -I/build/dom-libapache2-mod-perl2_2.0.5-5-i386-x1v_OO/libapache2-mod-perl2-2.0.5/src/modules/perl -I/build/dom-libapache2-mod-perl2_2.0.5-5-i386-x1v_OO/libapache2-mod-perl2-2.0.5/xs -I/usr/include/apache2 -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -I/usr/include -I/usr/include/apache2 -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DMOD_PERL -DMP_USE_GTOP -DMP_COMPAT_1X -Wall      -DVERSION=\"0.009000\" -DXS_VERSION=\"0.009000\" -fPIC "-I/usr/lib/perl/5.14/CORE"  -DMP_HAVE_APR_LIBS Pool.c
In file included from Pool.xs:26:0:
/build/dom-libapache2-mod-perl2_2.0.5-5-i386-x1v_OO/libapache2-mod-perl2-2.0.5/xs/APR/Pool/APR__Pool.h: In function 'mpxs_cleanup_run':
/build/dom-libapache2-mod-perl2_2.0.5-5-i386-x1v_OO/libapache2-mod-perl2-2.0.5/xs/APR/Pool/APR__Pool.h:315:9: error: format not a string literal and no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors

libberkeleydb-perl:

cc -c  -I/usr/local/BerkeleyDB/include -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64    -DVERSION=\"0.49\" -DXS_VERSION=\"0.49\" -fPIC "-I/usr/lib/perl/5.14/CORE"   BerkeleyDB.c
BerkeleyDB.xs: In function 'softCrash':
BerkeleyDB.xs:948:5: error: format not a string literal and no format arguments [-Werror=format-security]
BerkeleyDB.xs: In function 'XS_BerkeleyDB__Env__db_appinit':
BerkeleyDB.xs:2697:7: warning: too many arguments for format [-Wformat-extra-args]
BerkeleyDB.xs:2709:11: warning: too many arguments for format [-Wformat-extra-args]
BerkeleyDB.c: In function 'XS_BerkeleyDB__Env_DB_ENV':
BerkeleyDB.c:3194:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
BerkeleyDB.xs: In function 'XS_BerkeleyDB__Unknown__db_open_unknown':
BerkeleyDB.xs:3630:10: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
cc1: some warnings being treated as errors

Moritz, could you comment on your preferred way of dealing with
communicating/fixing this problem for packages which inherit build
flags from perl? I'll post a complete list of affected packages to
debian-perl once the rebuilds are complete.

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
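The two build failures quoted above (BerkeleyDB.xs:948 in softCrash and APR__Pool.h:315 in mpxs_cleanup_run) are the same defect class: a caller-supplied string is passed as the format argument of a printf-style function, which is what -Werror=format-security rejects. The following is an added example, not code from BerkeleyDB, mod_perl or the Debian perl package; the function names and the sample message are constructed for the illustration. It places the flagged form next to the corrected one and shows, on a message that merely contains "%%", why the compiler treats the former as an error rather than a style nit.

```c
/* Added example (not from BerkeleyDB.xs, mod_perl or the Debian perl
 * package): the pattern that -Werror=format-security rejects, next to the
 * form that compiles cleanly. Function names and the sample message are
 * constructed for this illustration. */
#include <stdio.h>
#include <string.h>

/* The shape of the flagged code: a caller-supplied string used as the format.
 * Rendering into a buffer rather than printing keeps the example testable;
 * the diagnostic is identical for printf, sprintf or Perl's croak. The pragma
 * exists only so that this deliberately wrong form still compiles on
 * toolchains that default to -Werror=format-security; real code gets fixed,
 * not muted. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int render_unsafe(char *out, size_t n, const char *msg)
{
    /* error: format not a string literal and no format arguments */
    return snprintf(out, n, msg);
}
#pragma GCC diagnostic pop

/* The fix: the format is a literal and the message is an ordinary argument,
 * so any '%' in msg is data, not a directive. In XS code this is the usual
 * one-line change from croak(msg) to croak("%s", msg). */
static int render_safe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Shows the difference on a message that happens to contain "%%": the unsafe
 * form consumes it and the message comes out altered; the safe form
 * reproduces the input byte for byte. A message carrying "%s" or "%n" would
 * make the unsafe form read or write through arguments that do not exist,
 * which is the security reason behind the flag. Returns 1 when the unsafe
 * output was altered and the safe output matches the input, else 0. */
int format_security_demo(void)
{
    const char *msg = "progress: 100%% done";  /* constructed sample input */
    char unsafe_out[64];
    char safe_out[64];

    render_unsafe(unsafe_out, sizeof unsafe_out, msg);
    render_safe(safe_out, sizeof safe_out, msg);

    return strcmp(safe_out, msg) == 0
        && strcmp(unsafe_out, "progress: 100% done") == 0;
}

int main(void)
{
    int ok = format_security_demo();
    printf("format_security_demo: %s\n", ok ? "ok" : "FAIL");
    return ok ? 0 : 1;
}
```

Compiling the block with `-Wformat -Werror=format-security` and the pragma removed reproduces the exact error text seen in the rebuild logs, which is the quickest way for an XS module maintainer to find every affected call site before the flags reach unstable; the pragma is there only so the comparison runs as one program, and a package should fix the call rather than disable the warning.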




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Wed, 08 Feb 2012 07:48:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Wed, 08 Feb 2012 07:48:07 GMT) Full text and rfc822 format available.

Message #72 received at 657853@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 657853@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Wed, 8 Feb 2012 09:46:22 +0200
On Tue, Feb 07, 2012 at 10:13:58PM +0000, Dominic Hargreaves wrote:
> On Tue, Feb 07, 2012 at 08:48:12PM +0000, Dominic Hargreaves wrote:
> > I've just kicked off a test rebuild of all CPAN 
> > modules in Debian with the perl from experimental, to try and catch any
> > severe breakage introduced by this.
> 
> Early indications from my rebuilds indicate that we will have some
> new FTBFS bugs with
> 
> -Wformat-security -Werror=format-security

I suspect we need to patch ExtUtils::CBuilder to invoke dpkg-buildflags
at XS module build time rather than blindly use $Config{ccflags} from
perl. That way XS module packages can disable some hardening flags if
necessary.

No idea how to do that yet :)
-- 
Niko




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Wed, 08 Feb 2012 18:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 08 Feb 2012 18:03:03 GMT) Full text and rfc822 format available.

Message #77 received at 657853@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Dominic Hargreaves <dom@earth.li>
Cc: 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Wed, 8 Feb 2012 18:58:53 +0100
On Tue, Feb 07, 2012 at 10:13:58PM +0000, Dominic Hargreaves wrote:
> 
> Moritz, could you comment on your preferred way of dealing with
> communicating/fixing this problem for packages which inherit build
> flags from perl? I'll post a complete list of affected packages to
> debian-perl once the rebuilds are complete.

I've been working on a "hardening/dpkg-buildflags walkthrough"
document, which is 80% ready. I'll add it to wiki.debian.org
once ready and send a mail to d-d-a pointing to it.

I'll add the necessary steps for Perl modules there.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Thu, 09 Feb 2012 20:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Thu, 09 Feb 2012 20:48:03 GMT) Full text and rfc822 format available.

Message #82 received at 657853@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 657853@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Thu, 9 Feb 2012 20:44:25 +0000
On Wed, Feb 08, 2012 at 09:46:22AM +0200, Niko Tyni wrote:
> On Tue, Feb 07, 2012 at 10:13:58PM +0000, Dominic Hargreaves wrote:
> > On Tue, Feb 07, 2012 at 08:48:12PM +0000, Dominic Hargreaves wrote:
> > > I've just kicked off a test rebuild of all CPAN 
> > > modules in Debian with the perl from experimental, to try and catch any
> > > severe breakage introduced by this.
> > 
> > Early indications from my rebuilds indicate that we will have some
> > new FTBFS bugs with
> > 
> > -Wformat-security -Werror=format-security
> 
> I suspect we need to patch ExtUtils::CBuilder to invoke dpkg-buildflags
> at XS module build time rather than blindly use $Config{ccflags} from
> perl. That way XS module packages can disable some hardening flags if
> necessary.

Hrm, I guess. Or add a more generic function to allow the stripping out
of build flags (NOCCFLAGS?)? Presumably we'd need to fix
ExtUtils::MakeMaker too.

It would be nice to fix all the packages first, but it's probably not
a sensible approach.

The summary of my test run is:

- 13 packages newly FTBFS with the perl from experimental installed
- of those, 12 are -Werror=format-security issues
- 1 (libsystem-command-perl) is a test failure I haven't diagnosed,
  which is also found at [1] and [2] (at least) where hardening flags
  aren't to be found.

The test build logs are up at
<http://people.debian.org/~dom/perl/test/hardening-logs/>

[1] <http://www.cpantesters.org/cpan/report/8df074dc-5142-11e1-a48f-e7fb434ae6f1>
[2] <http://www.cpantesters.org/cpan/report/29dae392-4058-11e1-9d6f-f6dbfa7543f5>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Thu, 09 Feb 2012 22:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Thu, 09 Feb 2012 22:15:03 GMT) Full text and rfc822 format available.

Message #87 received at 657853@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Moritz Mühlenhoff <jmm@inutil.org>, 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Thu, 9 Feb 2012 22:12:03 +0000
On Wed, Feb 08, 2012 at 06:58:53PM +0100, Moritz Mühlenhoff wrote:
> On Tue, Feb 07, 2012 at 10:13:58PM +0000, Dominic Hargreaves wrote:
> > 
> > Moritz, could you comment on your preferred way of dealing with
> > communicating/fixing this problem for packages which inherit build
> > flags from perl? I'll post a complete list of affected packages to
> > debian-perl once the rebuilds are complete.
> 
> I've been working on a "hardening/dpkg-buildflags walkthrough"
> document, which is 80% ready. I'll add it to wiki.debian.org
> once ready and send a mail to d-d-a pointing to it.
> 
> I'll add the necessary steps for Perl modules there.

Okay - I'd be happy to check the perl bits over before it goes out.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Fri, 10 Feb 2012 21:30:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Fri, 10 Feb 2012 21:30:35 GMT) Full text and rfc822 format available.

Message #92 received at 657853@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 657853@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Fri, 10 Feb 2012 23:29:09 +0200
On Thu, Feb 09, 2012 at 08:44:25PM +0000, Dominic Hargreaves wrote:
> On Wed, Feb 08, 2012 at 09:46:22AM +0200, Niko Tyni wrote:

> > I suspect we need to patch ExtUtils::CBuilder to invoke dpkg-buildflags
> > at XS module build time rather than blindly use $Config{ccflags} from
> > perl. That way XS module packages can disable some hardening flags if
> > necessary.
> 
> Hrm, I guess. Or add a more generic function to allow the stripping out
> of build flags (NOCCFLAGS?)?

I see I was rather confused there. Sorry.

Going back to square one, I see three options for pushing
the hardening flags to the XS module packages:

A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
   ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
   invocations (it currently passes only CFLAGS, starting with compat
   level 9)

B. make ExtUtils::MakeMaker and ExtUtils::CBuilder honour all of
   CFLAGS, CPPFLAGS, and LDFLAGS from the environment (debhelper
   sets these with compat level 9)

C. force the flags that Perl was compiled with to the XS modules via
   $Config{ccflags} and friends

Option A has the downside that it probably requires a debhelper
compat bump, so I doubt it can happen for wheezy. It's IMO the
cleanest one as it uses existing interfaces and doesn't require
any patching (except for subdirectory Makefile.PL files; see below.)

Option B requires patching EU::MM, which always makes me nervous.
Note that AFAICS ExtUtils::CBuilder (which is used by Build.PL based
build systems) already honours CFLAGS and LDFLAGS.

Option C is what was implemented in perl 5.14.2-8/experimental.  Its
upside is that it doesn't require any changes to existing (non-buggy) XS
module packages. The downsides are that it has a flag day for the dozen
or so buggy packages, it's opt-out for all XS modules (both packaged
and non-packaged), and there's currently not even a way to opt out
(implementing your NOCCFLAGS suggestion would fix this.) This makes me
think it's the worst of the options above.

Options A and B both require compat level changes to all the XS
module packages. On the positive side, that also brings in the support
for DEB_BUILD_OPTIONS=noopt.

Options A and B also require some fiddling inside the perl package to
prevent the hardening flags from going into $Config{ccflags} and friends
even if we build perl itself with them. I don't expect this to be
a big problem.

> Presumably we'd need to fix ExtUtils::MakeMaker too.

Heh, indeed. For some reason I thought it uses EU::CBuilder too,
but obviously not.


I haven't really investigated yet what it would take to implement
option B.

For option A, I see we could get EU::MakeMaker to act in the desired
way by running

 perl Makefile.PL OPTIMIZE="$(dpkg-buildflags --get CFLAGS) $(dpkg-buildflags --get CPPFLAGS)" \
                  LD="$(perl -V::ld:) $(dpkg-buildflags --get LDFLAGS)"

OTHERLDFLAGS would be even cleaner, but for some reason it can't be
specified on the command line (only in Makefile.PL or on the actual
'make' invocation.)

A complication: testing with libimager-perl, I see that any command line
Makefile.PL parameters are *not* passed to any subdirectory Makefile.PL
invocations. This seems to be a known bug, and an old one at that.
See [rt.cpan.org #28632] and [rt.cpan.org #67407]. I guess we could fix
this if necessary. Fortunately, subdirectory Makefile.PL files are an
exception rather than the norm (I think.)

For Module::Build, the invocation could be
 perl Build.PL --config optimize="$(dpkg-buildflags --get CFLAGS) $(dpkg-buildflags --get CPPFLAGS)" \
               --config ld="$(perl -V::ld:) $(dpkg-buildflags --get LDFLAGS)"

> The summary of my test run is:
> 
> - 13 packages newly FTBFS with the perl from experimental installed
> - of those, 12 are -Werror=format-security issues

> It would be nice to fix all the packages first, but it's probably not
> a sensible approach.

Those numbers are lower than I expected, and the format-security fixes
are generally trivial: change croak(var) to croak("%s", var) AIUI. So
it might be sensible anyway. Somebody (TM) should file bugs about those
in any case.

Somewhat surprisingly, I don't see the compile error with
libparams-validate-perl on amd64 although I do on i386. I wonder why;
there's no difference in the preprocessor output. 

> The test build logs are up at
> <http://people.debian.org/~dom/perl/test/hardening-logs/>

Thanks for your work once again!
-- 
Niko
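
The croak(var) to croak("%s", var) fix mentioned above, as an added example in C that is not code from the bug report or from perl: report_error() is a stand-in for croak(), contains_format_directive() is a hypothetical defender-side helper that flags strings which a printf-style function would misread as a format, and the sample inputs are constructed.

```c
/*
 * Added example, not code from the bug report or from perl. It shows the
 * class of defect that -Werror=format-security catches in XS modules
 * (a data string passed where a format string belongs) and the fix the
 * thread describes: always pass the data as an argument to a literal "%s".
 */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256

static char last_error[MSG_MAX];

/* Stand-in for Perl's croak(): a printf-style error reporter. The format
 * attribute lets gcc check every call, as perl's own headers do for
 * croak(); a call of the shape report_error(var) with no further arguments
 * is exactly what -Wformat-security reports and -Werror turns into an
 * error. It returns the rendered message so callers (and tests) can see
 * what would have been reported. */
__attribute__((format(printf, 1, 2)))
static const char *report_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
    return last_error;
}

/* The fixed idiom: the message is data, so it travels as an argument to
 * the literal "%s" format and any '%' it contains is printed verbatim
 * instead of being interpreted as a conversion directive. */
static const char *fail_with_message(const char *msg)
{
    return report_error("%s", msg);
}

/* Hypothetical helper: would this string be misinterpreted if it reached a
 * printf-style function as the format itself? True when it contains a
 * conversion directive, i.e. a '%' that is not escaped as "%%". */
static bool contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return true;         /* "%s", "% o", a trailing '%', ... */
    }
    return false;
}

int main(void)
{
    /* Constructed sample inputs, of the kind a DB driver or protocol
     * parser might receive from a file or a remote peer and then report. */
    const char *samples[] = { "50% off", "100%% done", "plain text", "user %s" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        const char *msg = fail_with_message(samples[i]);
        printf("%-12s -> \"%s\"  (as a raw format: %s)\n", samples[i], msg,
               contains_format_directive(samples[i]) ? "unsafe" : "harmless");
    }
    return 0;
}
```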




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Sat, 11 Feb 2012 13:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sat, 11 Feb 2012 13:54:03 GMT) Full text and rfc822 format available.

Message #97 received at 657853@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 657853@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, debian-perl@lists.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Sat, 11 Feb 2012 13:51:19 +0000
[Adding debian-perl, since the decisions we take might have a wide
impact].

On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote:
> On Thu, Feb 09, 2012 at 08:44:25PM +0000, Dominic Hargreaves wrote:

> Going back to square one, I see three options for pushing
> the hardening flags to the XS module packages:
> 
> A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
>    ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
>    invocations (it currently passes only CFLAGS, starting with compat
>    level 9)
> 
> B. make ExtUtils::MakeMaker and ExtUtils::CBuilder honour all of
>    CFLAGS, CPPFLAGS, and LDFLAGS from the environment (debhelper
>    sets these with compat level 9)

You haven't made it explicit, but I assume that the opt-out strategy
here is to unset those environment flags in debian/rules (there is
no specific way to opt-out with debhelper incantations that I can see).

> C. force the flags that Perl was compiled with to the XS modules via
>    $Config{ccflags} and friends
> 
> Option A has the downside that it probably requires a debhelper
> compat bump, so I doubt it can happen for wheezy. It's IMO the
> cleanest one as it uses existing interfaces and doesn't require
> any patching (except for subdirectory Makefile.PL files; see below.)
> 
> Option B requires patching EU::MM, which always makes me nervous.
> Note that AFAICS ExtUtils::CBuilder (which is used by Build.PL based
> build systems) already honours CFLAGS and LDFLAGS.
> 
> Option C is what was implemented in perl 5.14.2-8/experimental.  Its
> upside is that it doesn't require any changes to existing (non-buggy) XS
> module packages. The downsides are that it has a flag day for the dozen
> or so buggy packages, it's opt-out for all XS modules (both packaged
> and non-packaged), and there's currently not even a way to opt out
> (implementing your NOCCFLAGS suggestion would fix this.) This makes me
> think it's the worst of the options above.

Yes, I hadn't considered impact on non-packaged XS modules; it's probably
less acceptable for them to have to opt-out. A shame, since it's the
best way of ensuring that the buggy packages do get fixed, and in many
ways my preferred option.

> Options A and B both require compat level changes to all the XS
> module packages. On the positive side, that also brings in the support
> for DEB_BUILD_OPTIONS=noopt.

The compat changes are only required to get the benefit of hardening
flags in those modules, which isn't strictly speaking necessary within
the wheezy timeframe, AIUI. (In other words, we can satisfy the request
to build perl itself with hardening flags without touching any other
packages, if we implement A or B.)

> Options A and B also require some fiddling inside the perl package to
> prevent the hardening flags from going into $Config{ccflags} and friends
> even if we build perl itself with them. I don't expect this to be
> a big problem.

Although it may well be straying in a direction that upstream doesn't
like.

> > Presumably we'd need to fix ExtUtils::MakeMaker too.
> 
> Heh, indeed. For some reason I thought it uses EU::CBuilder too,
> but obviously not.
> 
> 
> I haven't really investigated yet what it would take to implement
> option B.
> 
> For option A, I see we could get EU::MakeMaker to act in the desired
> way by running
> 
>  perl Makefile.PL OPTIMIZE="$(dpkg-buildflags --get CFLAGS) $(dpkg-buildflags --get CPPFLAGS)" \
>                   LD="$(perl -V::ld:) $(dpkg-buildflags --get LDFLAGS)"
> 
> OTHERLDFLAGS would be even cleaner, but for some reason it can't be
> specified on the command line (only in Makefile.PL or on the actual
> 'make' invocation.)
> 
> A complication: testing with libimager-perl, I see that any command line
> Makefile.PL parameters are *not* passed to any subdirectory Makefile.PL
> invocations. This seems to be a known bug, and an old one at that.
> See [rt.cpan.org #28632] and [rt.cpan.org #67407]. I guess we could fix
> this if necessary. Fortunately, subdirectory Makefile.PL files are an
> exception rather than the norm (I think.)

Right.

> For Module::Build, the invocation could be
>  perl Build.PL --config optimize="$(dpkg-buildflags --get CFLAGS) $(dpkg-buildflags --get CPPFLAGS)" \
>                --config ld="$(perl -V::ld:) $(dpkg-buildflags --get LDFLAGS)"
> 
> > The summary of my test run is:
> > 
> > - 13 packages newly FTBFS with the perl from experimental installed
> > - of those, 12 are -Werror=format-security issues
> 
> > It would be nice to fix all the packages first, but it's probably not
> > a sensible approach.
> 
> Those numbers are lower than I expected, and the format-security fixes
> are generally trivial: change croak(var) to croak("%s", var) AIUI. So
> it might be sensible anyway. Somebody (TM) should file bugs about those
> in any case.

Agreed. Moritz, do you have any views on how/if to report those, and
at which severity?

> Somewhat surprisingly, I don't see the compile error with
> libparams-validate-perl on amd64 although I do on i386. I wonder why;
> there's no difference in the preprocessor output. 
> 
> > The test build logs are up at
> > <http://people.debian.org/~dom/perl/test/hardening-logs/>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Sun, 12 Feb 2012 12:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Sun, 12 Feb 2012 12:57:03 GMT) Full text and rfc822 format available.

Message #102 received at 657853@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: debian-perl@lists.debian.org
Cc: 657853@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Sun, 12 Feb 2012 14:54:59 +0200
[Thanks for taking this to the list; should've done that myself.
 Just a couple of quick comments for now.]

On Sat, Feb 11, 2012 at 01:51:19PM +0000, Dominic Hargreaves wrote:
> On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote:
> > On Thu, Feb 09, 2012 at 08:44:25PM +0000, Dominic Hargreaves wrote:

> > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
> >    ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
> >    invocations (it currently passes only CFLAGS, starting with compat
> >    level 9)
> > 
> > B. make ExtUtils::MakeMaker and ExtUtils::CBuilder honour all of
> >    CFLAGS, CPPFLAGS, and LDFLAGS from the environment (debhelper
> >    sets these with compat level 9)
> 
> You haven't made it explicit, but I assume that the opt-out strategy
> here is to unset those environment flags in debian/rules (there is
> no specific way to opt-out with debhelper incantations that I can see).

debhelper v9 sets CFLAGS and the rest based on dpkg-buildflags, so
DEB_BUILD_MAINT_OPTIONS would be the way to opt out of specific hardening
flags when necessary.

> > C. force the flags that Perl was compiled with to the XS modules via
> >    $Config{ccflags} and friends

> Yes, I hadn't considered impact on non-packaged XS modules; it's probably
> less acceptable for them to have to opt-out. A shame, since it's the
> best way of ensuring that the buggy packages do get fixed, and in many
> ways my preferred option.

Yes, it certainly has upsides. I'm not totally ruling it out, but
it doesn't feel "right" to me.

> > Options A and B both require compat level changes to all the XS
> > module packages. On the positive side, that also brings in the support
> > for DEB_BUILD_OPTIONS=noopt.
> 
> The compat changes are only required to get the benefit of hardening
> flags in those modules, which isn't strictly speaking necessary within
> the wheezy timeframe, AIUI. (In other words, we can satisfy the request
> to build perl itself with hardening flags without touching any other
> packages, if we implement A or B.)

That's a good point about the timeframe. So there's no real hurry with
the proposed debhelper changes in option A, they can be done after wheezy.

> > Options A and B also require some fiddling inside the perl package to
> > prevent the hardening flags from going into $Config{ccflags} and friends
> > even if we build perl itself with them. I don't expect this to be
> > a big problem.
> 
> Although it may well be straying in a direction that upstream doesn't
> like.

I was thinking of running sed on Config_heavy.pl after the build to take
the dpkg-buildflags induced options out. I think that's in our domain.
If there's a cleaner way to apply those flags to the Perl build without
imposing them on XS modules, I'd certainly be happy to adopt that.
-- 
Niko Tyni   ntyni@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Sun, 12 Feb 2012 18:54:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 12 Feb 2012 18:54:07 GMT) Full text and rfc822 format available.

Message #107 received at 657853@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: debian-perl@lists.debian.org, 657853@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Sun, 12 Feb 2012 18:52:18 +0000
On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote:
> [Thanks for taking this to the list; should've done that myself.
>  Just a couple of quick comments for now.]
> 
> On Sat, Feb 11, 2012 at 01:51:19PM +0000, Dominic Hargreaves wrote:
> > On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote:
> > > On Thu, Feb 09, 2012 at 08:44:25PM +0000, Dominic Hargreaves wrote:
> 
> > > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
> > >    ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
> > >    invocations (it currently passes only CFLAGS, starting with compat
> > >    level 9)
> > > 
> > > B. make ExtUtils::MakeMaker and ExtUtils::CBuilder honour all of
> > >    CFLAGS, CPPFLAGS, and LDFLAGS from the environment (debhelper
> > >    sets these with compat level 9)
> > 
> > You haven't made it explicit, but I assume that the opt-out strategy
> > here is to unset those environment flags in debian/rules (there is
> > no specific way to opt-out with debhelper incantations that I can see).
> 
> debhelper v9 sets CFLAGS and the rest based on dpkg-buildflags, so
> DEB_BUILD_MAINT_OPTIONS would be the way to opt out of specific hardening
> flags when necessary.
> 
> > > C. force the flags that Perl was compiled with to the XS modules via
> > >    $Config{ccflags} and friends
> 
> > Yes, I hadn't considered impact on non-packaged XS modules; it's probably
> > less acceptable for them to have to opt-out. A shame, since it's the
> > best way of ensuring that the buggy packages do get fixed, and in many
> > ways my preferred option.
> 
> Yes, it certainly has upsides. I'm not totally ruling it out, but
> it doesn't feel "right" to me.
> 
> > > Options A and B both require compat level changes to all the XS
> > > module packages. On the positive side, that also brings in the support
> > > for DEB_BUILD_OPTIONS=noopt.
> > 
> > The compat changes are only required to get the benefit of hardening
> > flags in those modules, which isn't strictly speaking necessary within
> > the wheezy timeframe, AIUI. (In other words, we can satisfy the request
> > to build perl itself with hardening flags without touching any other
> > packages, if we implement A or B.)
> 
> That's a good point about the timeframe. So there's no real hurry with
> the proposed debhelper changes in option A, they can be done after wheezy.

Except perhaps for the modules which are specifically included in
the wheezy criteria:

<http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>

I don't know how many of those there are.

I realised that this thread is pretty relevant - I'm afraid I forgot
about some of the detail in there:

<http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/2012-January/050055.html>
<http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/2012-January/050100.html>

> > > Options A and B also require some fiddling inside the perl package to
> > > prevent the hardening flags from going into $Config{ccflags} and friends
> > > even if we build perl itself with them. I don't expect this to be
> > > a big problem.
> > 
> > Although it may well be straying in a direction that upstream doesn't
> > like.
> 
> I was thinking of running sed on Config_heavy.pl after the build to take
> the dpkg-buildflags induced options out. I think that's in our domain.
> If there's a cleaner way to apply those flags to the Perl build without
> imposing them on XS modules, I'd certainly be happy to adopt that.

This sounds like a reasonable way.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Sun, 12 Feb 2012 20:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 12 Feb 2012 20:27:05 GMT) Full text and rfc822 format available.

Message #112 received at 657853@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: joeyh@debian.org, debian-perl@lists.debian.org, 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Sun, 12 Feb 2012 21:24:40 +0100
[Adding Joey Hess to CC]

On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote:
> [Thanks for taking this to the list; should've done that myself.
>  Just a couple of quick comments for now.]
> 
> On Sat, Feb 11, 2012 at 01:51:19PM +0000, Dominic Hargreaves wrote:
> > On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote:
> > > On Thu, Feb 09, 2012 at 08:44:25PM +0000, Dominic Hargreaves wrote:
> 
> > > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
> > >    ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
> > >    invocations (it currently passes only CFLAGS, starting with compat
> > >    level 9)

I would prefer this strategy.

Joey, are you comfortable with changing this for debhelper compat 9,
although it has been finalised already?

> > > B. make ExtUtils::MakeMaker and ExtUtils::CBuilder honour all of
> > >    CFLAGS, CPPFLAGS, and LDFLAGS from the environment (debhelper
> > >    sets these with compat level 9)
> > 
> > You haven't made it explicit, but I assume that the opt-out strategy
> > here is to unset those environment flags in debian/rules (there is
> > no specific way to opt-out with debhelper incantations that I can see).
> 
> debhelper v9 sets CFLAGS and the rest based on dpkg-buildflags, so
> DEB_BUILD_MAINT_OPTIONS would be the way to opt out of specific hardening
> flags when necessary.

Agreed. DEB_BUILD_MAINT_OPTIONS="hardening=-format" would be an exemplary
way to disable format string checks.

> > > Options A and B both require compat level changes to all the XS
> > > module packages. On the positive side, that also brings in the support
> > > for DEB_BUILD_OPTIONS=noopt.
> > 
> > The compat changes are only required to get the benefit of hardening
> > flags in those modules, which isn't strictly speaking necessary within
> > the wheezy timeframe, AIUI. (In other words, we can satisfy the request
> > to build perl itself with hardening flags without touching any other
> > packages, if we implement A or B.)
> 
> That's a good point about the timeframe. So there's no real hurry with
> the proposed debhelper changes in option A, they can be done after wheezy.

Yep. The release goal for Wheezy is "fix as many as possible, but make
a concentrated effort for all packages of priority >= important and
which had a DSA since 2006". perl itself matches both conditions :-)
 
Cheers,
        Moritz






Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Sun, 12 Feb 2012 20:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 12 Feb 2012 20:30:05 GMT) Full text and rfc822 format available.

Message #117 received at 657853@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Dominic Hargreaves <dom@earth.li>
Cc: Niko Tyni <ntyni@debian.org>, 657853@bugs.debian.org, debian-perl@lists.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Sun, 12 Feb 2012 21:27:24 +0100
On Sat, Feb 11, 2012 at 01:51:19PM +0000, Dominic Hargreaves wrote:

> > > - 13 packages newly FTBFS with the perl from experimental installed
> > > - of those, 12 are -Werror=format-security issues
> > 
> > > It would be nice to fix all the packages first, but it's probably not
> > > a sensible approach.
> > 
> > Those numbers are lower than I expected, and the format-security fixes
> > are generally trivial: change croak(var) to croak("%s", var) AIUI. So
> > it might be sensible anyway. Somebody (TM) should file bugs about those
> > in any case.
> 
> Agreed. Moritz, do you have any views on how/if to report those, and
> at which severity?

If the missing format string is variable and controlled externally (e.g. 
if read from a file or from network communication), please file it 
with RC severity and the security tag. (If it's a popular Perl module, 
please contact team@security.debian.org, so that we can coordinate with
other distros.)

Otherwise it's rather "normal" severity.

Cheers,
        Moritz







Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Sun, 12 Feb 2012 20:30:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 12 Feb 2012 20:30:07 GMT) Full text and rfc822 format available.

Message #122 received at 657853@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Dominic Hargreaves <dom@earth.li>
Cc: debian-perl@lists.debian.org, 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Sun, 12 Feb 2012 21:28:48 +0100
On Sun, Feb 12, 2012 at 06:52:18PM +0000, Dominic Hargreaves wrote:
> > That's a good point about the timeframe. So there's no real hurry with
> > the proposed debhelper changes in option A, they can be done after wheezy.
> 
> Except perhaps for the modules which are specifically included in
> the wheezy criteria:
> 
> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>
> 
> I don't know how many of those there are.

These four Perl modules had a DSA since 2006 and are not pure Perl:

libhtml-parser-perl
libdbd-pg-perl
libimager-perl
libnet-dns-perl

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Sun, 12 Feb 2012 21:16:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 12 Feb 2012 21:16:21 GMT) Full text and rfc822 format available.

Message #127 received at 657853@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: debian-perl@lists.debian.org, 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Sun, 12 Feb 2012 17:12:31 -0400
Moritz Mühlenhoff wrote:
> > > > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
> > > >    ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
> > > >    invocations (it currently passes only CFLAGS, starting with compat
> > > >    level 9)
> 
> I would prefer this strategy.
> 
> Joey, are you comfortable with changing this for debhelper compat 9,
> although it has been finalised already?

Well, how many perl packages that this could affect use v9 already?

-- 
see shy jo

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Sun, 12 Feb 2012 21:57:07 GMT)

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 12 Feb 2012 21:57:07 GMT)

Message #132 received at 657853@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, debian-perl@lists.debian.org, 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Sun, 12 Feb 2012 22:55:13 +0100
On Sun, 12 Feb 2012 17:12:31 -0400, Joey Hess wrote:

> > > > > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
> > > > >    ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
> > > > >    invocations (it currently passes only CFLAGS, starting with compat
> > > > >    level 9)
> > I would prefer this strategy.
> > Joey, are you comfortable with changing this for debhelper compat 9,
> > although it has been finalised already?
> Well, how many perl packages that this could affect use v9 already?

Assuming they are all uploaded and all arch:any (and only looking at
packages in the Debian perl Group):

% grep 9 */debian/compat | wc -l
31

Cheers,
gregor
 
-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   BOFH excuse #362:  Plasma conduit breach 

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Thu, 16 Feb 2012 22:51:03 GMT)

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Thu, 16 Feb 2012 22:51:03 GMT)

Message #137 received at 657853@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: debian-perl@lists.debian.org, 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Thu, 16 Feb 2012 18:46:36 -0400
gregor herrmann wrote:
> Assuming they are all uploaded and all arch:any (and only looking at
> packages in the Debian perl Group):
> 
> % grep 9 */debian/compat | wc -l
> 31

Well, it seems easy enough to test 30 packages. It would help if someone
developed a patch before there are too many more.

-- 
see shy jo

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Fri, 17 Feb 2012 10:39:06 GMT)

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Fri, 17 Feb 2012 10:39:06 GMT)

Message #142 received at 657853@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: joeyh@debian.org, debian-perl@lists.debian.org, 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Fri, 17 Feb 2012 12:36:21 +0200
On Sun, Feb 12, 2012 at 09:24:40PM +0100, Moritz Mühlenhoff wrote:
> On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote:
> > > On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote:

> > > > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
> > > >    ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
> > > >    invocations (it currently passes only CFLAGS, starting with compat
> > > >    level 9)
> 
> I would prefer this strategy.

I think it's my preferred alternative as well.

If we have consensus on that, the way forward as I see it:

- prepare a perl upload in unstable that is built with the hardened flags
  but doesn't export them through Config.pm
- preferably fix #660195 (recursive Makefile.PL arguments) while at it
- find the optimal invocations of Makefile.PL and Build.PL
  that honour all of CFLAGS, CPPFLAGS, and LDFLAGS
- either 
  + change the handful of release goal packages to use those invocations
    instead of the debhelper v9 defaults, and make debhelper v10 use
    them by default after wheezy
  or
  + test the 30 or so affected packages and change debhelper v9
    for wheezy

For reference, the invocations I came up with earlier were

 perl Makefile.PL OPTIMIZE="$(dpkg-buildflags --get CFLAGS) $(dpkg-buildflags --get CPPFLAGS)" \
                  LD="$(perl -V::ld:) $(dpkg-buildflags --get LDFLAGS)"

 perl Build.PL --config optimize="$(dpkg-buildflags --get CFLAGS) $(dpkg-buildflags --get CPPFLAGS)" \
               --config ld="$(perl -V::ld:) $(dpkg-buildflags --get LDFLAGS)"

but I didn't dwell long on that and there might be better ways to do
this. In particular, I think EU::CBuilder already honours some of the
flags so they might end up being used twice in the Build.PL version?

I don't have much time to work on this myself, help welcome.
-- 
Niko Tyni   ntyni@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Tue, 21 Feb 2012 11:39:03 GMT)

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Tue, 21 Feb 2012 11:39:07 GMT)

Message #147 received at 657853@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Tue, 21 Feb 2012 13:38:07 +0200
On Fri, Feb 17, 2012 at 12:36:21PM +0200, Niko Tyni wrote:

(cc's trimmed for the implementation details) 

> If we have consensus on that, the way forward as I see it:

Dominic, I'm not sure if you're fine with that plan?

> - prepare a perl upload in unstable that is built with the hardened flags
>   but doesn't export them through Config.pm

Here's my first try at this. It works, but I'm not really happy with it.
My hack time is fairly limited ATM and I haven't got any further just
by glaring at it, so it's probably better to share this anyway.

Problems/thoughts:

- we're invoking dpkg-buildflags in two places (debian/rules and
  debian/config.debian), and if the invocations go out of sync we get
  a silent failure.
- not sure if we should blindly remove the dpkg-buildflags output
  from every line in Config_heavy.pm or just the ones we care about
  (i.e. ccflags, ld(dl?)flags)
- should we be defensive against a situation where dpkg-buildflags
  returns something short and generic (like " " or "-g")? If we should,
  the "blindly" part above becomes much less attractive
- I'd love to delegate the -Doptimize handling to dpkg-buildflags
  instead of doing it manually, but that way we end up stripping the
  default optimize flags from Perl modules in the same way as the
  hardening flags, which is probably not good.

Ideas/patches welcome.
-- 
Niko
[0001-Massage-Config_heavy.pm-after-the-build-to-remove-dp.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Tue, 21 Feb 2012 22:24:03 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 21 Feb 2012 22:24:03 GMT)

Message #152 received at 657853@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Tue, 21 Feb 2012 22:21:04 +0000
On Tue, Feb 21, 2012 at 01:38:07PM +0200, Niko Tyni wrote:
> On Fri, Feb 17, 2012 at 12:36:21PM +0200, Niko Tyni wrote:
> 
> (cc's trimmed for the implementation details) 
> 
> > If we have consensus on that, the way forward as I see it:
> 
> Dominic, I'm not sure if you're fine with that plan?

Yes. Sorry I've lagged behind on this conversation recently.

> > - prepare a perl upload in unstable that is built with the hardened flags
> >   but doesn't export them through Config.pm
> 
> Here's my first try at this. It works, but I'm not really happy with it.
> My hack time is fairly limited ATM and I haven't got any further just
> by glaring at it, so it's probably better to share this anyway.
> 
> Problems/thoughts:
> 
> - we're invoking dpkg-buildflags in two places (debian/rules and
>   debian/config.debian), and if the invocations go out of sync we get
>   a silent failure.

Wouldn't be too much work to abstract that if needed.

> - not sure if we should blindly remove the dpkg-buildflags output
>   from every line in Config_heavy.pm or just the ones we care about
>   (i.e. ccflags, ld(dl?)flags)

No particular ideas about this one.

> - should we be defensive against a situation where dpkg-buildflags
>   returns something short and generic (like " " or "-g")? If we should,
>   the "blindly" part above becomes much less attractive

Mmm.

> - I'd love to delegate the -Doptimize handling to dpkg-buildflags
>   instead of doing it manually, but that way we end up stripping the
>   default optimize flags from Perl modules in the same way as the
>   hardening flags, which is probably not good.
> 
> Ideas/patches welcome.

I'm in much the same situation as well; fairly limited hack time at
the moment. 

So, not that this probably helps much, but: in order to make some
progress with this, you could commit your patch as-is, and also open
a wishlist bug recording the desired cleanups above.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Tue, 21 Feb 2012 22:39:03 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 21 Feb 2012 22:39:03 GMT)

Message #157 received at 657853@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Moritz Mühlenhoff <jmm@inutil.org>, 657853@bugs.debian.org, debian-perl@lists.debian.org, joeyh@debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Tue, 21 Feb 2012 22:37:48 +0000
Trying to pull a few of the subthreads together:

On Sun, Feb 12, 2012 at 09:24:40PM +0100, Moritz Mühlenhoff wrote:
> On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote:

> > That's a good point about the timeframe. So there's no real hurry with
> > the proposed debhelper changes in option A, they can be done after wheezy.
> 
> Yep. The release goal for Wheezy is "fix as many as possible, but make
> a concentrated effort for all packages of priority >= important and 
> which had a DSA since 2006. perl itself matches both conditions :-)

On Thu, Feb 16, 2012 at 06:46:36PM -0400, Joey Hess wrote:
> gregor herrmann wrote:
> > Assuming they are all uploaded and all arch:any (and only looking at
> > packages in the Debian perl Group):
> > 
> > % grep 9 */debian/compat | wc -l
> > 31
> 
> Well, it seems easy enough to test 30 packages. It would help if someone
> developed a patch before there are too many more.

On Fri, Feb 17, 2012 at 12:36:21PM +0200, Niko Tyni wrote:
> On Sun, Feb 12, 2012 at 09:24:40PM +0100, Moritz Mühlenhoff wrote:
> > On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote:
> > > > On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote:
> 
> > > > > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
> > > > >    ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
> > > > >    invocations (it currently passes only CFLAGS, starting with compat
> > > > >    level 9)
> > 
> > I would prefer this strategy.
> 
> I think it's my preferred alternative as well.
> 
> If we have consensus on that, the way forward as I see it:
> 
> - prepare a perl upload in unstable that is built with the hardened flags
>   but doesn't export them through Config.pm

(for which you've submitted a patch separately; thanks)

> - preferably fix #660195 (recursive Makefile.PL arguments) while at it

Yeah, this does look like it needs to be fixed soon (otherwise the
release goal packages won't be completely hardened; it's also possible
that some of the dual-lived modules in perl itself are affected in this
way).

From a review of the upstream bug, it doesn't look like it should
be very hard to fix...

> - find the optimal invocations of Makefile.PL and Build.PL
>   that honour all of CFLAGS, CPPFLAGS, and LDFLAGS
> - either 
>   + change the handful of release goal packages to use those invocations
>     instead of the debhelper v9 defaults, and make debhelper v10 use
>     them by default after wheezy
>   or
>   + test the 30 or so affected packages and change debhelper v9
>     for wheezy

Given the messages I've quoted above, deferring debhelper changes until
v10 makes most sense. This means we can file bugs on the release goal
packages to use the invocations manually in the meantime, as well as
a wishlist bug on debhelper for v10 (so we don't forget).

> For reference, the invocations I came up with earlier were
> 
>  perl Makefile.PL OPTIMIZE="$(dpkg-buildflags --get CFLAGS) $(dpkg-buildflags --get CPPFLAGS)" \
>                   LD="$(perl -V::ld:) $(dpkg-buildflags --get LDFLAGS)"
> 
>  perl Build.PL --config optimize="$(dpkg-buildflags --get CFLAGS) $(dpkg-buildflags --get CPPFLAGS)" \
>                --config ld="$(perl -V::ld:) $(dpkg-buildflags --get LDFLAGS)"
> 
> but I didn't dwell long on that and there might be better ways to do
> this. In particular, I think EU::CBuilder already honours some of the
> flags so they might end up being used twice in the Build.PL version?

That should be good enough to suggest a way forward for bug reporting
for the release goal packages and/or updating [1].

> I don't have much time to work on this myself, help welcome.

Ditto. I think we have a way forward now which allows us to move
forward just far enough. Hopefully pkg-perl and other module maintainers
will be in a position to take on the task of updating release goal
modules once a recipe has been sorted out.

Dominic.

[1] <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Tue, 21 Feb 2012 22:54:03 GMT)

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 21 Feb 2012 22:54:03 GMT)

Message #162 received at 657853@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 657853@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>, debian-perl@lists.debian.org, joeyh@debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Tue, 21 Feb 2012 23:52:26 +0100
On Tue, 21 Feb 2012 22:37:48 +0000, Dominic Hargreaves wrote:

> Given the messages I've quoted above, deferring debhelper changes until
> v10 makes most sense. This means we can file bugs on the release goal
> packages to use the invocations manually in the meantime, as well as
> a wishlist bug on debhelper for v10 (so we don't forget).

[..]

> Ditto. I think we have a way forward now which allows us to move
> forward just far enough. Hopefully pkg-perl and other module maintainers
> will be in a position to take on the task of updating release goal
> modules once a recipe has been sorted out.

Sure, as soon as the dust settles, I (and probably others in the
team) will happily help.

Cheers,
gregor
 
-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Nick Cave And The Bad Seeds: Hiding All Away

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Wed, 22 Feb 2012 17:21:03 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 22 Feb 2012 17:21:03 GMT)

Message #167 received at 657853@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Dominic Hargreaves <dom@earth.li>
Cc: 657853@bugs.debian.org, debian-perl@lists.debian.org, joeyh@debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Wed, 22 Feb 2012 18:16:16 +0100
On Tue, Feb 21, 2012 at 10:37:48PM +0000, Dominic Hargreaves wrote:
> Trying to pull a few of the subthreads together:
> 
> On Sun, Feb 12, 2012 at 09:24:40PM +0100, Moritz Mühlenhoff wrote:
> > On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote:
> 
> > > That's a good point about the timeframe. So there's no real hurry with
> > > the proposed debhelper changes in option A, they can be done after wheezy.
> > 
> > Yep. The release goal for Wheezy is "fix as many as possible, but make
> > a concentrated effort for all packages of priority >= important and 
> > which had a DSA since 2006. perl itself matches both conditions :-)
> 
> On Thu, Feb 16, 2012 at 06:46:36PM -0400, Joey Hess wrote:
> > gregor herrmann wrote:
> > > Assuming they are all uploaded and all arch:any (and only looking at
> > > packages in the Debian perl Group):
> > > 
> > > % grep 9 */debian/compat | wc -l
> > > 31
> > 
> > Well, it seems easy enough to test 30 packages. It would help if someone
> > developed a patch before there are too many more.
> 
> On Fri, Feb 17, 2012 at 12:36:21PM +0200, Niko Tyni wrote:
> > On Sun, Feb 12, 2012 at 09:24:40PM +0100, Moritz Mühlenhoff wrote:
> > > On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote:
> > > > > On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote:
> > 
> > > > > > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
> > > > > >    ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
> > > > > >    invocations (it currently passes only CFLAGS, starting with compat
> > > > > >    level 9)
> > > 
> > > I would prefer this strategy.
> > 
> > I think it's my preferred alternative as well.
> > 
> > If we have consensus on that, the way forward as I see it:
> > 
> > - prepare a perl upload in unstable that is built with the hardened flags
> >   but doesn't export them through Config.pm
> 
> (for which you've submitted a patch separately; thanks)
> 
> > - preferably fix #660195 (recursive Makefile.PL arguments) while at it
> 
> Yeah, this does look like it needs to be fixed soon (otherwise the
> release goal packages won't be completely hardened; it's also possible
> that some of the dual-lived modules in perl itself are affected in this
> way).
> 
> From a review of the upstream bug, it doesn't look like it should
> be very hard to fix...
> 
> > - find the optimal invocations of Makefile.PL and Build.PL
> >   that honour all of CFLAGS, CPPFLAGS, and LDFLAGS
> > - either 
> >   + change the handful of release goal packages to use those invocations
> >     instead of the debhelper v9 defaults, and make debhelper v10 use
> >     them by default after wheezy
> >   or
> >   + test the 30 or so affected packages and change debhelper v9
> >     for wheezy
> 
> Given the messages I've quoted above, deferring debhelper changes until
> v10 makes most sense. This means we can file bugs on the release goal
> packages to use the invocations manually in the meantime, as well as
> a wishlist bug on debhelper for v10 (so we don't forget).

If it's only 30 packages we should rather push it into debhelper 9 now
if that's okay with Joey. 

I'll make sure the 30 packages get rebuilt.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Thu, 23 Feb 2012 09:51:53 GMT)

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Thu, 23 Feb 2012 09:51:58 GMT)

Message #172 received at 657853@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Thu, 23 Feb 2012 11:49:31 +0200
On Tue, Feb 21, 2012 at 10:21:04PM +0000, Dominic Hargreaves wrote:

> I'm in much the same situation as well; fairly limited hack time at
> the moment. 
> 
> So, not that this probably helps much, but: in order to make some
> progress with this, you could commit your patch as-is, and also open
> a wishlist bug recording the desired cleanups above.

Makes sense.

I've pushed a slightly refined version of the patch. I'll file such a
wishlist bug if/when this ends up in sid.
-- 
Niko




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Thu, 23 Feb 2012 22:27:07 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Thu, 23 Feb 2012 22:27:07 GMT)

Message #177 received at 657853@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Thu, 23 Feb 2012 22:24:50 +0000
On Thu, Feb 23, 2012 at 11:49:31AM +0200, Niko Tyni wrote:
> On Tue, Feb 21, 2012 at 10:21:04PM +0000, Dominic Hargreaves wrote:
> 
> > I'm in much the same situation as well; fairly limited hack time at
> > the moment. 
> > 
> > So, not that this probably helps much, but: in order to make some
> > progress with this, you could commit your patch as-is, and also open
> > a wishlist bug recording the desired cleanups above.
> 
> Makes sense.
> 
> I've pushed a slightly refined version of the patch. I'll file such a
> wishlist bug if/when this ends up in sid.

Thanks. I'm inclined to release the current package to sid this weekend.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Mon, 27 Feb 2012 21:51:11 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 27 Feb 2012 21:51:12 GMT)

Message #182 received at 657853@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Moritz Mühlenhoff <jmm@inutil.org>, 657853@bugs.debian.org
Cc: debian-perl@lists.debian.org, Niko Tyni <ntyni@debian.org>
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Mon, 27 Feb 2012 21:48:31 +0000
On Sun, Feb 12, 2012 at 09:27:24PM +0100, Moritz Mühlenhoff wrote:
> If the missing format string is variable and controlled externally (e.g. 
> if read from a file or from network communication), please file it 
> with RC severity and the security tag. (If it's a popular Perl module, 
> please contact  team@security.debian.org, so that we can coordinate with 
> other distros.)
> 
> Otherwise it's rather "normal" severity.

I didn't feel qualified to make judgements about the exploitability,
but I thought it would be worth an initial filing in any case (I made
this clear in the text of my reports). You can see them at

<http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=hardening;users=debian-qa@lists.debian.org>

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Sat, 03 Mar 2012 06:57:27 GMT)

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Sat, 03 Mar 2012 06:57:27 GMT)

Message #187 received at 657853@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Sat, 3 Mar 2012 08:47:32 +0200
On Thu, Feb 23, 2012 at 10:24:50PM +0000, Dominic Hargreaves wrote:
> On Thu, Feb 23, 2012 at 11:49:31AM +0200, Niko Tyni wrote:

> > I've pushed a slightly refined version of the patch. I'll file such a
> > wishlist bug if/when this ends up in sid.
> 
> Thanks. I'm inclined to release the current package to sid this weekend.

Reviewing the package, I noticed that -fstack-protector disappears from
ccflags with the current patch (compared against -7):

-    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
+    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN  -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
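Review bot: the `+` line carries a doubled space right after -DDEBIAN, while the -fstack-protector that followed -pipe in the `-` line is gone from that position; that pattern is consistent with the explanation given below (one copy, in the slot after -DDEBIAN where the new flags were added, survived Configure's duplicate removal and was then substituted away by the post-build massaging, the other copy after -pipe being the one Configure dropped). Whatever strips the dpkg-buildflags output from Config_heavy.pm should therefore skip any flag Debian's perl already passed before hardening (here -fstack-protector), or remove at most one occurrence per flag, and the -7 vs. hardened ccflags comparison above is a cheap regression check to keep in debian/rules.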

I assume this is because the option is given twice to Configure,
which then purges one of them as a duplicate, and we later substitute
the other away.

As this affects all XS module packages not using dpkg-buildflags, I
don't think it's acceptable for sid. I've put a note on debian/changelog
and held off uploading for the time being. Will try to come up with
something better.
-- 
Niko Tyni   ntyni@debian.org





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657853; Package perl. (Mon, 05 Mar 2012 16:36:03 GMT)

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Mon, 05 Mar 2012 16:36:03 GMT)

Message #192 received at 657853@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Mon, 5 Mar 2012 18:32:41 +0200
On Tue, Feb 21, 2012 at 01:38:07PM +0200, Niko Tyni wrote:
> Problems/thoughts:

Most of this got addressed with the implementation that landed in
5.14.2-9, so I think we're fine now. Concluding notes:

> - we're invoking dpkg-buildflags in two places (debian/rules and
>   debian/config.debian), and if the invocations go out of sync we get
>   a silent failure.

Solved adequately enough.

> - not sure if we should blindly remove the dpkg-buildflags output
>   from every line in Config_heavy.pm or just the ones we care about
>   (i.e. ccflags, ld(dl?)flags)

I think just /^(cc|cpp)flags/ and /^ld(dl)?flags/ is OK.
In particular, I think it's good to keep it in config_args
so we aren't lying about the configuration.

> - should we be defensive against a situation where dpkg-buildflags
>   returns something short and generic (like " " or "-g")? 

Solved.

> - I'd love to delegate the -Doptimize handling to dpkg-buildflags
>   instead of doing it manually, but that way we end up stripping the
>   default optimize flags from Perl modules in the same way as the
>   hardening flags, which is probably not good.

As long as we support building on systems without dpkg-buildflags,
which I think we should for now, this isn't going to happen.
-- 
Niko
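The concluding notes above, together with the -fstack-protector regression reported earlier in the thread, describe the post-build massaging of Config_heavy.pm: strip the dpkg-buildflags output from the ccflags/cppflags/ldflags/lddlflags entries only, leave config_args alone so Config.pm does not lie about the configuration, and refuse to act when dpkg-buildflags returns something short and generic like " " or "-g". The Python script below is an added example of that technique written for this page; it is not the patch attached to the thread and not the implementation that shipped in 5.14.2-9. It assumes the key='value' line layout Config_heavy.pm uses. The sample Config fragment, the sample dpkg-buildflags output and the DEBIAN_BASELINE tuple (flags Debian's perl already carried before hardening, kept so that a flag Configure de-duplicated is not stripped away as well) are constructed for the example; the baseline idea is one possible answer to the duplicate-flag problem, not the thread's fix.

```python
"""Strip distribution hardening flags out of selected Config_heavy.pm lines.

Added example for this page, not the perl package's own code. Assumes the
key='value' line layout of Config_heavy.pm; sample data is constructed.
"""
import re
import shlex

# Only these entries are rewritten. config_args is left alone on purpose so
# Config.pm still records how perl was actually configured.
TARGET_KEY = re.compile(r"^(cc|cpp)flags=|^ld(dl)?flags=")


def is_optimize_flag(flag):
    """-g and -O* belong to Debian's own -Doptimize setting, not to hardening."""
    return flag == "-g" or flag.startswith("-O")


def hardening_flags(dpkg_output, baseline=()):
    """Return the tokens dpkg-buildflags added that perl did not already carry.

    A baseline flag (e.g. -fstack-protector, which Configure de-duplicates
    when it is passed twice) must survive in ccflags, so it is never listed.
    Optimize flags are skipped so they stay in place for XS module builds.
    """
    seen, result = set(), []
    for tok in shlex.split(dpkg_output):
        if is_optimize_flag(tok) or tok in baseline or tok in seen:
            continue
        seen.add(tok)
        result.append(tok)
    return result


def strip_hardening(config_heavy, dpkg_output, baseline=()):
    """Return (new_text, removed_count).

    The input comes back untouched when dpkg-buildflags produced nothing
    worth stripping (an empty string, whitespace, or only -g/-O*), which is
    the defensive behaviour the thread asks for instead of blind removal.
    """
    to_strip = set(hardening_flags(dpkg_output, baseline))
    if not to_strip:
        return config_heavy, 0
    out, removed = [], 0
    for line in config_heavy.splitlines():
        if TARGET_KEY.match(line):
            key, _, quoted = line.partition("=")
            if len(quoted) >= 2 and quoted[0] == quoted[-1] == "'":
                toks = quoted[1:-1].split()
                kept = [t for t in toks if t not in to_strip]
                removed += len(toks) - len(kept)
                line = "%s='%s'" % (key, " ".join(kept))
        out.append(line)
    return "\n".join(out) + "\n", removed


# Constructed sample: a Config_heavy.pm fragment as it would look after
# Configure ran with the hardening flags appended to ccflags and ldflags.
SAMPLE_CONFIG_HEAVY = """\
config_args='-Dusethreads -Duseshrplib -Doptimize=-O2 -g -Dccflags=-DDEBIAN -D_FORTIFY_SOURCE=2'
ccflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -I/usr/local/include'
cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -I/usr/local/include'
ldflags=' -fstack-protector -Wl,-z,relro -L/usr/local/lib'
lddlflags='-shared -O2 -g -Wl,-z,relro -L/usr/local/lib'
optimize='-O2 -g'
"""

# Constructed: the concatenated output of `dpkg-buildflags --get CFLAGS`,
# `--get CPPFLAGS` and `--get LDFLAGS` on a 2012-era amd64 build host.
SAMPLE_DPKG_FLAGS = ("-g -O2 -fstack-protector --param=ssp-buffer-size=4 "
                     "-Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 "
                     "-Wl,-z,relro")

# Assumption for the example: Debian's perl already passed this flag
# before the hardening change, so it must not be stripped.
DEBIAN_BASELINE = ("-fstack-protector",)


def demo():
    """Run the massaging over the constructed sample."""
    return strip_hardening(SAMPLE_CONFIG_HEAVY, SAMPLE_DPKG_FLAGS, DEBIAN_BASELINE)


if __name__ == "__main__":
    text, removed = demo()
    print(text)
    print("removed %d hardening flag(s) from the cc/cpp/ld(dl)flags entries" % removed)
```

Running the script prints the massaged fragment: the four target entries lose the dpkg-buildflags additions (--param=ssp-buffer-size=4, -Wformat, -Werror=format-security, -D_FORTIFY_SOURCE=2, -Wl,-z,relro), -fstack-protector stays because it is in the baseline, -O2 -g stay because they are optimize flags, and config_args is untouched. For a real build you would read Config_heavy.pm from the staging directory, feed it the three dpkg-buildflags outputs from the same variables debian/rules used (so the two invocations cannot silently drift apart), and write the result back; passing "-g" or an empty string as the dpkg output returns the file unchanged.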




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Wed, 14 Mar 2012 23:09:09 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 14 Mar 2012 23:09:09 GMT)

Message #197 received at 657853@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Moritz Muehlenhoff <jmm@inutil.org>, 657853@bugs.debian.org
Cc: debian-perl@lists.debian.org, joeyh@debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Wed, 14 Mar 2012 23:04:16 +0000
On Wed, Feb 22, 2012 at 06:16:16PM +0100, Moritz Muehlenhoff wrote:

> If it's only 30 packages we should rather push it into debhelper 9 now
> if that's okay with Joey. 
> 
> I'll make sure the 30 packages get rebuilt.

I believe that debhelper 9.20120312 implements what we need.

Niko pointed out a reliable way of finding the packages which need to
be rebuilt at
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662666#40>.
I guess we need an email to the buildd maintainers asking them to
update debhelper, and then you can kick off the binNMUs and I can
upload the few packages I have queued to bump to compat level 9.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Wed, 14 Mar 2012 23:09:11 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 14 Mar 2012 23:09:11 GMT)

Message #202 received at 657853@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Moritz Mühlenhoff <jmm@inutil.org>, 657853@bugs.debian.org
Cc: debian-perl@lists.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Wed, 14 Mar 2012 23:06:45 +0000
On Sun, Feb 12, 2012 at 09:28:48PM +0100, Moritz Mühlenhoff wrote:
> These four Perl modules had a DSA since 2006 and are not pure Perl:

So, once the fixed debhelper is installed on buildds:

> libhtml-parser-perl

Ready for upload

> libdbd-pg-perl

To be rebuilt by Moritz

> libimager-perl

Ready for upload

> libnet-dns-perl

Not a pkg-perl package; ready to file a bug

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Thu, 15 Mar 2012 06:39:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Thu, 15 Mar 2012 06:39:03 GMT)

Message #207 received at 657853@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Dominic Hargreaves <dom@earth.li>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 657853@bugs.debian.org, debian-perl@lists.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Thu, 15 Mar 2012 07:36:03 +0100
[Message part 1 (text/plain, inline)]
Hi Dominic

On Wed, Mar 14, 2012 at 11:06:45PM +0000, Dominic Hargreaves wrote:
> > libdbd-pg-perl
> 
> To be rebuilt by Moritz

Maybe for this one, we could first wait one further day, to have the
2.19.0 upload in wheezy? It contains the fix for CVE-2012-1151.

To all involved, many thanks for your work on this!

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Mon, 26 Mar 2012 17:48:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 26 Mar 2012 17:48:09 GMT) Full text and rfc822 format available.

Message #212 received at 657853@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Moritz Muehlenhoff <jmm@inutil.org>, 657853@bugs.debian.org
Cc: debian-perl@lists.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Mon, 26 Mar 2012 18:46:54 +0100
On Wed, Mar 14, 2012 at 11:04:16PM +0000, Dominic Hargreaves wrote:
> On Wed, Feb 22, 2012 at 06:16:16PM +0100, Moritz Muehlenhoff wrote:
> 
> > If it's only 30 packages we should rather push it into debhelper 9 now
> > if that's okay with Joey. 
> > 
> > I'll make sure the 30 packages get rebuilt.
> 
> I believe that debhelper 9.20120312 implements what we need.
> 
> Niko pointed out a reliable way of finding the packages which need to
> be rebuilt at
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662666#40>.
> I guess we need an email to the buildd maintainers asking them to
> update debhelper, and then you can kick off the binNMUs and I can
> upload the few packages I have queued to bump to compat level 9.

Hi Moritz,

Just wanted to check - are you happy to prod the buildd maintainers
into making sure that debhelper >= 9.20120312 is installed, or should
I? I'd like to make sure that the changes I've got queued up don't
get forgotten about.

(Is there even a way to interrogate the buildds to get the current
set of installed packages, or a policy about how often they should
update from unstable?)

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
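The rebuild plan above (debhelper >= 9.20120312 on the buildds, then binNMUs of the XS modules) only helps if the resulting shared objects actually carry the properties dpkg-buildflags is meant to add. The following check is an added example, not code from this bug log, from debhelper or from the perl package; it parses the ELF64 little-endian headers of an object the way a minimal `hardening-check` would and reports PIE, non-executable stack, and partial/full RELRO. Stack-protector and FORTIFY detection need the symbol table and are left out. The `build_synthetic_elf` helper only constructs sample inputs so the example runs offline; on a real system you would point it at a rebuilt `.so` file instead.

```python
"""Report hardening properties of an ELF64 little-endian object.

Added example (not from the Debian bug log, debhelper or perl). It reads
only the ELF header, the program headers and the dynamic section:
  - PIE:        e_type == ET_DYN
  - NX stack:   PT_GNU_STACK present and without PF_X
  - RELRO:      PT_GNU_RELRO present
  - full RELRO: RELRO plus BIND_NOW in the dynamic section
"""
import struct
import sys

ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

PHDR_FMT = "<IIQQQQQQ"  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
DYN_FMT = "<qQ"         # Elf64_Dyn: d_tag, d_val


def elf_hardening(data: bytes) -> dict:
    """Return a dict of hardening properties for one ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 object")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    result = {"pie": e_type == ET_DYN, "nx_stack": False,
              "relro": False, "bind_now": False}
    dynamic = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            # No PT_GNU_STACK at all means the loader may default to an
            # executable stack, so only an explicit non-X entry counts.
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic:
        off, size = dynamic
        for j in range(size // struct.calcsize(DYN_FMT)):
            d_tag, d_val = struct.unpack_from(DYN_FMT, data, off + j * 16)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                result["bind_now"] = True
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def missing_hardening(data: bytes) -> list:
    """Names of the properties an object lacks, in a fixed order."""
    r = elf_hardening(data)
    return [k for k in ("pie", "nx_stack", "relro", "bind_now") if not r[k]]


def build_synthetic_elf(pie: bool, nx_stack: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed sample input: a minimal ELF64 image holding only the
    headers the check reads. It is not loadable; it exists so the example
    runs without a real shared object."""
    dyn = struct.pack(DYN_FMT, DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx_stack else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ehdr_size, phent = 64, struct.calcsize(PHDR_FMT)
    dyn_off = ehdr_size + phent * (len(phdrs) + 1)  # +1 for PT_DYNAMIC itself
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else 2, 62, 1, 0, ehdr_size, 0, 0,
                               ehdr_size, phent, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + dyn


if __name__ == "__main__":
    # Usage: python3 this.py /path/to/rebuilt/module.so   (path is a placeholder)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], elf_hardening(fh.read()))
    else:
        for label, obj in (("hardened", build_synthetic_elf(True, True, True, True)),
                           ("unhardened", build_synthetic_elf(False, False, False, False))):
            print(label, "missing:", missing_hardening(obj) or "nothing")
```

Run against the constructed samples it lists every property the unhardened image lacks and nothing for the hardened one; run against a real file it prints the same dict for that object. Debian's own `hardening-check` script does the fuller job (including the symbol-based stack-protector and FORTIFY checks) and is what you would normally use after a binNMU, but the header-level logic is the same.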




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#657853; Package perl. (Mon, 26 Mar 2012 20:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 26 Mar 2012 20:39:06 GMT) Full text and rfc822 format available.

Message #217 received at 657853@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: Dominic Hargreaves <dom@earth.li>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 657853@bugs.debian.org, debian-perl@lists.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
Date: Mon, 26 Mar 2012 22:34:01 +0200
[Message part 1 (text/plain, inline)]
On Mon, 26 Mar 2012 18:46:54 +0100, Dominic Hargreaves wrote:

> Just wanted to check - are you happy to prod the buildd maintainers
> into making sure that debhelper >= 9.20120312 is installed, or should
> I? I'd like to make sure that the changes I've got queued up don't
> get forgotten about.
> 
> (Is there even a way to interrogate the buildds to get the current
> set of installed packages, or a policy about how often they should
> update from unstable?)

There's an un(der)documented wanna-build command for that, similar to
dw but slightly different, and I neither remember nor find it now.
(We used that for binNMUs of some xs-packages that needed a specific
perl version.)

Ha, here it is: "extra-depends"!

Sources: 
http://article.gmane.org/gmane.linux.debian.devel.bugs.general/843972
-> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632467#20


Cheers,
gregor
 
-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Tanita Tikaram: Twist In My Sobriety [Tikaramp
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Apr 2012 07:38:48 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:23:22 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.