control: tag -1 pending
Hi, I've uploaded an NMU to delayed/5 enabling build-hardening. Please see the attached patch.
Best wishes, Mike
diff -u dash-0.5.7/debian/changelog dash-0.5.7/debian/changelog --- dash-0.5.7/debian/changelog +++ dash-0.5.7/debian/changelog @@ -1,3 +1,10 @@ +dash (0.5.7-3+nmu1) unstable; urgency=medium + + * Non-maintainer upload. + * Enable build-hardening flags (closes: #662721). + + -- Michael Gilbert <mgilb...@debian.org> Wed, 25 Dec 2013 13:46:03 -0500 + dash (0.5.7-3) unstable; urgency=low [ Christian Perrier ] diff -u dash-0.5.7/debian/control dash-0.5.7/debian/control --- dash-0.5.7/debian/control +++ dash-0.5.7/debian/control @@ -2,7 +2,7 @@ Section: shells Priority: optional Maintainer: Gerrit Pape <p...@smarden.org> -Build-Depends: po-debconf +Build-Depends: po-debconf, dpkg-dev (>= 1.16.1), Standards-Version: 3.9.3.0 Homepage: http://gondor.apana.org.au/~herbert/dash/ Vcs-Git: http://smarden.org/git/dash.git/ diff -u dash-0.5.7/debian/rules dash-0.5.7/debian/rules --- dash-0.5.7/debian/rules +++ dash-0.5.7/debian/rules @@ -1,9 +1,13 @@ #!/usr/bin/make -f CC =gcc -CFLAGS =-g -O2 -Wall STRIP =strip +OPTIONS=hardening=+all +CFLAGS=$(shell DEB_BUILD_MAINT_OPTIONS=$(OPTIONS) dpkg-buildflags --get CFLAGS) +LDFLAGS=$(shell DEB_BUILD_MAINT_OPTIONS=$(OPTIONS) dpkg-buildflags --get LDFLAGS) +CPPFLAGS=$(shell DEB_BUILD_MAINT_OPTIONS=$(OPTIONS) dpkg-buildflags --get CPPFLAGS) + DEB_HOST_GNU_TYPE =$(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE =$(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE)) @@ -12,7 +16,7 @@ ifneq (,$(findstring diet,$(DEB_BUILD_OPTIONS))) CC =diet -v -Os gcc - CFLAGS =-nostdinc -Wall + CFLAGS +=-nostdinc endif ifneq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) STRIP =: strip 
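Review bot: The three new assignments in debian/rules use recursive `=`, so `dpkg-buildflags` is forked again on every expansion of `$(CFLAGS)`, `$(CPPFLAGS)` and `$(LDFLAGS)`, including each use in the configure and build recipes. Simple assignment evaluates the query once, e.g. `CFLAGS := $(shell DEB_BUILD_MAINT_OPTIONS=$(OPTIONS) dpkg-buildflags --get CFLAGS)`, and likewise for the other two. The removed line carried `-Wall`, which the default dpkg-buildflags output does not include as far as I know, so general compiler warnings are lost unless `CFLAGS += -Wall` follows the query. A one-line comment above `OPTIONS=hardening=+all` saying that `+all` also turns on the non-default PIE and bindnow features would help the next maintainer.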
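Review bot: In the `diet` branch, `CFLAGS +=-nostdinc` now appends to the full hardened flag set instead of replacing it, so the stack-protector, PIE and fortify options reach the `diet -v -Os gcc` wrapper along with the matching LDFLAGS. Nothing visible here shows that dietlibc compiles and links with those options, so a `DEB_BUILD_OPTIONS=diet` build should be tested before upload. If some features have to be switched off for that branch, say so in a comment next to the assignment. This branch also loses `-Wall`, which the old `CFLAGS =-nostdinc -Wall` set explicitly.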
@@ -32,14 +36,14 @@ configure-stamp: patch-stamp mkdir -p build-tmp touch configure - (cd build-tmp && CC='$(CC)' CFLAGS='$(CFLAGS)' \ + (cd build-tmp && CC='$(CC)' CFLAGS='$(CFLAGS)' CPPFLAGS='$(CPPFLAGS)' LDFLAGS='$(LDFLAGS)' \ exec ../configure --host='$(DEB_HOST_GNU_TYPE)') touch configure-stamp build: deb-checkdir build-stamp build-stamp: configure-stamp -$(CC) -v - (cd build-tmp && exec $(MAKE) CFLAGS='$(CFLAGS)') || \ + (cd build-tmp && exec $(MAKE) CFLAGS='$(CFLAGS)' CPPFLAGS='$(CPPFLAGS)' LDFLAGS='$(LDFLAGS)') || \ (cat build-tmp/config.log; exit 1) || exit 1 touch build-stamp only in patch2: unchanged: --- dash-0.5.7.orig/debian/diff/0006-SECURITY-hardening.diff +++ dash-0.5.7/debian/diff/0006-SECURITY-hardening.diff @@ -0,0 +1,14 @@ +description: address format-security build error +author: Simon Ruderich <si...@ruderich.org> + +--- a/src/jobs.c 2013-12-25 14:20:37.932958436 -0500 ++++ b/src/jobs.c 2013-12-25 14:20:47.944958520 -0500 +@@ -427,7 +427,7 @@ + goto out; + #endif + } +- col = fmtstr(s, 32, strsignal(st)); ++ col = fmtstr(s, 32, "%s", strsignal(st)); + #ifdef WCOREDUMP + if (WCOREDUMP(status)) { + col += fmtstr(s + col, 16, " (core dumped)");
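Review bot: The configure and build recipes now pass `CPPFLAGS` and `LDFLAGS`, but nothing in the change confirms that the flags end up on every compile and link line of the upstream build. Checking the build log with `blhc`, or the resulting `dash` binary with `hardening-check`, would show whether PIE, relro and bindnow actually took effect. A short comment above the `(cd build-tmp && exec $(MAKE) …)` line explaining that the flags are repeated on the make command line to override whatever configure recorded would also help. Both recipes start in context lines and the rest of debian/rules is outside this hunk.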
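Review bot: The header of 0006-SECURITY-hardening.diff has only `description:` and `author:`, so it does not record why the change is needed or whether it has gone upstream. I would extend the description to say that `strsignal(st)` was being passed as the format argument of `fmtstr()` and is rejected by `-Werror=format-security`. I would also add `Bug-Debian: https://bugs.debian.org/662721` and a `Forwarded:` field. The fix itself, `fmtstr(s, 32, "%s", strsignal(st));`, is the right shape, but only this one call site in src/jobs.c is visible, so other `fmtstr`/`printf`-style calls with non-literal formats should be confirmed clean by a full hardened build. The rule that applies debian/diff/*.diff is outside this diff, so check that it picks up the new file.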