Source: pythonmagick
Version: 0.9.7-1
Severity: normal
User: debian...@lists.debian.org
Usertags:  hardening

pythonmagick fails to build with the hardening flags applied.
The reason is a missing quote in m4/ax_boost_python.m4:66:
CPPFLAGS=-I$PYTHON_INCLUDE_DIR $CPPFLAGS

This leads to configure not finding the Boost Python library:
checking whether the Boost::Python library is available...
../../configure: line 15885: -D_FORTIFY_SOURCE=2: command not found
no

and a subsequent build failure due to an undefined variable later:
/bin/bash ./libtool --tag=CXX   --mode=link g++  -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -DBOOST_PYTHON_DYNAMIC_LIB -avoid-version
-module -L/usr/lib -Wl,-z,relro -o _PythonMagick.la -rpath
/usr/lib/python2.7/dist-packages/PythonMagick
pythonmagick_src/libpymagick.la helpers_src/libhelper.la -L/usr/lib -l
-lMagick++ -lMagickCore
libtool: link: g++  -fPIC -DPIC -shared -nostdlib
/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../x86_64-linux-gnu/crti.o
/usr/lib/gcc/x86_64-linux-gnu/4.6/crtbeginS.o  -Wl,--whole-archive
pythonmagick_src/.libs/libpymagick.a helpers_src/.libs/libhelper.a
-Wl,--no-whole-archive  -L/usr/lib -l /usr/lib/libMagick++.so
/usr/lib/libMagickCore.so -L/usr/lib/gcc/x86_64-linux-gnu/4.6
-L/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../x86_64-linux-gnu
-L/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../lib
-L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu
-L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.6/../../.. -lstdc++
-lm -lc -lgcc_s /usr/lib/gcc/x86_64-linux-gnu/4.6/crtendS.o
/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../x86_64-linux-gnu/crtn.o  -O2
-Wl,-z -Wl,relro   -fopenmp -pthread -Wl,-soname -Wl,_PythonMagick.so -o
.libs/_PythonMagick.so
/usr/bin/ld: cannot find -l/usr/lib/libMagick++.so

Note the empty space after -l where boost_python should be.

Quoting the CPPFLAGS appears to fix the issue.



The buildflags are not exported in Debian, but can be enabled e.g. by
adding this to debian/rules:

 DPKG_EXPORT_BUILDFLAGS = 1
 include /usr/share/dpkg/buildflags.mk

or setting debian/compat to 9.

Please fix the issues and maybe also enable the hardened build in Debian.

[0] http://lists.debian.org/debian-devel-announce/2011/09/msg00001.html
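
The failure described in the report, reproduced in isolation as an added example (not part of the original report or of the pythonmagick sources). The function names and the include path /usr/include/python2.7 are assumptions chosen for illustration; it shows why the unquoted line only breaks once hardening flags are exported.

```shell
#!/bin/sh
# Added example. Constructed values: the include path is an assumption;
# -D_FORTIFY_SOURCE=2 is the flag seen in the configure error above.
PYTHON_INCLUDE_DIR=/usr/include/python2.7

# Unquoted form, as quoted from m4/ax_boost_python.m4:66 in the report.
# The shell reads it as "VAR=value command": a one-shot environment
# assignment followed by a command whose name is the first word of the
# expanded $CPPFLAGS. Prints "<exit status>|<resulting CPPFLAGS>".
unquoted_assignment() {
    (
        CPPFLAGS=$1
        status=0
        { CPPFLAGS=-I$PYTHON_INCLUDE_DIR $CPPFLAGS; } 2>/dev/null || status=$?
        printf '%s|%s\n' "$status" "$CPPFLAGS"
    )
}

# Quoted form: the whole right-hand side is one word, so this is a plain
# assignment whatever $CPPFLAGS contains.
quoted_assignment() {
    (
        CPPFLAGS=$1
        status=0
        { CPPFLAGS="-I$PYTHON_INCLUDE_DIR $CPPFLAGS"; } 2>/dev/null || status=$?
        printf '%s|%s\n' "$status" "$CPPFLAGS"
    )
}

# Empty CPPFLAGS (no exported build flags): the unquoted line happens to work.
echo "unquoted, empty:    $(unquoted_assignment '')"
# Hardening flags exported: the flag is run as a command (127, not found)
# and the include path never reaches CPPFLAGS.
echo "unquoted, hardened: $(unquoted_assignment '-D_FORTIFY_SOURCE=2')"
echo "quoted, hardened:   $(quoted_assignment '-D_FORTIFY_SOURCE=2')"
```

With the unquoted form the Python include directory is silently dropped, which is consistent with the Boost::Python check answering "no" in the configure output above.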
