Your message dated Fri, 09 Jan 2026 03:19:41 +0000
with message-id <[email protected]>
and subject line Bug#1124869: fixed in libjpeg 0.0~git20250815.25f7128-2
has caused the Debian Bug report #1124869,
regarding libjpeg: please build using the default build flags
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1124869: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124869
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libjpeg
Version: 0.0~git20250815.25f7128-1
User: [email protected]
Usertags: hardening-buildflags
libjpeg is not currently using the default build flags set by
dpkg-buildflags(1).
The default flags are chosen for multiple reasons including security,
performance, reproducibility, adherence to standards, and error handling.
Please make sure that libjpeg builds using the default build flags. blhc(1p)
and hardening-check(1) can be used to confirm that the issue is fixed.
In the general case, packages honoring CFLAGS, LDFLAGS, and other
similar environment variables get the default build flags for free
without the need for any work on the maintainer side. In the case of
libjpeg, the flags are either ignored or overridden.
The most common reasons for this are:
Hand-written Makefiles
----------------------
Some upstream Makefiles either override the values of variables such as
CFLAGS and similar or do not use them at all. See:
https://wiki.debian.org/HardeningWalkthrough#Handwritten_Makefiles
Misconfigured build systems
---------------------------
If the upstream code uses autotools, CMake, or other popular build
systems, it usually requires no further modifications. It might however
be that some variables are hardcoded in some way.
In this CMake snippet, the value of CXXFLAGS is overwritten with "-O2":

    set(CMAKE_CXX_FLAGS "-O2")

If the intention is to append to CXXFLAGS, one should use the following
instead:

    set(CMAKE_CXX_FLAGS "-O2 ${CMAKE_CXX_FLAGS}")

See #655870 for a similar autotools example.
Very old debhelper usage
------------------------
Packages not using dh(1), or those using a debhelper compatibility level
less than 9, need to manually include /usr/share/dpkg/buildflags.mk in
order for the dpkg-buildflags variables to be set:
https://wiki.debian.org/Hardening#dpkg-buildflags
Flags hardcoded in debian/rules (either voluntarily or not)
-----------------------------------------------------------
Some packages voluntarily hardcode the values of CFLAGS and friends in
debian/rules, ignoring the defaults set by dpkg-buildflags(1).
Others attempt to append to the variables, but end up accidentally
overriding the defaults:

    #!/usr/bin/make -f
    export CFLAGS += -pipe -fPIC -Wall
    %:
    	dh $@

Debhelper only sets CFLAGS if it is not set yet. In the example above,
when dh is invoked the value of CFLAGS is "-pipe -fPIC -Wall", hence the
hardened defaults are not used. The right way to append to CFLAGS is
using DEB_CFLAGS_MAINT_APPEND instead, as documented in
dpkg-buildflags(1).
For a detailed analysis of this issue, see https://hal.science/hal-05334704/
--- End Message ---
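
The kind of build-log check the report asks for, as an added example that is not part of the bug report and is not blhc's own code: it flags compile lines that lack hardening flags from the dpkg-buildflags defaults. The function names, the sample log and its file names are constructed for illustration, and the flag list is only a subset of the defaults.

```shell
#!/bin/sh
# Flag compile lines in a build log that lack default hardening flags.
# Sketch only: matches bare cc/gcc/g++/c++ commands, not triplet-prefixed ones.

# Subset of the dpkg-buildflags(1) default compiler flags to require.
REQUIRED_FLAGS='-fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security'

# Constructed sample log: line 1 shows CFLAGS overridden as in the
# debian/rules example above, line 2 is hardened, line 3 is a link step.
sample_log() {
    cat <<'EOF'
gcc -pipe -fPIC -Wall -c a.c -o a.o
gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c b.c -o b.o
gcc -o demo a.o b.o
EOF
}

# Reads a build log on stdin, prints "LINE: missing FLAG..." for each
# compile line lacking a required flag; returns 1 if any line was flagged.
missing_hardening() {
    rc=0
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in
            cc\ *|gcc\ *|g++\ *|c++\ *) ;;
            *) continue ;;
        esac
        case " $line " in
            *" -c "*) ;;          # compile step; link-only lines are skipped
            *) continue ;;
        esac
        missing=
        for flag in $REQUIRED_FLAGS; do
            case " $line " in
                *" $flag "*) ;;
                *) missing="$missing $flag" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$n: missing$missing"
            rc=1
        fi
    done
    return "$rc"
}

sample_log | missing_hardening || echo "unhardened compile lines found"
```

On a real package, blhc(1p) run against the actual build log remains the authoritative check; this sketch only shows what such a check looks for.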
--- Begin Message ---
Source: libjpeg
Source-Version: 0.0~git20250815.25f7128-2
Done: xiao sheng wen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libjpeg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
xiao sheng wen <[email protected]> (supplier of updated libjpeg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 09 Jan 2026 11:03:53 +0800
Source: libjpeg
Architecture: source
Version: 0.0~git20250815.25f7128-2
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: xiao sheng wen <[email protected]>
Closes: 1124869
Changes:
 libjpeg (0.0~git20250815.25f7128-2) unstable; urgency=medium
 .
   * Team upload.
   * Bump Standards-Version: 4.7.3
   * d/copyright: update year info to 2026
   * add d/p/Makefile_Settings.gcc-Hardening.patch, Closes: #1124869
   * d/rules:
     - add export DEB_BUILD_MAINT_OPTIONS = hardening=+all
     - change override_dh_installdocs target to execute_before_dh_installman
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---