Bug#988046: bind9: does not honor CPPFLAGS
On 08/05/2021 20:43, Ondřej Surý wrote:
> Emilio, could you please post this to the upstream gitLab.isc.org? Ping me when you create the account, I will have to bump the project limit, so you can fork. I would be happy to merge this upstream.

Thanks! Can you apply the attached patch? I'd prefer to not create that extra account if I don't have to, but if it's somehow required then I can do it.

> Fortunately, I’ve already changed the build system to use automake in the development branch, but it was quite an effort, so I didn’t make it in time for 9.16, but the next stable (9.18) will be pretty standard.

Nice!

Cheers,
Emilio

>From 6748327732af53ee2dd6660a34bac5f15f73f812 Mon Sep 17 00:00:00 2001 From: Emilio Pozuelo Monfort Date: Tue, 8 Jun 2021 12:16:41 +0200 Subject: [PATCH] Honor CPPFLAGS --- make/rules.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/make/rules.in b/make/rules.in index 5dd9130062..ac214fba17 100644 --- a/make/rules.in +++ b/make/rules.in @@ -105,6 +105,7 @@ install uninstall clean distclean maintainer-clean doc docclean man manclean:: CC = @CC@ CFLAGS = @CFLAGS@ +CPPFLAGS = @CPPFLAGS@ LDFLAGS = @LDFLAGS@ STD_CINCLUDES = @STD_CINCLUDES@ STD_CDEFINES = @STD_CDEFINES@ @@ -160,7 +161,7 @@ ALWAYS_DEFINES = @ALWAYS_DEFINES@ ALWAYS_WARNINGS = ALL_CPPFLAGS = \ - ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \ + ${CPPFLAGS} ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \ ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES} ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \ -- 2.30.2
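
Review bot: In the second hunk of make/rules.in, ${CPPFLAGS} is placed at the front of ALL_CPPFLAGS, ahead of ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES}, so any -I directory a builder passes in CPPFLAGS is searched before the tree's own include directories, and the tree's ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES} come later on the command line than a builder's -D or -U for the same macro. Consider appending ${CPPFLAGS} after ${STD_CDEFINES} instead, so in-tree headers keep precedence and the builder's defines are processed last; whichever order is intended, a one-line comment above ALL_CPPFLAGS stating it would help the next reader.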
Bug#988046: bind9: does not honor CPPFLAGS
Emilio, could you please post this to the upstream gitLab.isc.org? Ping me when you create the account, I will have to bump the project limit, so you can fork. I would be happy to merge this upstream.

Fortunately, I’ve already changed the build system to use automake in the development branch, but it was quite an effort, so I didn’t make it in time for 9.16, but the next stable (9.18) will be pretty standard.

Ondřej
--
Ondřej Surý (He/Him)

> On 4. 5. 2021, at 11:21, Emilio Pozuelo Monfort wrote:
>
> Package: bind9
> Severity: normal
>
> Hi,
>
> While doing a bind9 update for stretch LTS, Anton Gladky added a salsa
> pipeline which had a blhc (build log hardening check) test that was
> failing.
>
> I have investigated it and found that bind9 is not using automake and while
> it tries to honor most *FLAGS variables, it ignores CPPFLAGS. The attached
> patch makes it honor CPPFLAGS, so that Debian's default flags (e.g.
> -D_FORTIFY_SOURCE=2) get passed. A small diff from the build logs:
>
> -libtool: compile: gcc -include /build/bind9-9.16.13/config.h
> -I/build/bind9-9.16.13 -I../../.. -I./include -I./../unix/include
> -I./../pthreads/include -I../include -I./../include -I./..
> -I/usr/include/json-c -I/usr/include/libxml2 -g -O2
> -ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat
> -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks
> -DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes
> -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith
> -Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o
> >/dev/null 2>&1
> +libtool: compile: gcc -Wdate-time -D_FORTIFY_SOURCE=2 -include
> /build/bind9-9.16.13/config.h -I/build/bind9-9.16.13 -I../../.. -I./include
> -I./../unix/include -I./../pthreads/include -I../include -I./../include
> -I./.. -I/usr/include/json-c -I/usr/include/libxml2 -g -O2
> -ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat
> -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks
> -DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes
> -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith
> -Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o
> >/dev/null 2>&1
>
> I have not tested the resulting package, but it should probably be alright
> to add this after the current freeze.
>
> Thanks,
> Emilio
>
> -- System Information:
> Debian Release: bullseye/sid
> APT prefers testing-security
> APT policy: (500, 'testing-security'), (200, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.10.0-5-amd64 (SMP w/12 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
> TAINT_UNSIGNED_MODULE
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_GB:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages bind9 depends on:
> ii adduser 3.118
> ii bind9-libs 1:9.16.13-1
> pn bind9-utils
> ii debconf [debconf-2.0] 1.5.75
> ii dns-root-data 2021011101
> ii init-system-helpers 1.60
> ii iproute2 5.10.0-4
> ii libc6 2.31-11
> ii libcap2 1:2.44-1
> ii libfstrm0 0.6.0-1+b1
> ii libjson-c5 0.15-2
> ii liblmdb0 0.9.24-1
> ii libmaxminddb0 1.5.2-1
> ii libprotobuf-c1 1.3.3-1+b2
> ii libssl1.1 1.1.1k-1
> ii libuv1 1.40.0-1
> ii libxml2 2.9.10+dfsg-6.3+b1
> ii lsb-base 11.1.0
> ii netbase 6.2
> ii zlib1g 1:1.2.11.dfsg-2
>
> bind9 recommends no packages.
>
> Versions of packages bind9 suggests:
> pn bind-doc
> ii bind9-dnsutils [dnsutils] 1:9.16.13-1
> ii dnsutils 1:9.16.13-1
> pn resolvconf
> pn ufw
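
The failure described in the quoted report, compile lines that never receive Debian's CPPFLAGS, can be detected directly from a build log. The check below is an added example, not part of this thread and not blhc's implementation; the function names and the sample log lines are constructed for illustration, and only the joined `-Dname=value` form is handled.

```python
import shlex

# Constructed sample log: shortened forms of the two compile lines quoted in
# the report, plus a constructed line that undoes the define later on.
SAMPLE_LOG = """\
libtool: compile:  gcc -include config.h -I./include -g -O2 -fstack-protector-strong -c tlsdns.c -o tlsdns.o
libtool: compile:  gcc -Wdate-time -D_FORTIFY_SOURCE=2 -include config.h -I./include -g -O2 -c tlsdns.c -o tlsdns.o
libtool: compile:  gcc -D_FORTIFY_SOURCE=2 -g -O2 -U_FORTIFY_SOURCE -c late_undef.c -o late_undef.o
libtool: link: gcc -shared -o libexample.so tlsdns.o
"""

COMPILERS = {"gcc", "cc", "clang"}  # assumption: compiler names to look for

def compile_argv(line):
    """Return the compiler argv if the line is a compile step (-c), else None."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes in a log line
        return None
    for i, tok in enumerate(tokens):
        if tok.rsplit("/", 1)[-1] in COMPILERS:
            argv = tokens[i:]
            return argv if "-c" in argv else None
    return None

def fortify_level(argv):
    """Effective _FORTIFY_SOURCE value; the last -D/-U on the line wins."""
    level = None
    for tok in argv:
        if tok == "-U_FORTIFY_SOURCE":
            level = None
        elif tok == "-D_FORTIFY_SOURCE":
            level = "1"  # a bare -Dname defines the macro as 1
        elif tok.startswith("-D_FORTIFY_SOURCE="):
            level = tok.split("=", 1)[1]
    return level

def unfortified(log, minimum=2):
    """List (line number, source file, level) for under-fortified compiles."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), 1):
        argv = compile_argv(line)
        if argv is None:
            continue
        level = fortify_level(argv)
        if level is None or not level.isdigit() or int(level) < minimum:
            at = argv.index("-c") + 1
            findings.append((lineno, argv[at] if at < len(argv) else "?", level))
    return findings
```

Calling `unfortified(SAMPLE_LOG)` reports the first and third compile lines; the third shows why presence of the flag alone is not enough when a later `-U` cancels it.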
Bug#988046: bind9: does not honor CPPFLAGS
Package: bind9
Severity: normal

Hi,

While doing a bind9 update for stretch LTS, Anton Gladky added a salsa pipeline which had a blhc (build log hardening check) test that was failing.

I have investigated it and found that bind9 is not using automake and while it tries to honor most *FLAGS variables, it ignores CPPFLAGS. The attached patch makes it honor CPPFLAGS, so that Debian's default flags (e.g. -D_FORTIFY_SOURCE=2) get passed. A small diff from the build logs:

-libtool: compile: gcc -include /build/bind9-9.16.13/config.h -I/build/bind9-9.16.13 -I../../.. -I./include -I./../unix/include -I./../pthreads/include -I../include -I./../include -I./.. -I/usr/include/json-c -I/usr/include/libxml2 -g -O2 -ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o >/dev/null 2>&1
+libtool: compile: gcc -Wdate-time -D_FORTIFY_SOURCE=2 -include /build/bind9-9.16.13/config.h -I/build/bind9-9.16.13 -I../../.. -I./include -I./../unix/include -I./../pthreads/include -I../include -I./../include -I./.. -I/usr/include/json-c -I/usr/include/libxml2 -g -O2 -ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o >/dev/null 2>&1

I have not tested the resulting package, but it should probably be alright to add this after the current freeze.

Thanks,
Emilio

-- System Information:
Debian Release: bullseye/sid
APT prefers testing-security
APT policy: (500, 'testing-security'), (200, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-5-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii adduser 3.118
ii bind9-libs 1:9.16.13-1
pn bind9-utils
ii debconf [debconf-2.0] 1.5.75
ii dns-root-data 2021011101
ii init-system-helpers 1.60
ii iproute2 5.10.0-4
ii libc6 2.31-11
ii libcap2 1:2.44-1
ii libfstrm0 0.6.0-1+b1
ii libjson-c5 0.15-2
ii liblmdb0 0.9.24-1
ii libmaxminddb0 1.5.2-1
ii libprotobuf-c1 1.3.3-1+b2
ii libssl1.1 1.1.1k-1
ii libuv1 1.40.0-1
ii libxml2 2.9.10+dfsg-6.3+b1
ii lsb-base 11.1.0
ii netbase 6.2
ii zlib1g 1:1.2.11.dfsg-2

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn bind-doc
ii bind9-dnsutils [dnsutils] 1:9.16.13-1
ii dnsutils 1:9.16.13-1
pn resolvconf
pn ufw

diff -Nru bind9-9.16.13/debian/changelog bind9-9.16.13/debian/changelog --- bind9-9.16.13/debian/changelog 2021-03-18 14:23:49.0 +0100 +++ bind9-9.16.13/debian/changelog 2021-05-04 10:39:27.0 +0200 @@ -1,3 +1,10 @@ +bind9 (1:9.16.13-1.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Pass CPPFLAGS down to make. + + -- Emilio Pozuelo Monfort Tue, 04 May 2021 10:39:27 +0200 + bind9 (1:9.16.13-1) unstable; urgency=medium * New upstream version 9.16.13 diff -Nru bind9-9.16.13/debian/patches/preserve-cppflags.patch bind9-9.16.13/debian/patches/preserve-cppflags.patch --- bind9-9.16.13/debian/patches/preserve-cppflags.patch1970-01-01 01:00:00.0 +0100 +++ bind9-9.16.13/debian/patches/preserve-cppflags.patch2021-05-04 10:39:27.0 +0200
@@ -0,0 +1,23 @@ +Preserve CPPFLAGS + +Author: Emilio Pozuelo Monfort + +--- a/make/rules.in b/make/rules.in +@@ -105,6 +105,7 @@ install uninstall clean distclean mainta + + CC = @CC@ + CFLAGS = @CFLAGS@ ++CPPFLAGS =@CPPFLAGS@ + LDFLAGS = @LDFLAGS@ + STD_CINCLUDES = @STD_CINCLUDES@ + STD_CDEFINES =@STD_CDEFINES@ +@@ -160,7 +161,7 @@ ALWAYS_DEFINES = @ALWAYS_DEFINES@ + ALWAYS_WARNINGS = + + ALL_CPPFLAGS = \ +- ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \ ++ ${CPPFLAGS} ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \ + ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES} + + ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \ diff -Nru bind9-9.16.13/debian/patches/series
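
Review bot: The header of the new debian/patches/preserve-cppflags.patch carries only the title "Preserve CPPFLAGS" and an Author line, so nothing in the patch says why it exists or whether it has gone upstream. Add a short Description explaining that make/rules.in dropped CPPFLAGS and that this restores Debian's default preprocessor flags, plus Bug-Debian (https://bugs.debian.org/988046) and Forwarded fields. In the debian/changelog hunk, the entry "Pass CPPFLAGS down to make." does not reference the bug; appending "(Closes: #988046)" would close it on upload. The debian/patches/series change is cut off here, so check that it lists preserve-cppflags.patch.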