Bug#988046: bind9: does not honor CPPFLAGS

2021-06-08 Thread Emilio Pozuelo Monfort

On 08/05/2021 20:43, Ondřej Surý wrote:

> Emilio,
>
> could you please post this to the upstream gitLab.isc.org? Ping me when you
> create the account, I will have to bump the project limit, so you can fork.
>
> I would be happy to merge this upstream.

Thanks! Can you apply the attached patch? I'd prefer to not create that extra 
account if I don't have to, but if it's somehow required then I can do it.

> Fortunately, I’ve already changed the build system to use automake in the
> development branch, but it was quite an effort, so I didn’t make it in time for
> 9.16, but the next stable (9.18) will be pretty standard.


Nice!

Cheers,
Emilio

From 6748327732af53ee2dd6660a34bac5f15f73f812 Mon Sep 17 00:00:00 2001
From: Emilio Pozuelo Monfort 
Date: Tue, 8 Jun 2021 12:16:41 +0200
Subject: [PATCH] Honor CPPFLAGS

---
 make/rules.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/make/rules.in b/make/rules.in
index 5dd9130062..ac214fba17 100644
--- a/make/rules.in
+++ b/make/rules.in
@@ -105,6 +105,7 @@ install uninstall clean distclean maintainer-clean doc docclean man manclean::
 
 CC = 		@CC@
 CFLAGS =	@CFLAGS@
+CPPFLAGS =	@CPPFLAGS@
 LDFLAGS =	@LDFLAGS@
 STD_CINCLUDES =	@STD_CINCLUDES@
 STD_CDEFINES =	@STD_CDEFINES@
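Review bot: the added "CPPFLAGS = @CPPFLAGS@" line only works if configure substitutes @CPPFLAGS@ into make/rules.in, and neither the one-file diff nor the commit message, which is a bare subject, says this was checked. Autoconf exports CPPFLAGS as a preset output variable, so it should hold; please state that in the message body together with the motivation (letting preprocessor defines such as -D_FORTIFY_SOURCE=2 reach the compiler), so the change can be judged without the bug report.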
@@ -160,7 +161,7 @@ ALWAYS_DEFINES = @ALWAYS_DEFINES@
 ALWAYS_WARNINGS =
 
 ALL_CPPFLAGS = \
-	${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
+	${CPPFLAGS} ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
 	${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES}
 
 ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \
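Review bot: in the changed ALL_CPPFLAGS line, ${CPPFLAGS} is placed ahead of ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES}, so any -I directory a builder puts in CPPFLAGS is searched before the tree's own include paths, and a later -D or -U of the same macro from ${ALWAYS_DEFINES}, ${CDEFINES} or ${STD_CDEFINES} overrides the builder's setting. Automake-generated rules place the user's CPPFLAGS after the package's own includes and defines; consider moving ${CPPFLAGS} to the end of ALL_CPPFLAGS, after ${STD_CDEFINES}, so in-tree headers cannot be shadowed and defines such as -D_FORTIFY_SOURCE=2 take precedence.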
-- 
2.30.2



Bug#988046: bind9: does not honor CPPFLAGS

2021-05-08 Thread Ondřej Surý
Emilio,

could you please post this to the upstream gitLab.isc.org? Ping me when you 
create the account, I will have to bump the project limit, so you can fork.

I would be happy to merge this upstream.

Fortunately, I’ve already changed the build system to use automake in the 
development branch, but it was quite an effort, so I didn’t make it in time for 
9.16, but the next stable (9.18) will be pretty standard.

Ondřej 
--
Ondřej Surý  (He/Him)

> On 4. 5. 2021, at 11:21, Emilio Pozuelo Monfort  wrote:
> 
> Package: bind9
> Severity: normal
> 
> Hi,
> 
> While doing a bind9 update for stretch LTS, Anton Gladky added a salsa
> pipeline which had a blhc (build log hardening check) test that was
> failing.
> 
> I have investigated it and found that bind9 is not using automake and while
> it tries to honor most *FLAGS variables, it ignores CPPFLAGS. The attached
> patch makes it honor CPPFLAGS, so that Debian's default flags (e.g.
> -D_FORTIFY_SOURCE=2) get passed. A small diff from the build logs:
> 
> -libtool: compile:  gcc -include /build/bind9-9.16.13/config.h 
> -I/build/bind9-9.16.13 -I../../.. -I./include -I./../unix/include 
> -I./../pthreads/include -I../include -I./../include -I./.. 
> -I/usr/include/json-c -I/usr/include/libxml2 -g -O2 
> -ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat 
> -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks 
> -DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes 
> -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith 
> -Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o 
> >/dev/null 2>&1
> +libtool: compile:  gcc -Wdate-time -D_FORTIFY_SOURCE=2 -include 
> /build/bind9-9.16.13/config.h -I/build/bind9-9.16.13 -I../../.. -I./include 
> -I./../unix/include -I./../pthreads/include -I../include -I./../include 
> -I./.. -I/usr/include/json-c -I/usr/include/libxml2 -g -O2 
> -ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat 
> -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks 
> -DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes 
> -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith 
> -Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o 
> >/dev/null 2>&1
> 
> I have not tested the resulting package, but it should probably be alright
> to add this after the current freeze.
> 
> Thanks,
> Emilio
> 
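
The check that failed in the quoted report, reduced to its core, as an added example that is not part of the thread and not blhc's own code: it scans build-log lines for compile steps and reports which hardening flags are absent. The function names, the flag subset and the shortened sample lines are assumptions made for illustration.

```python
import re
import shlex

COMPILER = re.compile(r"(?:.*-)?(?:gcc|cc|clang)(?:-[\d.]+)?")
# Assumed subset of Debian's default CFLAGS; blhc itself checks more than this.
CFLAGS_REQUIRED = ["-fstack-protector-strong", "-Wformat", "-Werror=format-security"]


def compile_argv(line):
    """Return the compiler argv if the log line is a compile step, else None."""
    try:
        words = shlex.split(line)
    except ValueError:  # unbalanced quote in a log line
        return None
    for i, word in enumerate(words):
        name = word.rsplit("/", 1)[-1]
        if not word.startswith("-") and COMPILER.fullmatch(name):
            return words[i:] if "-c" in words[i:] else None  # no -c: link step
    return None


def fortified(argv):
    """True if the last _FORTIFY_SOURCE setting on the line is level 2 or 3."""
    seen = [a for a in argv if re.match(r"-[DU]_FORTIFY_SOURCE\b", a)]
    return bool(seen) and seen[-1] in ("-D_FORTIFY_SOURCE=2", "-D_FORTIFY_SOURCE=3")


def missing_hardening(line):
    """List hardening flags absent from a compile line; None for other lines."""
    argv = compile_argv(line)
    if argv is None:
        return None
    missing = [f for f in CFLAGS_REQUIRED if f not in argv]
    opt = [a for a in argv if a.startswith("-O")]
    # _FORTIFY_SOURCE has no effect without optimisation, so -O0 lines are exempt.
    if opt and opt[-1] != "-O0" and not fortified(argv):
        missing.append("-D_FORTIFY_SOURCE=2")
    return missing


# Constructed sample: the two log lines from the report, shortened.
COMMON = ("-include /build/bind9-9.16.13/config.h -I./include -g -O2 "
          "-fstack-protector-strong -Wformat -Werror=format-security "
          "-c tlsdns.c -o tlsdns.o >/dev/null 2>&1")
BEFORE = "libtool: compile:  gcc " + COMMON
AFTER = "libtool: compile:  gcc -Wdate-time -D_FORTIFY_SOURCE=2 " + COMMON

if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        print(label, missing_hardening(line) or "ok")
```

Because `fortified` looks at the last `_FORTIFY_SOURCE` setting on the line, a `-U_FORTIFY_SOURCE` that appears after the define is reported as missing hardening as well.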



Bug#988046: bind9: does not honor CPPFLAGS

2021-05-04 Thread Emilio Pozuelo Monfort
Package: bind9
Severity: normal

Hi,

While doing a bind9 update for stretch LTS, Anton Gladky added a salsa
pipeline which had a blhc (build log hardening check) test that was
failing.

I have investigated it and found that bind9 is not using automake and while
it tries to honor most *FLAGS variables, it ignores CPPFLAGS. The attached
patch makes it honor CPPFLAGS, so that Debian's default flags (e.g.
-D_FORTIFY_SOURCE=2) get passed. A small diff from the build logs:

-libtool: compile:  gcc -include /build/bind9-9.16.13/config.h 
-I/build/bind9-9.16.13 -I../../.. -I./include -I./../unix/include 
-I./../pthreads/include -I../include -I./../include -I./.. 
-I/usr/include/json-c -I/usr/include/libxml2 -g -O2 
-ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat 
-Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks 
-DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes 
-Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith 
-Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o 
>/dev/null 2>&1
+libtool: compile:  gcc -Wdate-time -D_FORTIFY_SOURCE=2 -include 
/build/bind9-9.16.13/config.h -I/build/bind9-9.16.13 -I../../.. -I./include 
-I./../unix/include -I./../pthreads/include -I../include -I./../include -I./.. 
-I/usr/include/json-c -I/usr/include/libxml2 -g -O2 
-ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat 
-Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks 
-DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes 
-Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith 
-Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o 
>/dev/null 2>&1

I have not tested the resulting package, but it should probably be alright
to add this after the current freeze.

Thanks,
Emilio

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (200, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-5-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii  adduser                3.118
ii  bind9-libs             1:9.16.13-1
pn  bind9-utils
ii  debconf [debconf-2.0]  1.5.75
ii  dns-root-data          2021011101
ii  init-system-helpers    1.60
ii  iproute2               5.10.0-4
ii  libc6                  2.31-11
ii  libcap2                1:2.44-1
ii  libfstrm0              0.6.0-1+b1
ii  libjson-c5             0.15-2
ii  liblmdb0               0.9.24-1
ii  libmaxminddb0          1.5.2-1
ii  libprotobuf-c1         1.3.3-1+b2
ii  libssl1.1              1.1.1k-1
ii  libuv1                 1.40.0-1
ii  libxml2                2.9.10+dfsg-6.3+b1
ii  lsb-base               11.1.0
ii  netbase                6.2
ii  zlib1g                 1:1.2.11.dfsg-2

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc   
ii  bind9-dnsutils [dnsutils]  1:9.16.13-1
ii  dnsutils   1:9.16.13-1
pn  resolvconf 
pn  ufw
diff -Nru bind9-9.16.13/debian/changelog bind9-9.16.13/debian/changelog
--- bind9-9.16.13/debian/changelog  2021-03-18 14:23:49.0 +0100
+++ bind9-9.16.13/debian/changelog  2021-05-04 10:39:27.0 +0200
@@ -1,3 +1,10 @@
+bind9 (1:9.16.13-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Pass CPPFLAGS down to make.
+
+ -- Emilio Pozuelo Monfort   Tue, 04 May 2021 10:39:27 +0200
+
 bind9 (1:9.16.13-1) unstable; urgency=medium
 
   * New upstream version 9.16.13
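Review bot: the new changelog entry "Pass CPPFLAGS down to make." does not reference the bug, so uploading this version would not close it automatically. Append "(Closes: #988046)" to that line.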
diff -Nru bind9-9.16.13/debian/patches/preserve-cppflags.patch 
bind9-9.16.13/debian/patches/preserve-cppflags.patch
--- bind9-9.16.13/debian/patches/preserve-cppflags.patch1970-01-01 
01:00:00.0 +0100
+++ bind9-9.16.13/debian/patches/preserve-cppflags.patch2021-05-04 
10:39:27.0 +0200
@@ -0,0 +1,23 @@
+Preserve CPPFLAGS
+
+Author: Emilio Pozuelo Monfort 
+
+--- a/make/rules.in
 b/make/rules.in
+@@ -105,6 +105,7 @@ install uninstall clean distclean mainta
+ 
+ CC =  @CC@
+ CFLAGS =  @CFLAGS@
++CPPFLAGS =@CPPFLAGS@
+ LDFLAGS = @LDFLAGS@
+ STD_CINCLUDES =   @STD_CINCLUDES@
+ STD_CDEFINES =@STD_CDEFINES@
+@@ -160,7 +161,7 @@ ALWAYS_DEFINES = @ALWAYS_DEFINES@
+ ALWAYS_WARNINGS =
+ 
+ ALL_CPPFLAGS = \
+-  ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
++  ${CPPFLAGS} ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
+   ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES}
+ 
+ ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \
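Review bot: the header of the new debian/patches/preserve-cppflags.patch carries only the title "Preserve CPPFLAGS" and an Author field. Add the DEP-3 fields a later maintainer will look for: a Description stating that make/rules.in dropped CPPFLAGS so defines such as -D_FORTIFY_SOURCE=2 never reached the compiler, plus Bug-Debian and Forwarded, so the patch's upstream status can be tracked from the file itself.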
diff -Nru bind9-9.16.13/debian/patches/series