• Bug#849542: PIE specs ignored even with DEB_BUILD_MAINT_OPTIONS hardeni

    From James Clarke@21:1/5 to All on Wed Dec 28 12:30:02 2016
    Package: gcc-6
    Version: 6.2.1-7
    Severity: important

    The check introduced to ignore dpkg's PIE specs when PIE is not enabled
    by default is wrong, and ends up ignoring them even when hardening=+all
    or hardening=+pie is present in DEB_BUILD_MAINT_OPTIONS.

    The current check is:

    if (ignore_pie_specs_when_not_enabled("DEB_BUILD_MAINT_OPTIONS", arg)
    || ignore_pie_specs_when_not_enabled("DEB_BUILD_OPTIONS", arg))

    but since only DEB_BUILD_MAINT_OPTIONS includes the hardening options,
    the second call with DEB_BUILD_OPTIONS returns true and causes the file
    to be ignored. I believe this should be && rather than ||.

    I can reproduce this regression by building one of my packages
    (src:polyml) on sparc64:

    $ grep hardening debian/rules
    export DEB_BUILD_MAINT_OPTIONS=hardening=+all
    $ dpkg-buildpackage -us -uc
    [...]
    g++: note: pie specs /usr/share/dpkg/pie-compile.specs ignored when pie is not enabled

    Regards,
    James
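To make the || versus && point concrete, here is an added model of the check (example code written for this page, not the gcc or Debian source). The body of ignore_pie_specs_when_not_enabled is an assumption: only its name and call pattern appear in the report, so it is modeled as "return true when the given option string does not enable PIE", with hardening=... entries parsed in the dpkg-buildflags style (comma-separated +feature/-feature/+all/-all, later entries overriding earlier ones). The functions specs_ignored_reported and specs_ignored_proposed are hypothetical names for the two variants of the condition, taking the two variables' values as arguments so the behaviour can be checked without touching the environment.

```c
/* Added example: a model of the Debian gcc PIE-specs check.  Not the
 * gcc/Debian source; the helper's internals are assumed (see lead-in). */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed parser for a DEB_BUILD*_OPTIONS-style value: whitespace-separated
 * entries, of which "hardening=..." carries comma-separated toggles.
 * Returns true if the last applicable toggle enables PIE.  NULL = unset. */
bool hardening_enables_pie(const char *value)
{
    bool pie = false;
    if (value == NULL)
        return false;
    char *copy = strdup(value);
    if (copy == NULL)
        return false;
    char *save_entry = NULL;
    for (char *entry = strtok_r(copy, " \t", &save_entry); entry != NULL;
         entry = strtok_r(NULL, " \t", &save_entry)) {
        if (strncmp(entry, "hardening=", 10) != 0)
            continue;
        char *save_flag = NULL;
        for (char *flag = strtok_r(entry + 10, ",", &save_flag); flag != NULL;
             flag = strtok_r(NULL, ",", &save_flag)) {
            if (strcmp(flag, "+all") == 0 || strcmp(flag, "+pie") == 0)
                pie = true;
            else if (strcmp(flag, "-all") == 0 || strcmp(flag, "-pie") == 0)
                pie = false;
        }
    }
    free(copy);
    return pie;
}

/* Modeled helper (assumption): true when this variable's value does NOT
 * enable PIE, i.e. "the specs file should be ignored as far as this
 * variable is concerned".  The real helper takes the variable name and
 * looks it up itself; here the value is passed in directly. */
bool ignore_pie_specs_when_not_enabled(const char *value)
{
    return !hardening_enables_pie(value);
}

/* The condition as reported (||): specs ignored if EITHER variable
 * fails to enable PIE.  DEB_BUILD_OPTIONS normally carries no hardening
 * entry at all, so this is almost always true. */
bool specs_ignored_reported(const char *maint_opts, const char *build_opts)
{
    return ignore_pie_specs_when_not_enabled(maint_opts)
        || ignore_pie_specs_when_not_enabled(build_opts);
}

/* The condition as the report proposes (&&): specs ignored only if
 * NEITHER variable enables PIE. */
bool specs_ignored_proposed(const char *maint_opts, const char *build_opts)
{
    return ignore_pie_specs_when_not_enabled(maint_opts)
        && ignore_pie_specs_when_not_enabled(build_opts);
}

int main(void)
{
    /* Reproduce the report's setup: hardening=+all exported from
     * debian/rules into DEB_BUILD_MAINT_OPTIONS, DEB_BUILD_OPTIONS unset.
     * Real values come from the environment when run under dpkg-buildpackage. */
    const char *maint = getenv("DEB_BUILD_MAINT_OPTIONS");
    const char *build = getenv("DEB_BUILD_OPTIONS");
    if (maint == NULL)
        maint = "hardening=+all";
    printf("DEB_BUILD_MAINT_OPTIONS=%s DEB_BUILD_OPTIONS=%s\n",
           maint, build ? build : "(unset)");
    printf("reported (||): pie specs ignored = %s\n",
           specs_ignored_reported(maint, build) ? "yes" : "no");
    printf("proposed (&&): pie specs ignored = %s\n",
           specs_ignored_proposed(maint, build) ? "yes" : "no");
    return 0;
}
```

With the report's environment the || form ignores the specs even though hardening=+all is set, while the && form keeps them; both forms still ignore the specs when neither variable enables PIE, which is the case the original check was meant to cover.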
