XPost: linux.debian.bugs.dist
From: schopin@ubuntu.com
This is a multi-part MIME message sent by reportbug.
Package: dpkg-dev
Version: 1.22.18ubuntu2
Severity: normal
Tags: patch
X-Debbugs-Cc: schopin@ubuntu.com
Hi,
We don't pass the branch hardening flags to LDFLAGS. However, this can
necessary for the linker to expose the relevant flags in the ELF notes,
notably on arm64. It's usually not too much of an issue since *most*
build scripts will also import CFLAGS, but that's not strictly
necessary. An example package that only use LDFLAGS for building is
src:db5.3.
Starting with GCC 15, this will become an issue as the linker will start
issuing warning when linking GCS-enabled executable to libraries that do
not have said GCS flag.
-- System Information:
Debian Release: trixie/sid
APT prefers plucky-updates
APT policy: (500, 'plucky-updates'), (500, 'plucky-security'), (500,
'plucky'), (100, 'plucky-proposed')
Architecture: amd64 (x86_64)
Kernel: Linux 6.14.0-29-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages dpkg-dev depends on:
ii binutils 2.44-3ubuntu1
ii bzip2 1.0.8-6
ii libdpkg-perl 1.22.18ubuntu2
ii lto-disabled-list 57
ii make 4.4.1-1
ii patch 2.7.6-7build3
ii perl 5.40.1-2ubuntu0.2
ii tar 1.35+dfsg-3.1
ii xz-utils 5.6.4-1ubuntu1
Versions of packages dpkg-dev recommends:
ii build-essential 12.12ubuntu1
ii clang-18 [c-compiler] 1:18.1.8-17
ii clang-19 [c-compiler] 1:19.1.7-3ubuntu1
ii clang-20 [c-compiler] 1:20.1.2-0ubuntu1
ii fakeroot 1.37.1-1
ii gcc [c-compiler] 4:14.2.0-1ubuntu1
ii gcc-13 [c-compiler] 13.3.0-13ubuntu1
ii gcc-14 [c-compiler] 14.2.0-19ubuntu2
ii gnupg 2.4.4-2ubuntu23.1
ii gpgv 2.4.4-2ubuntu23.1
ii libalgorithm-merge-perl 0.08-5
Versions of packages dpkg-dev suggests:
ii debian-keyring 2025.03.23
-- no debconf information
From b0afb5e50f653586d86374a3cd5fdd50b3f4d0a8 Mon Sep 17 00:00:00 2001
From: Simon Chopin
Date: Fri, 12 Sep 2025 15:43:45 +0200
Subject: [PATCH] dpkg-buildflags: add branch hardening flags to LDFLAGS (LP:
#2122602)
Some branch hardening features might need to also touch things up at
link time, at least to surface which features were enabled in the
module in the ELF notes.
This becomes an issue with GCC 15 which enables GCS, as the linker will
issue warning if trying to link objects with mixed GCS flags. In
essence, this would fail:
cc $(CFLAGS) -c foo.c -o foo.o
cc $(LDFLAGS) foo.o -o libfoo.so # Produces a lib without GCS bit
...
cc $(CFLAGS) $(LDFLAGS) -lfoo -o testexec test.c # Attempts to link
# testexec with GCS enabled
Output:
foo.so: warning: GCS is required by -z gcs, but this shared library
lacks the necessary property note. The dynamic loader might not enable
GCS or refuse to load the program unless all the shared library
dependencies have the GCS marking.
---
scripts/Dpkg/Vendor/Debian.pm | 1 +
scripts/Dpkg/Vendor/Ubuntu.pm | 1 +
2 files changed, 2 insertions(+)
diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index 2284e84d8..21edc713c 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -643,6 +643,7 @@ sub add_build_flags {
# be on derivatives.
if (defined $flag) {
$flags->append($_, $flag) foreach @compile_flags;
+ $flags->append('LDFLAGS', $flag);
}
}
diff --git a/scripts/Dpkg/Vendor/Ubuntu.pm b/scripts/Dpkg/Vendor/Ubuntu.pm
index c86eee9d2..37258748a 100644
--- a/scripts/Dpkg/Vendor/Ubuntu.pm
+++ b/scripts/Dpkg/Vendor/Ubuntu.pm
@@ -190,6 +190,7 @@ sub add_build_flags {
}
if (defined $flag) {
$flags->append($_, $flag) foreach @compile_flags;
+ $flags->append('LDFLAGS', $flag);
}
}
base-commit: e41dfb5eab1f03b5c3b35ef548862ba24a2aad41
--
2.48.1
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)
|
