Add --debian to handle PIE flags like buildd mode

diff --git a/MANIFEST b/MANIFEST
index e6bf6513d104fb70d3a7e05166ebf5cc6f96798c..09932f45dd9f85f5bd09ca77e657423178839ecd 100644 (file)
--- a/MANIFEST
+++ b/MANIFEST
@@ -39,6 +39,7 @@ t/logs/debian
 t/logs/debian-cmake
 t/logs/debian-cmake-2
 t/logs/debian-cmake-ok
+t/logs/debian-gcc-pie
 t/logs/debian-hardening-wrapper
 t/logs/debian-hardening-wrapper-old-build-depends
 t/logs/debian-hardening-wrapper-pbuilder

diff --git a/NEWS b/NEWS
index f980c0780c784fd2f3e3d8da890d06ee91762ec8..62dd83b9292d8d481cbf4b941e65b44221e26764 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,10 @@ Version 0.XX
 - Add better support for Fortran (c.f. Debian Bug #853265).
 - Don't report missing PIE flags in buildd mode if GCC defaults to PIE (c.f.
   Debian Bug 845339).
+- Add new --debian option to handle PIE flags like buildd mode, thanks to
+  Eriberto Mota for the suggestion. This is not enabled per default to prevent
+  false negatives as the flags are missing from the build log and blhc can't
+  detect if the compiler applied PIE internally (c.f. Debian Bug 845339).
 
 
 Version 0.07

diff --git a/bin/blhc b/bin/blhc
index cfdcbba0fd103770b0b0a068d56fe0c1223083c5..daf5bd22c2bfa25212e87285247f5a57ea3792ad 100755 (executable)
--- a/bin/blhc
+++ b/bin/blhc
@@ -602,6 +602,7 @@ my @option_ignore_arch_line = ();
 my $option_all              = 0;
 my $option_arch             = undef;
 my $option_buildd           = 0;
+my $option_debian           = 0;
    $option_color            = 0;
 if (not Getopt::Long::GetOptions(
             'help|h|?'           => \$option_help,
@@ -620,6 +621,7 @@ if (not Getopt::Long::GetOptions(
             'color'              => \$option_color,
             'arch=s'             => \$option_arch,
             'buildd'             => \$option_buildd,
+            'debian'             => \$option_debian,
         )) {
     require Pod::Usage;
     Pod::Usage::pod2usage(2);
@@ -751,8 +753,11 @@ foreach my $file (@ARGV) {
     my $parallel = 10;
 
     # Don't check for PIE flags if automatically applied by the compiler. Only
-    # used in buildd mode.
+    # used in buildd and Debian mode.
     my $disable_harden_pie = 0;
+    if ($option_debian) {
+        $disable_harden_pie = 1;
+    }
 
     while (my $line = <$fh>) {
         # Detect architecture automatically unless overridden. For buildd logs
@@ -1488,6 +1493,12 @@ error).
 
 =back
 
+=item B<--debian>
+
+Apply Debian-specific settings. At the moment this only disables checking for
+PIE which is automatically applied by Debian's GCC and no longer requires a
+compiler command line argument.
+
 =item B<--color>
 
 Use colored (ANSI) output for warning messages.

diff --git a/t/logs/debian-gcc-pie b/t/logs/debian-gcc-pie
new file mode 100644 (file)
index 0000000..b804389
--- /dev/null
+++ b/t/logs/debian-gcc-pie
@@ -0,0 +1,5 @@
+dpkg-buildpackage: source package foo package
+dpkg-buildpackage: host architecture amd64
+
+gcc -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -Wformat -Werror=format-security -o test test.c
+gcc -fPIE -pie -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -Wformat -Werror=format-security -o test test.c

diff --git a/t/tests.t b/t/tests.t
index 4c6b5dcac129a4deb0e3e4c3a180fe5287cb9891..1ed4dd347d61da6a60c241ae649ca4eeb5f2d25e 100644 (file)
--- a/t/tests.t
+++ b/t/tests.t
@@ -19,7 +19,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 226;
+use Test::More tests => 228;
 
 
 sub is_blhc {
@@ -967,6 +967,11 @@ is_blhc 'debian-cmake', '--buildd', 0,
 ';
 
 
+# debian specific settings
+
+is_blhc 'debian-gcc-pie', '--debian', 0, '';
+
+
 # multiple files
 
 is_blhc ['good', 'good-pie', 'good-bindnow', 'good-all', 'good-multiline', 'good-library'], '', 0,