non_verbose_build => 1 << 2,
flags_missing => 1 << 3,
hardening_wrapper => 1 << 4,
+ invalid_cmake => 1 << 5,
);
# Statistics of missing flags and non-verbose build commands. Used for
error_color(':', 'yellow'),
$line;
}
+sub error_invalid_cmake {
+ my ($version) = @_;
+
+ printf "%s%s %s\n",
+ error_color('INVALID CMAKE', 'red'),
+ error_color(':', 'yellow'),
+ $version;
+}
sub error_hardening_wrapper {
printf "%s%s %s\n",
error_color('HARDENING WRAPPER', 'red'),
FILE: foreach my $file (@ARGV) {
open my $fh, '<', $file or die "$!: $file";
+ # Architecture of this file.
+ my $arch = $option_arch;
+
# Hardening options. Not all architectures support all hardening options.
my $harden_format = 1;
my $harden_fortify = 1;
# flags are not checked.
if ($option_buildd and $line =~ /^Toolchain package versions: /) {
require Dpkg::Version;
- if ($line !~ /dpkg-dev_(\S+)/
+ if ($line !~ /\bdpkg-dev_(\S+)/
or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
$harden_format = 0;
$harden_fortify = 0;
}
}
+ # The following two versions of CMake in Debian obeyed CPPFLAGS, but
+ # this was later dropped because upstream rejected the patch. Thus
+ # build logs with these versions will have fortify hardening flags
+ # enabled, even though they may be not correctly set and are missing
+ # when build with later CMake versions. Thanks to Aron Xu for letting
+ # me know.
+ if ($line =~ /^Package versions: /
+ and $line =~ /\bcmake_(\S+)/
+ and ($1 eq '2.8.7-1' or $1 eq '2.8.7-2')) {
+ if (not $option_buildd) {
+ error_invalid_cmake($1);
+ } else {
+ print "W-invalid-cmake-used $1\n";
+ }
+ $exit |= $exit_code{invalid_cmake};
+ }
+
# If hardening wrapper is used (wraps calls to gcc and adds hardening
# flags automatically) we can't perform any checks, abort.
if ($line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
last if $line =~ /^Build finished at \d{8}-\d{4}$/;
# Detect architecture automatically unless overridden.
- if (not $option_arch
+ if (not $arch
and $line =~ /^dpkg-buildpackage: host architecture (.+)$/) {
- $option_arch = $1;
+ $arch = $1;
}
# Ignore compiler warnings for now.
}
# Option or auto detected.
- if ($option_arch) {
+ if ($arch) {
# The following was partially copied from dpkg-dev 1.16.1.2
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, add_hardening_flags()),
# copyright Raphaƫl Hertzog <hertzog@debian.org>, Kees Cook
# later. Keep it in sync.
require Dpkg::Arch;
- my ($abi, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($option_arch);
+ my ($abi, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($arch);
# Disable unsupported hardening options.
- if ($cpu =~ /^(ia64|alpha|mips|mipsel|hppa)$/ or $option_arch eq 'arm') {
+ if ($cpu =~ /^(ia64|alpha|mips|mipsel|hppa)$/ or $arch eq 'arm') {
$harden_stack = 0;
}
if ($cpu =~ /^(ia64|hppa|avr32)$/) {
ruderich.org/simon / blhc / blhc.git / blobdiff