X-Git-Url: https://ruderich.org/simon/gitweb/?p=blhc%2Fblhc.git;a=blobdiff_plain;f=bin%2Fblhc;h=9ed648aa1a7be09fabffa22514b7cabb35a87166;hp=e2658ae9f329f96959ef5b229d8035a6fa1f5172;hb=22380d5ef99ff37e3c96070d65f01c34a8f0ba82;hpb=e3658a072c1a1b97147af5695b95817b4d5e4d9b
diff --git a/bin/blhc b/bin/blhc
index e2658ae..9ed648a 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -688,8 +688,13 @@ foreach my $file (@ARGV) {
 # only, doesn't use the dpkg-buildpackage header. Necessary to ignore
 # build logs which aren't built (wrong architecture, build error,
 # etc.).
- if (not $arch and index($line, 'Architecture: ') == 0) {
- $arch = substr $line, 14, -1; # -1 to ignore '\n' at the end
+ if (not $arch) {
+ if (index($line, 'Build Architecture: ') == 0) {
+ $arch = substr $line, 20, -1; # -1 to ignore '\n' at the end
+ # For old logs (sbuild << 0.63.0-1).
+ } elsif (index($line, 'Architecture: ') == 0) {
+ $arch = substr $line, 14, -1; # -1 to ignore '\n' at the end
+ }
 }

 # dpkg-buildflags only provides hardening flags since 1.16.1, don't
@@ -729,9 +734,11 @@ foreach my $file (@ARGV) {
 }
 }

- # Debian's build daemons use Build-Depends: for the build
- # dependencies, but pbuilder just uses Depends:; support both.
- if (index($line, 'Build-Depends: ') == 0
+ # Debian's build daemons use "Filtered Build-Depends:" (or just
+ # "Build-Depends:" in older versions) for the build dependencies, but
+ # pbuilder uses "Depends:"; support both.
+ if (index($line, 'Filtered Build-Depends: ') == 0
+ or index($line, 'Build-Depends: ') == 0
 or index($line, 'Depends: ') == 0) {
 # If hardening wrapper is used (wraps calls to gcc and adds
 # hardening flags automatically) we can't perform any checks,
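Review bot: In the hunk at @@ -688,8 +688,13 @@ both new `substr` calls copy the architecture straight from the log using hand-counted offsets (20 and 14) and strip exactly one trailing character. A log with CRLF line endings or trailing blanks would therefore leave stray whitespace in `$arch`, and that value later selects which hardening checks are switched off. Taking the offset from the literal and trimming the result avoids both problems, e.g. `$arch = substr $line, length('Build Architecture: ');` followed by `$arch =~ s/\s+\z//;`. The enclosing `foreach` body starts and ends outside the hunk.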
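Review bot: In the hunk at @@ -729,9 +734,11 @@ the rewritten comment still ends with "support both" although the condition now accepts three prefixes. Something like `# pbuilder uses "Depends:"; support all three.` would match the code. The body of this `if` continues outside the hunk.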
@@ -920,7 +927,7 @@ foreach my $file (@ARGV) {

 # Option or auto detected.
 if ($arch) {
- # The following was partially copied from dpkg-dev 1.16.4.3
+ # The following was partially copied from dpkg-dev 1.17.1
 # (/usr/share/perl5/Dpkg/Vendor/Debian.pm, add_hardening_flags()),
 # copyright Raphaël Hertzog , Kees Cook
 # , Canonical, Ltd. licensed under GPL version 2 or
@@ -930,7 +937,12 @@ foreach my $file (@ARGV) {
 my ($abi, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($arch);

 # Disable unsupported hardening options.
- if ($cpu =~ /^(?:ia64|alpha|mips|mipsel|hppa)$/ or $arch eq 'arm') {
+ if ($os !~ /^(?:linux|knetbsd|hurd)$/ or
+ $cpu =~ /^(?:hppa|mips|mipsel|avr32)$/) {
+ $harden_pie = 0;
+ }
+ if ($cpu =~ /^(?:ia64|alpha|mips|mipsel|hppa|arm64)$/
+ or $arch eq 'arm') {
 $harden_stack = 0;
 }
 if ($cpu =~ /^(?:ia64|hppa|avr32)$/) {
@@ -972,8 +984,8 @@ foreach my $file (@ARGV) {
 # Stores normal CFLAGS when @cflags_ada are temporarily used.
 my @cflags_backup;

- # Ada CFLAGS.
- my @cflags_ada = @cflags;
+ # Ada CFLAGS, only set if ada is used.
+ my @cflags_ada;
 # Ada doesn't support format hardening flags, see #680117 for more
 # information. Filter them out if ada is used.
 if ($ada and $harden_format) {
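Review bot: In the hunk at @@ -930,7 +937,12 @@ the new `$os !~ /^(?:linux|knetbsd|hurd)$/` test fails open, because no definedness check is visible between `debarch_to_debtriplet($arch)` and this condition. If the call returns nothing for an architecture string it does not recognise (presumably possible, since `$arch` is an option or auto-detected from the log), `$os` is undef, the negated match is true and `$harden_pie` is turned off. The old code used only positive matches, which left every check enabled in that case. Handling the unknown case first, e.g. `die "unknown architecture '$arch'\n" if not defined $os;` or the script's usual error path, would stop a malformed log from silently dropping the PIE check. The enclosing `if ($arch)` block starts and ends outside the hunk.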
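Review bot: In the hunk at @@ -972,8 +984,8 @@ `@cflags_ada` now starts empty, and the only place visible here that could fill it is the `if ($ada and $harden_format)` block, whose body lies outside the hunk. If the assignment lives only there, a log that uses Ada while format hardening is disabled would be compared against an empty flag list and report nothing missing. It is worth confirming that the list is populated whenever `$ada` is true and saying so in the comment, e.g. `# Ada CFLAGS, filled from @cflags below whenever $ada is set.`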