Closes Debian bug #757683, reported by Matthias Klose.
- Check for -fstack-protector-strong on supported platforms (since dpkg
1.17.11) (Debian bug #757885), reported by Markus Koschany.
- Consider lines with -O0 or -Og debug builds and disable checks for -O2
- (Debian bug #714628), reported by Matthias Klose.
+ (Debian bug #714628), reported by Matthias Klose. Also don't check for
+ fortification in those lines as it requires optimization (Debian bug
+ #757683), also reported by Matthias Klose.
Version 0.04
my @def_cppflags = ();
my @def_cppflags_fortify = (
'-D_FORTIFY_SOURCE=2', # must be first, see cppflags_fortify_broken()
- # If you add another flag fix hack below (search for "Hack to fix").
+ # If you add another flag fix hack below (search for "Hack to fix") and
+ # $def_cppflags_fortify[0].
);
my @def_cppflags_fortify_bad = (
# These flags may overwrite -D_FORTIFY_SOURCE=2.
# for a debug build.
if (any_flags_used($line, @def_cflags_debug)) {
remove_flags([\@cflags], \%flag_renames, $def_cflags[1]);
+ remove_flags([\@cppflags], \%flag_renames, $def_cppflags_fortify[0]);
}
# Check hardening flags.
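Review bot: The added `remove_flags([\@cppflags], \%flag_renames, $def_cppflags_fortify[0]);` drops the fortify requirement for every line that matches `@def_cflags_debug`, which according to the NEWS entry covers `-Og` as well as `-O0`. As far as I know GCC still defines `__OPTIMIZE__` under `-Og`, so `-D_FORTIFY_SOURCE=2` takes effect there, and a `-Og` build that omits it would now pass unreported. I would limit the removal to unoptimized lines, for example `remove_flags([\@cppflags], \%flag_renames, $def_cppflags_fortify[0]) if any_flags_used($line, '-O0');`, and keep the `-Og` fixtures that carry `-D_FORTIFY_SOURCE=2` as the expected-clean case. The positional lookups `$def_cflags[1]` and `$def_cppflags_fortify[0]` depend on array order and would be safer as named scalars. The enclosing block starts outside this hunk, so the contents of `@def_cflags_debug` should be confirmed against the full file.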
gcc -g -O0 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.c
gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
+# -D_FORTIFY_SOURCE=2 requires -O2 to work, therfore ignore it for debug
+# lines.
+gcc -g -O0 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -c test-a.c
+gcc -g -O0 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -c test-b.c
+gcc -g -O0 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -c test-c.c
+gcc -g -O0 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -c test-d.c
+gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
+
gcc -g -Og -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
gcc -g -Og -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
gcc -g -Og -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c