Package: golang
Version: 2:1.6.1-2
Severity: normal
Tags: patch

Dear Maintainer,

Please consider adding the following patch, which builds an optional package containing the compiled standard library for PIE build mode. This is a prerequisite for building position-independent executables for the purpose of hardening Go binaries against memory corruption vulnerabilities [1].

[1] https://bugs.debian.org/821454

A package maintainer who wishes to ship hardened binaries shall add a Build-Depends: golang-std-pie, and a debian/rules stanza such as

override_dh_auto_build:
	dh_auto_build -O--buildsystem=golang -- -buildmode=pie -ldflags -extldflags=-Wl,-z,now,-z,relro

In the future dh-golang could be extended to pass the above flags.

Regards,
Peter
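As an added check (not part of this bug report or of the golang package), the following Python script reads an ELF64 binary and reports whether it has the three properties the stanza above asks the linker for: a PIE (ET_DYN file type), a PT_GNU_RELRO segment (-z relro) and the BIND_NOW dynamic flag (-z now). The make_sample helper is a constructed minimal ELF image so the script runs without a real binary; pass a path as the first argument to inspect an actual build.

```python
import struct
import sys

# ELF64 constants (glibc elf.h) for the properties -buildmode=pie and -z now,-z relro produce.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf_hardening(data: bytes) -> dict:
    """Report pie / relro / bind_now for a little-endian ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]          # ET_DYN means PIE
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro, dynamic = False, None
    for i in range(e_phnum):                                # walk the program headers
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True                                    # produced by -z relro
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    bind_now = False
    if dynamic:                                             # scan .dynamic for -z now
        for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now}

def make_sample(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (headers and .dynamic only, no code) used as sample input."""
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum                               # .dynamic follows the program headers
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    def phdr(p_type, p_off=0, size=0):
        return struct.pack("<IIQQQQQQ", p_type, 4, p_off, 0, 0, size, size, 8)
    phdrs = phdr(PT_DYNAMIC, dyn_off, len(dyn)) + (phdr(PT_GNU_RELRO) if relro else b"")
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(True, True, True)
    print(elf_hardening(data))
```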
>From 8622c71c744b7099d1a8b5ddd553cdb736351dcc Mon Sep 17 00:00:00 2001 From: Peter Colberg <[email protected]> Date: Fri, 29 Apr 2016 08:01:02 -0400 Subject: [PATCH] Package compiled stdlib for PIE build mode --- debian/control | 17 +++++++++++++++++ debian/golang-std-pie.install | 1 + debian/rules | 3 +++ 3 files changed, 21 insertions(+) create mode 100644 debian/golang-std-pie.install diff --git a/debian/control b/debian/control index d08c525..c51864b 100644 --- a/debian/control +++ b/debian/control @@ -86,6 +86,23 @@ Description: Go programming language - source files This package provides the Go programming language source files needed for cross-compilation. +Package: golang-std-pie +Depends: golang-go (>= ${source:Version}), ${misc:Depends}, ${shlibs:Depends} +Architecture: amd64 arm64 armel armhf i386 ppc64 ppc64el +Build-Profiles: <!cross> +Description: Go programming language - compiled stdlib for PIE build mode + The Go programming language is an open source project to make programmers more + productive. Go is expressive, concise, clean, and efficient. Its concurrency + mechanisms make it easy to write programs that get the most out of multicore + and networked machines, while its novel type system enables flexible and + modular program construction. Go compiles quickly to machine code yet has the + convenience of garbage collection and the power of run-time reflection. It's a + fast, statically typed, compiled language that feels like a dynamically typed, + interpreted language. + . + This package provides the compiled standard library for the Go programming + language for the purpose of building position-independent executables (PIE). + Package: golang-doc Depends: golang-go, ${misc:Depends} Architecture: all diff --git a/debian/golang-std-pie.install b/debian/golang-std-pie.install new file mode 100644 index 0000000..ef62e13 --- /dev/null +++ b/debian/golang-std-pie.install @@ -0,0 +1 @@ +pkg/*_*_shared /usr/lib/go/pkg/ 
diff --git a/debian/rules b/debian/rules index cb30d52..1e17ee1 100755 --- a/debian/rules +++ b/debian/rules @@ -76,6 +76,9 @@ override_dh_auto_build-arch: && cd src \ && $(CURDIR)/debian/helpers/goenv.sh \ bash ./make.bash --no-banner +ifeq (,$(filter cross,$(DEB_BUILD_PROFILES))) + $(GOROOT)/bin/go install -v -buildmode=pie std +endif opt_no_act := ifneq (,$(findstring n,$(MAKEFLAGS))) -- 2.8.1
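Review bot: in the debian/control hunk, `Depends: golang-go (>= ${source:Version})` on the new golang-std-pie package lets golang-go be upgraded on its own, leaving compiled stdlib archives in pkg/*_shared that were built by a different compiler than the one installed; since those archives are only valid for the exact toolchain that produced them, a strict lock such as `golang-go (= ${binary:Version})` is the safer choice. The `Architecture:` list also includes ppc64 alongside ppc64el; worth confirming that every listed architecture accepts -buildmode=pie in this Go version, because the `go install -buildmode=pie std` step added to debian/rules would fail on any that does not.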
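Review bot: the new debian/golang-std-pie.install line `pkg/*_*_shared /usr/lib/go/pkg/` assumes the reader knows that `_shared` is the install suffix the go tool appends to the output directory for -buildmode=pie; a short comment next to the install step in debian/rules naming that convention would explain why this glob, and not a `_pie` pattern, picks up the result of the build step, and would also make it obvious that nothing else under pkg/ is expected to match it.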
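Review bot: in the debian/rules hunk, `$(GOROOT)/bin/go install -v -buildmode=pie std` runs outside the `$(CURDIR)/debian/helpers/goenv.sh` wrapper that the preceding `bash ./make.bash --no-banner` invocation goes through, so it may see a different GOROOT/GOOS/GOARCH/CGO environment than the toolchain that was just built; invoking it through the same helper, or documenting why it does not need it, would keep the two steps consistent. The `ifeq (,$(filter cross,$(DEB_BUILD_PROFILES)))` guard mirrors `Build-Profiles: <!cross>` in debian/control, which is right; a comment tying the two together would help whoever later changes one without the other.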

