reassign 834044 sks
tags 834044 + patch
thanks
On 11/08/2016 17:52, Daniel Kahn Gillmor wrote:
In particular, i see errors like the following:
[…]
ocamlopt -o sks -I lib -I bdb -I +cryptokit -ccopt -g -ccopt -O2 -ccopt
-fdebug-prefix-map=/home/dkg/src/sks/sks=. -ccopt -fPIE -ccopt
-fstack-protector-strong -ccopt -Wformat -ccopt -Werror=format-security
-ccopt -O3 -ccopt -Werror-implicit-function-declaration -ccopt -I`ocamlc
-ccopt -where` -ccopt -I -ccopt . -ccopt -fPIE -ccopt -pie -ccopt
-Wl,-z,relro -ccopt -Wl,-z,now -ccopt -Lbdb -dtypes -inline 40 unix.cmxa
str.cmxa bdb.cmxa nums.cmxa bigarray.cmxa cryptokit.cmxa crc.o pSet.cmx
pMap.cmx utils.cmx heap.cmx mList.cmx mTimer.cmx mArray.cmx settings.cmx
pstyle.cmx getfileopts.cmx common.cmx channel.cmx eventloop.cmx ehandlers.cmx
bitstring.cmx meteredChannel.cmx number.cmx prime.cmx zZp.cmx rMisc.cmx
linearAlg.cmx poly.cmx decode.cmx fqueue.cmx prefixTree.cmx msgContainer.cmx
nbMsgContainer.cmx cMarshal.cmx reconMessages.cmx server.cmx client.cmx
reconCS.cmx number_test.cmx decode_test.cmx poly_test.cmx Unique_time.cmx
version.cmx packet.cmx parsePGP.cmx sS
tream.cmx bdbwrap.cmx key.cmx keyHash.cmx keyMerge.cmx fixkey.cmx
fingerprint.cmx keydb.cmx armor.cmx dbMessages.cmx htmlTemplates.cmx
wserver.cmx membership.cmx tester.cmx request.cmx stats.cmx index.cmx
mRindex.cmx pTreeDB.cmx sendmail.cmx recvmail.cmx mailsync.cmx clean_keydb.cmx
build.cmx fastbuild.cmx pbuild.cmx merge_keyfiles.cmx sksdump.cmx incdump.cmx
dbserver.cmx reconComm.cmx recoverList.cmx catchup.cmx reconserver.cmx
update_subkeys.cmx sks_do.cmx unit_tests.cmx sks.cmx
/usr/bin/ld: cannot find .: File format not recognized
/usr/bin/ld: cannot find .: File format not recognized
/usr/bin/ld: cannot find .: File format not recognized
/usr/bin/ld: /usr/lib/ocaml/libasmrun.a(startup.o): relocation R_X86_64_32
against `.rodata.str1.1' can not be used when making a shared object; recompile
with -fPIC
/usr/lib/ocaml/libasmrun.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
File "caml_startup", line 1:
Error: Error during linking
Makefile:180: recipe for target 'sks' failed
I don't know where the report "ld: cannot find ." comes from (or what
it means) at all.
This error comes from the snippet:
-ccopt -I`ocamlc -ccopt -where` -ccopt -I -ccopt .
which expands to:
-I -I .
i.e. -I takes as argument "-I", and the following "." is interpreted as
a file.
And interestingly, ocaml ships a /usr/lib/ocaml/libasmrun_pic.a, which
it seems like should be chosen instead of /usr/lib/ocaml/libasmrun.a
if the goal is to link a position-independent executable.
/usr/lib/ocaml/libasmrun_pic.a can be selected with the option
"-runtime-variant _pic".
If you'd like to reproduce these errors, you can try from the sks git
repo:
git clone https://anonscm.debian.org/git/pkg-sks/pkg-sks.git -b
try-hardening sks
cd sks
dpkg-buildpackage -uc -us
If you see a way to resolve the issue in sks directly, feel free to
note it here and reassign this bug report to sks.
Attached is a simple patch that fixes compilation of sks. I don't
believe something is to be done in ocaml, therefore I am reassigning to sks.
Cheers,
--
Stéphane
From: Stephane Glondu <st...@glondu.net>
Date: Fri, 12 Aug 2016 10:25:34 +0200
Subject: Fix hardened build
---
Makefile | 4 ++--
bdb/Makefile | 2 +-
sks_build.sh | 0
3 files changed, 3 insertions(+), 3 deletions(-)
mode change 100644 => 100755 sks_build.sh
diff --git a/Makefile b/Makefile
index 3411370..186f466 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#
-CINCLUDES=-I`ocamlc -where`
+CINCLUDES=-I$(shell ocamlc -where)
CC=gcc
CXX=g++
CFLAGS+=-O3 -Werror-implicit-function-declaration $(CINCLUDES) -I .
@@ -45,7 +45,7 @@ else
OCAMLLIB= -ccopt $(BDBLIB)
endif
-CAMLLDFLAGS=$(foreach x, $(LDFLAGS), -ccopt $(x))
+CAMLLDFLAGS=$(foreach x, $(LDFLAGS), -ccopt $(x)) -runtime-variant _pic
CAMLCFLAGS=$(foreach x, $(CFLAGS), -ccopt $(x))
SKSVS=$(shell grep 'version_suffix = "+"' common.ml)
diff --git a/bdb/Makefile b/bdb/Makefile
index 3818fe2..52fbbfe 100644
--- a/bdb/Makefile
+++ b/bdb/Makefile
@@ -14,7 +14,7 @@
# $Id: Makefile,v 1.6 2003/07/05 15:16:29 yminsky Exp $
include ../Makefile.local
-CINCLUDES=-I`ocamlc -where` $(BDBINCLUDE)
+CINCLUDES=-I$(shell ocamlc -where) $(BDBINCLUDE)
CC=gcc
CXX=g++
CFLAGS+=-O3 -Werror-implicit-function-declaration $(CINCLUDES) $(BDBLIB) -I .
diff --git a/sks_build.sh b/sks_build.sh
old mode 100644
new mode 100755
