Source: ocaml
Version: 4.02.3-7
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: makes other ocaml packages FTBFS with extra hardening
Tags: patch
Affects: advi alt-ergo approx ara atdgen ben biniou bin-prot caml2html caml-crush camlimages camlmix camlp5 camomile cduce coccinelle coinst comparelib confluence coq cppo cryptokit cudf custom-printf dochelp dose3 eliom enumerate extlib fieldslib freetennis geneweb gmetadom haxe herelib janest-core janest-core-extended janest-core-kernel js-build-tools js-of-ocaml jsonm kalzium laby lambda-term libguestfs liquidsoap marionnet matita menhir mingw-ocaml misery mlpost monotone-viz mtasc oasis obus ocaml-atd ocaml-base64 ocaml-batteries ocaml-benchmark ocamlbricks ocamlcreal ocaml-csv ocaml-data-notation ocaml-deriving-ocsigen ocamldsort ocaml-estring ocaml-expect ocaml-extunix ocaml-fileutils ocaml-gettext ocamlgraph ocamlgsl ocaml-ipaddr ocaml-libvirt ocaml-melt ocamlmod ocaml-re ocaml-re2 ocaml-reins ocaml-res ocamlrss ocaml-sqlexpr ocaml-sqlite3 ocaml-textutils ocaml-usb ocamlviz ocaml-zarith ocp-indent ocsigenserver opam optcomp orpie ounit pa-bench pagodacf pa-ounit pa-structural-sexp pa-test pcre-ocaml pdfsandwich perl4caml pgocaml pipebang postgresql-ocaml ppx-core ppx-deriving ppx-driver ppx-optcomp ppx-sexp-conv ppx-type-conv prooftree scilab sexplib310 spamoracle supermin type-conv typerep tyxml unison utop uuidm variantslib virt-top why3 wyrd xml-light xmlm yojson zed

Dear Maintainers,

During a rebuild of all packages in sid, many ocaml packages failed to build on amd64 with patched GCC and dpkg. The root cause seems to be that libasmrun.a is shipped as a non-PIC library.

The rebuild tested if packages are ready for a transition enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please visit:
https://wiki.debian.org/Hardening/PIEByDefaultTransitio

Relevant part of advi's build log:

...
/usr/bin/ocamlopt -o advi \
-I /usr/lib/ocaml/camlimages \
events.o grwm.o grY11.o /usr/lib/ocaml/camlimages/camlimages_core.cmxa /usr/lib/ocaml/graphics .cmxa /usr/lib/ocaml/camlimages/camlimages_graphics.cmxa /usr/lib/ocaml/camlimages/camlimages_ps.cmxa /usr/lib/ocaml/camlimages/camlimages_freetype.cmxa unix.cmxa str.cmxa config.cmx misc.cmx timeout.cmx ageometry.cmx options.cmx rc.cmx userfile.cmx graphicsY11.cmx global_options.cmx busy.cmx gradient.cmx gterm.cmx launch.cmx dvicolor.cmx shot.cmx laser_pointer.cmx symbol.cmx input.cmx table.cmx pkfont.cmx ttfont.cmx jfm.cmx search.cmx font.cmx glyph.cmx devfont.cmx adviUnits.cmx dimension.cmx dvi.cmx drawimage.cmx gs.cmx transimpl.cmx embed.cmx grdev.cmx addons.cmx scratch.cmx cdvi.cmx driver.cmx thumbnails.cmx dviview.cmx main.cmx \
-cclib -lXinerama -cclib -lcamlimages_freetype
/usr/bin/ld: /usr/lib/ocaml/libasmrun.a(startup.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/ocaml/libasmrun.a(fail.o): relocation R_X86_64_32 against symbol `caml_exn_Failure' can not be used when making a shared object; recompile with -fPIC
...

The full build log is available from:
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/advi_1.10.2-2_amd64.build.gz

The attached patch fixed the problem.

Thanks,
Balint

diff -Nru ocaml-4.02.3/debian/patches/0012-Use-pic.patch ocaml-4.02.3/debian/patches/0012-Use-pic.patch --- ocaml-4.02.3/debian/patches/0012-Use-pic.patch 1970-01-01 01:00:00.000000000 +0100 +++ ocaml-4.02.3/debian/patches/0012-Use-pic.patch 2016-09-10 13:38:10.000000000 +0200 @@ -0,0 +1,17 @@ +Description: Generate Position Independent Code + This is needed for building Position Independent Executables +Author: Balint Reczey <bal...@balintreczey.hu> + +--- ocaml-4.02.3.orig/configure ++++ ocaml-4.02.3/configure +@@ -1015,6 +1015,10 @@ fi + bytecccompopts="$bytecccompopts -D_FILE_OFFSET_BITS=64" + nativecccompopts="$nativecccompopts -D_FILE_OFFSET_BITS=64" + ++# Use PIC ++ ++nativecccompopts="$nativecccompopts -fPIC" ++ + # Check the semantics of signal handlers + + if sh ./hasgot sigaction sigprocmask; then diff -Nru ocaml-4.02.3/debian/patches/series ocaml-4.02.3/debian/patches/series --- ocaml-4.02.3/debian/patches/series 2016-07-15 22:20:10.000000000 +0200 +++ ocaml-4.02.3/debian/patches/series 2016-09-10 13:36:09.000000000 +0200 @@ -9,3 +9,4 @@ 0010-Enable-ocamldoc-to-build-reproducible-manpages.patch 0010-Add-a-.file-directive-to-generated-.s-files.patch 0011-Compatibility-with-x32-architecture.patch +0012-Use-pic.patch
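
Review bot: in the configure hunk of 0012-Use-pic.patch, the added line nativecccompopts="$nativecccompopts -fPIC" is unconditional, so every architecture's native runtime is built with -fPIC, while the report only describes a link failure on amd64. Consider guarding it on the detected architecture or probing that the compiler accepts the flag. The "# Use PIC" comment restates the flag; it would be more useful if it said why, namely that libasmrun.a must be linkable into a PIE. The patch header carries only Description and Author, so a bug reference and a Forwarded field would help upstream tracking. The series hunk looks fine.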
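
Triage of a mass rebuild like the one described in the report can be scripted. The following is an added example, not part of the original report or of any Debian tooling: it groups the linker's non-PIC relocation errors by the file the linker blamed and lists the packages that hit each one. The advi lines are the two errors quoted in the report; `example-pkg`, `clean-pkg` and their logs are constructed for illustration.

```python
import re
from collections import defaultdict

# GNU ld's complaint when a non-PIC object is linked into a PIE or shared object.
# The file is either "archive.a(member.o)" or a bare object; "symbol " is optional.
LD_NONPIC = re.compile(
    r"\S*\bld: (?P<object>[^\s(:]+)(?:\((?P<member>[^)]+)\))?: "
    r"relocation (?P<reloc>R_\w+) against (?:symbol )?`(?P<target>[^']+)' "
    r"can not be used when making a shared object"
)

def nonpic_objects(log_text):
    """Return {blamed file: {archive member or None: {(reloc, target), ...}}}."""
    found = defaultdict(lambda: defaultdict(set))
    for m in LD_NONPIC.finditer(log_text):  # finditer also copes with unwrapped logs
        found[m["object"]][m["member"]].add((m["reloc"], m["target"]))
    return {path: dict(members) for path, members in found.items()}

def root_causes(logs):
    """Map each blamed file to the packages whose build hit it, most hits first."""
    hit = defaultdict(set)
    for package, text in logs.items():
        for path in nonpic_objects(text):
            hit[path].add(package)
    ranked = sorted(hit.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {path: sorted(pkgs) for path, pkgs in ranked}

# The two linker errors quoted in the report for advi.
ADVI_LOG = (
    "/usr/bin/ld: /usr/lib/ocaml/libasmrun.a(startup.o): relocation R_X86_64_32 "
    "against `.rodata.str1.1' can not be used when making a shared object; "
    "recompile with -fPIC\n"
    "/usr/bin/ld: /usr/lib/ocaml/libasmrun.a(fail.o): relocation R_X86_64_32 "
    "against symbol `caml_exn_Failure' can not be used when making a shared "
    "object; recompile with -fPIC\n"
)
# Constructed logs for two hypothetical packages: one failing the same way, one clean.
SAMPLE_LOGS = {
    "advi": ADVI_LOG,
    "example-pkg": ADVI_LOG.splitlines()[0] + "\n",
    "clean-pkg": "dpkg-buildpackage: info: binary-only upload\n",
}

if __name__ == "__main__":
    for path, packages in root_causes(SAMPLE_LOGS).items():
        print(f"{path}: {len(packages)} package(s): {', '.join(packages)}")
```

A single static archive appearing against many packages, as libasmrun.a does here, points at the library's build flags rather than at each failing package.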