Package: mpv
Version: 0.10.0-1
Severity: important
Tags: patch

Hello,

in the last upload all additional hardening options were dropped. Please re-enable them. As a video player, mpv is prone to vulnerabilities in its libraries, and the additional hardening flags make exploits more difficult.

The source of the build problem is a PIE vs. PIC conflict. Libraries must be built with PIC, binaries with PIE. When passed the PIE flag via CFLAGS/LDFLAGS, the build system must filter it out when it's linking shared libraries; however, waf is apparently not doing that.

The attached hacky patch fixes this issue for mpv, please apply it for now. If possible, waf should be improved to handle that conflict on its own.

With the patch, all hardening options can be enabled again:

    export DEB_BUILD_MAINT_OPTIONS := hardening=+all

Regards
Simon

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Index: mpv-0.10.0/waflib/Context.py =================================================================== --- mpv-0.10.0.orig/waflib/Context.py +++ mpv-0.10.0/waflib/Context.py @@ -140,6 +140,10 @@ class Context(ctx): def exec_command(self,cmd,**kw): subprocess=Utils.subprocess kw['shell']=isinstance(cmd,str) + # FIXME: hacky solution to fix PIC-PIE-conflict + if '-shared' in cmd: + Logs.debug('runner: old %r'%(cmd,)) + cmd = [x for x in cmd if x != '-fPIE' and x != '-pie'] Logs.debug('runner: %r'%(cmd,)) Logs.debug('runner_env: kw=%s'%kw) if self.logger:
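Review bot: the new filter in exec_command assumes cmd is a list, but the unchanged line just above it (kw['shell']=isinstance(cmd,str)) shows that cmd can also be a string. For a string, '-shared' in cmd becomes a substring match and the list comprehension then breaks the command into single characters while kw['shell'] stays true, so the block should be guarded with isinstance(cmd, list) or handle the string case separately. Because exec_command is the generic command runner, the filter also applies to every command that contains '-shared', not only to the shared-library link step, and it removes only the exact tokens '-fPIE' and '-pie'; the FIXME comment should say which commands it is meant to affect so the workaround can be removed once waf handles the conflict itself.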
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers