Your message dated Thu, 24 Sep 2015 19:18:59 +0000
with message-id <e1zfc2l-0005ok...@franck.debian.org>
and subject line Bug#799738: fixed in mpv 0.11.0-1
has caused the Debian Bug report #799738,
regarding mpv: Please re-enable all hardening options
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
799738: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799738
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mpv
Version: 0.10.0-1
Severity: important
Tags: patch

Hello,

in the last upload all additional hardening options were dropped.
Please re-enable them. As a video player, mpv is prone to
vulnerabilities in its libraries, and the additional hardening
flags make exploits more difficult.

The source of the build problem is a PIE vs. PIC conflict.
Libraries must be built with PIC, binaries with PIE. When passed
the PIE flag via CFLAGS/LDFLAGS, the build system must filter it
out when it's linking shared libraries; however, waf is apparently
not doing that.

The attached hacky patch fixes this issue for mpv; please apply
it for now. If possible, waf should be improved to handle that
conflict on its own. With the patch, all hardening options can be
enabled again:

    export DEB_BUILD_MAINT_OPTIONS := hardening=+all

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Index: mpv-0.10.0/waflib/Context.py
===================================================================
--- mpv-0.10.0.orig/waflib/Context.py
+++ mpv-0.10.0/waflib/Context.py
@@ -140,6 +140,10 @@ class Context(ctx):
 	def exec_command(self,cmd,**kw):
 		subprocess=Utils.subprocess
 		kw['shell']=isinstance(cmd,str)
+		# FIXME: hacky solution to fix PIC-PIE-conflict
+		if '-shared' in cmd:
+			Logs.debug('runner: old %r'%(cmd,))
+			cmd = [x for x in cmd if x != '-fPIE' and x != '-pie']
 		Logs.debug('runner: %r'%(cmd,))
 		Logs.debug('runner_env: kw=%s'%kw)
 		if self.logger:
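Review bot: the added `if '-shared' in cmd:` test does not check the type of `cmd`, although the context line `kw['shell']=isinstance(cmd,str)` just above shows that `cmd` may be a string. For a string, `in` becomes a substring match and the list comprehension iterates over characters, so the command would be turned into a list of single characters while `kw['shell']` is already True. Guard the block with `isinstance(cmd, list)`, or split the string form before filtering. The filter also lives in the generic `exec_command`, so it runs for every command waf executes and only matches the exact spellings `-fPIE` and `-pie`; filtering where the shared-library link flags are assembled would be narrower, and the FIXME comment should state what waf change would allow the hack to be dropped.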


--- End Message ---
--- Begin Message ---
Source: mpv
Source-Version: 0.11.0-1

We believe that the bug you reported is fixed in the latest version of
mpv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 799...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <gh...@debian.org> (supplier of updated mpv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 24 Sep 2015 21:04:07 +0200
Source: mpv
Binary: mpv mpv-dbg libmpv1 libmpv-dev libmpv-dbg
Architecture: source amd64
Version: 0.11.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Alessandro Ghedini <gh...@debian.org>
Description:
 libmpv-dbg - video player based on MPlayer/mplayer2 (client library debug)
 libmpv-dev - video player based on MPlayer/mplayer2 (client library dev files)
 libmpv1    - video player based on MPlayer/mplayer2 (client library)
 mpv        - video player based on MPlayer/mplayer2
 mpv-dbg    - video player based on MPlayer/mplayer2 (debug)
Closes: 798985 799738
Changes:
 mpv (0.11.0-1) unstable; urgency=medium
 .
   * New upstream release
   * Drop ladspa-sdk and libbs2b-dev from Build-Depends
   * Enable sndio audio output (Closes: #798985)
   * Re-enable PIE.
     Thanks to Simon Ruderich for the patch (Closes: #799738)

--- End Message ---