hardening-no-pie
This package provides an ELF executable that was not compiled as a position independent executable (PIE).
In Debian, since version 6.2.0-7 of the gcc-6 package, GCC compiles ELF binaries with PIE by default. In most cases a simple rebuild will be sufficient to remove this tag.
PIE is required to fully enable Address Space Layout Randomization (ASLR), which makes return-oriented attacks more difficult.
Historically, PIE has been associated with noticeable performance overhead on i386. However, GCC >= 5 has implemented an optimization that can reduce the overhead significantly.
If you use dpkg-buildflags with hardening=+all,-pie in DEB_BUILD_MAINT_OPTIONS, remove the -pie.
Severity: warning
Experimental: false