PND4

/dev/notes

Creating a PKGBUILD for lzo-2.08 on ArchLinuxARM

Using ArchLinuxARM with OpenVPN broke on my PogoPlug e02 after lzo2 was updated from 2.06-3 to 2.07-2 a few days ago. After another ALARM user confirmed the issue, a couple days passed without a solution and downgrading to 2.06-3 not only is bad practice due to "CVE-2014-4607" but paper-thin, since its disappearing from repos and its likely it won't be in your local package cache forever.. Fueled by boredom, I decided to fix the problem myself.

Using 2.07-2 as a base

Copied PKGBUILD for lzo2-2.07-2 from ABS.
Changed 'arch' to suit ALARM.
Deleted the stuff regarding 2.07 (patch: src, checksums).
Changed pkg version and release values from '2.07-2' to make '2.08-1' respectively.

Making it work

Seems like adding CFLAGS="-DLZO_DEBUG" before ./configure .. made the difference whether it built or not.

Maintaining Security?

However setting the CFLAGS environment variable showed a warning that if not using at least "-O" ("-O2" being the default makepkg.conf optimization CFLAG) then it would not use "-DFORTIFYSOURCE=2" which sounds important from a security-minded perspective.

After some light reading about GCC's flags:
Security Related Flags
-O option flag
Relationship: FORTIFY_SOURCE & O-Flag

Looks like the best option would be to disable 'FORTIFYSOURCE' but still maintain the highest level of security otherwise and retain the ability to protect from stack-smashing attacks by setting 'stack-protector-all'. It seems with 2.08 we have only two choices: "-O0" or no optimizations at all. Personally, I'd gladly sacrifice runtime-speed optimizations for security, when having both is not an option and since ARM devices don't have much memory, why not use "-O0" if we can.

This equates to CFLAGS="-Wall -O0 -U_FORTIFY_SOURCE -fstack-protector-all"
(seen on line #21)

Full PKGBUILD

(PKGBUILD) download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#### PND4 - 07/02/14 07:30
# http://pnd4.github.io/downloads/code/lzo-2.08-1-arm/PKGBUILD

pkgname=lzo2
pkgver=2.08
pkgrel=1
pkgdesc="Portable lossless data compression library"
arch=('arm')
url="http://www.oberhumer.com/opensource/lzo"
license=('GPL')
depends=('glibc')
source=(http://www.oberhumer.com/opensource/lzo/download/lzo-${pkgver}.tar.gz)
md5sums=('fcec64c26a0f4f4901468f360029678f')

prepare() {
  cd "${srcdir}/lzo-${pkgver}"
}

build() {
  cd "${srcdir}/lzo-${pkgver}"
  CFLAGS="-Wall -O0 -U_FORTIFY_SOURCE -fstack-protector-all" ./configure --prefix=/usr --enable-shared

  make

  # build minilzo
  gcc $CFLAGS -fpic -Iinclude/lzo -o minilzo/minilzo.o -c minilzo/minilzo.c
  gcc $LDFLAGS -shared -o libminilzo.so.0 -Wl,-soname,libminilzo.so.0 minilzo/minilzo.o

}

check() {
  cd "${srcdir}/lzo-${pkgver}"
  make test # Larger test
  make check
}

package() {
  cd "${srcdir}/lzo-${pkgver}"
  make DESTDIR=${pkgdir} install

  # install minilzo
  install -m 755 libminilzo.so.0 ${pkgdir}/usr/lib
  install -p -m 644 minilzo/minilzo.h ${pkgdir}/usr/include/lzo
  cd ${pkgdir}/usr/lib
  ln -s libminilzo.so.0 libminilzo.so
}

TO-DO

  • Have someone proof/verify the PKGBUILD.