Merge commit 'a323570a264da96a0b0bcc1c9aa017794acdc752'

1 files changed, 4 insertions, 3 deletions

diff --git a/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh b/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
index 8e2fe6c407ea..e5d296f6c9c5 100644
--- a/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/nixpkgs/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -45,11 +45,12 @@ for flag in "${!hardeningEnableMap[@]}"; do
       hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
       ;;
     pie)
+      # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
-      hardeningCFlags+=('-fPIE')
-      if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
+      hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
+      if [[ ! (" $* " =~ " -shared " || " $* " =~ " -static ") ]]; then
         if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-        hardeningCFlags+=('-pie')
+        hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
       fi
       ;;
     pic)