[Gluster-devel] Fwd: [Fedora-packaging] [HEADS UP] libtool + %global _hardened_build 1 = no full hardening

Kaleb KEITHLEY kkeithle at redhat.com
Thu Jun 27 11:04:16 UTC 2013 

Yes, it applies to us. Good catch.


On 06/26/2013 07:26 PM, Joe Julian wrote:
> This applies to us, does it not?
>
>
> -------- Original Message --------
> Subject: 	[Fedora-packaging] [HEADS UP] libtool + %global
> _hardened_build 1 = no full hardening
> Date: 	Wed, 26 Jun 2013 17:39:07 +0200
> From: 	Björn Esser <bjoern.esser at gmail.com>
> Reply-To: 	Discussion of RPM packaging standards and practices for
> Fedora <packaging at lists.fedoraproject.org>
> To: 	packaging at lists.fedoraproject.org, devel at lists.fedoraproject.org
>
>
>
> Hello list!
>
> As discussed a few days ago [1] there's a _severe_ bug in autotool's
> libtool known for ages [2] preventing libs not to be build fully
> hardened (partial RELRO), even if you have included `%global
> _hardened_build 1` into you rpm-spec.
>
> There was some LDFLAGS-hack [3] mentioned by me during review of
> bz# 977446 nbdkit, which turned out to block proper exporting of LDFLAGS
> during `%configure`-invocation.  So I did some experiments how to get a
> proper working and future aware solution for this.
>
> I recommend EVERYBODY, who maintains pkgs meeting the above criteria
> (libtool + hardening) to re-check their build pkg's proper hardening
> invoking `hardening-check --color --verbose $path_to_lib` and if it's
> report reveals
>
>        ...
>        Read-only relocations: yes
> --->  Immediate binding: no, not found!  <---
>
> to apply the following lines immediatly AFTER invoking `%configure` to
> their affected pkg's spec:
>
> # dirty hack to force immediate binding with hardenend build having
> # autocrap's libtool pass the need gcc-specs to linker.
> sed -i -e 's! \\\$compiler_flags !&\\\$CFLAGS \\\$LDFLAGS !' libtool
>
> This simple (but effective) hack makes sure ALL hardening-relevant flags
> are passed to the linker.
>
> I just filed a ticket for FESCo-meeting [4] to have this workaround
> included in `%configure`-macro provided by rpm-package.
>
> If you are unsure whether your package is affected this feel free to ask
> me and please provide a build.log, so I can check.
>
> Cheers,
>    Björn
>
> [1]https://lists.fedoraproject.org/pipermail/devel/2013-June/184429.html
> [2]http://lists.gnu.org/archive/html/bug-libtool/2005-10/msg00003.html
> [3]https://bugzilla.redhat.com/show_bug.cgi?id=977446#c13
> [4]https://fedorahosted.org/fesco/ticket/1132
>
>
>
>
>
>
> _______________________________________________
> Gluster-devel mailing list
> Gluster-devel at nongnu.org
> https://lists.nongnu.org/mailman/listinfo/gluster-devel
>

More information about the Gluster-devel mailing list