<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
This applies to us, does it not?<br>
<div class="moz-forward-container"><br>
<br>
-------- Original Message --------
<table class="moz-email-headers-table" border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject:
</th>
<td>[Fedora-packaging] [HEADS UP] libtool + %global
_hardened_build 1 = no full hardening</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
<td>Wed, 26 Jun 2013 17:39:07 +0200</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
<td>Björn Esser <a class="moz-txt-link-rfc2396E" href="mailto:bjoern.esser@gmail.com">&lt;bjoern.esser@gmail.com&gt;</a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Reply-To:
</th>
<td>Discussion of RPM packaging standards and practices for
Fedora <a class="moz-txt-link-rfc2396E" href="mailto:packaging@lists.fedoraproject.org">&lt;packaging@lists.fedoraproject.org&gt;</a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:packaging@lists.fedoraproject.org">packaging@lists.fedoraproject.org</a>,
<a class="moz-txt-link-abbreviated" href="mailto:devel@lists.fedoraproject.org">devel@lists.fedoraproject.org</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<pre>Hello list!

As discussed a few days ago [1] there's a _severe_ bug in autotool's
libtool known for ages [2] preventing libs from being built fully
hardened (partial RELRO), even if you have included `%global
_hardened_build 1` in your rpm-spec.

There was some LDFLAGS-hack [3] mentioned by me during review of
bz# 977446 nbdkit, which turned out to block proper exporting of LDFLAGS
during `%configure`-invocation. So I did some experiments on how to get a
proper working and future-aware solution for this.

I recommend EVERYBODY, who maintains pkgs meeting the above criteria
(libtool + hardening), to re-check their built pkgs' proper hardening by
invoking `hardening-check --color --verbose $path_to_lib` and, if its
report reveals

...
Read-only relocations: yes
---&gt; Immediate binding: no, not found! &lt;---

to apply the following lines immediately AFTER invoking `%configure` in
their affected pkg's spec:

# dirty hack to force immediate binding with hardened build having
# autocrap's libtool pass the needed gcc-specs to linker.
sed -i -e 's! \\\$compiler_flags !&amp;\\\$CFLAGS \\\$LDFLAGS !' libtool

This simple (but effective) hack makes sure ALL hardening-relevant flags
are passed to the linker.

I just filed a ticket for FESCo-meeting [4] to have this workaround
included in the `%configure`-macro provided by the rpm-package.

If you are unsure whether your package is affected by this, feel free to ask
me and please provide a build.log, so I can check.

Cheers,
Björn
[1]<a class="moz-txt-link-freetext" href="https://lists.fedoraproject.org/pipermail/devel/2013-June/184429.html">https://lists.fedoraproject.org/pipermail/devel/2013-June/184429.html</a>
[2]<a class="moz-txt-link-freetext" href="http://lists.gnu.org/archive/html/bug-libtool/2005-10/msg00003.html">http://lists.gnu.org/archive/html/bug-libtool/2005-10/msg00003.html</a>
[3]<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=977446#c13">https://bugzilla.redhat.com/show_bug.cgi?id=977446#c13</a>
[4]<a class="moz-txt-link-freetext" href="https://fedorahosted.org/fesco/ticket/1132">https://fedorahosted.org/fesco/ticket/1132</a>
</pre>
<br>
</div>
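<p>Added example, not part of Björn's mail and not code from Fedora's packaging tooling: a small POSIX shell script that reproduces the two steps of the advice above on constructed input. It classifies <code>readelf -d</code> output the way hardening-check's "Immediate binding" line does (a BIND_NOW flag in the dynamic section is what separates full RELRO from partial RELRO), and it applies the mail's sed hack to a constructed fragment of a generated libtool script so the resulting link command can be inspected. The function names, the sample dynamic-section lines and the libtool fragment are all constructed for this example; only the sed expression itself is taken from the mail.</p>

```shell
#!/bin/sh
# Added example (not from the original mail). Two helpers mirroring the mail's
# two steps: (1) decide from the dynamic section whether a library was linked
# with immediate binding, (2) apply the libtool sed hack and show its effect.

# Step 1: classify `readelf -d` output. Immediate binding shows up either as
# BIND_NOW in the (FLAGS) entry or as NOW in the (FLAGS_1) entry; without it
# the GOT stays writable after startup, i.e. only partial RELRO.
# Returns 0 when immediate binding is enabled, 1 otherwise.
has_bind_now() {
    printf '%s\n' "$1" | grep -Eq '\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*[[:space:]]NOW([[:space:]]|$)'
}

# Produce the same wording as the hardening-check line the mail points at.
binding_report() {
    if has_bind_now "$1"; then
        echo "Immediate binding: yes"
    else
        echo "Immediate binding: no, not found!"
    fi
}

# Run the check on a real shared object (needs binutils' readelf).
check_library() {
    binding_report "$(readelf -d "$1" 2>/dev/null)"
}

# Constructed samples of trimmed `readelf -d` output, not captured from a
# real build: one fully hardened library, one linked with lazy binding.
FULL_RELRO_SAMPLE=' 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000000000001e (FLAGS)              BIND_NOW
 0x0000000000000000 (NULL)               0x0'
PARTIAL_RELRO_SAMPLE=' 0x000000006ffffffb (FLAGS_1)            Flags: PIE
 0x0000000000000000 (NULL)               0x0'

# Step 2: the mail's sed hack, applied to the generated libtool script in $1.
# Written without `sed -i` so it also works with non-GNU sed. The escaped \$
# in the pattern is needed because libtool's own text contains "\$compiler_flags".
patch_libtool() {
    sed -e 's! \\\$compiler_flags !&\\\$CFLAGS \\\$LDFLAGS !' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Constructed fragment of a libtool script (the real file is much longer);
# only the archive_cmds line matters for the hack.
make_sample_libtool() {
    cat > "$1" <<'EOF'
# ### BEGIN LIBTOOL CONFIG
archive_cmds="\$CC -shared \$pic_flag \$libobjs \$deplibs \$compiler_flags \${wl}-soname \$wl\$soname -o \$lib"
EOF
}

# Patch the constructed fragment and print the resulting archive_cmds line,
# which now carries \$CFLAGS \$LDFLAGS right after \$compiler_flags.
patched_archive_cmds() {
    tmp=$(mktemp)
    make_sample_libtool "$tmp"
    patch_libtool "$tmp"
    grep '^archive_cmds=' "$tmp"
    rm -f "$tmp"
}

# Usage: sh this_script.sh /path/to/libfoo.so  (prints the binding line)
if [ $# -gt 0 ]; then
    check_library "$1"
fi
```

<p>The point of checking the dynamic section rather than trusting the spec is the one the mail makes: <code>%global _hardened_build 1</code> only sets the flags, and libtool decides whether they reach the linker, so the built object is the only reliable evidence.</p>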
<br>
</body>
</html>