[nss/f17] Resolves: Bug 805723 - Library needs partial RELRO support added

Elio Maldonado emaldonado at fedoraproject.org
Sun Apr 8 18:13:57 UTC 2012


commit 41064271a8b87addf3d5af499b3b29a013713e2a
Author: Elio Maldonado <emaldona at redhat.com>
Date:   Sun Apr 8 11:13:29 2012 -0700

    Resolves: Bug 805723 - Library needs partial RELRO support added
    
    - Patch coreconf/Linux.mk as done on RHEL 6.2

 add-relro-linker-option.patch |   16 ++++++++++++++++
 nss.spec                      |   12 +++++++-----
 2 files changed, 23 insertions(+), 5 deletions(-)
---
diff --git a/add-relro-linker-option.patch b/add-relro-linker-option.patch
new file mode 100644
index 0000000..05758f7
--- /dev/null
+++ b/add-relro-linker-option.patch
@@ -0,0 +1,16 @@
+diff -up mozilla/security/coreconf/Linux.mk.relro mozilla/security/coreconf/Linux.mk
+--- mozilla/security/coreconf/Linux.mk.relro	2010-08-12 18:32:29.000000000 -0700
++++ mozilla/security/coreconf/Linux.mk	2011-09-27 16:12:22.234743170 -0700
+@@ -179,6 +179,12 @@ FREEBL_NO_DEPEND = 1
+ endif
+ endif
+ 
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS	+= -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+ 
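Review bot: The gate `ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))` relies on `$(sort)`, which orders words lexically, so an `OS_RELEASE` such as `2.10` or `10.0` would sort ahead of `2.6` and both `-Wl,-z,relro` additions would be skipped without any message. RELRO appears to depend on the linker and loader rather than on the kernel release, so the condition could probably be dropped; if it stays, an `else` branch with `$(warning RELRO not enabled for OS_RELEASE=$(OS_RELEASE))` would make an unhardened build visible in the log. The comment could also say that this is partial RELRO only, e.g. `# partial RELRO: .got.plt stays writable unless -Wl,-z,now is also passed`.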
diff --git a/nss.spec b/nss.spec
index 5443482..8f5e35b 100644
--- a/nss.spec
+++ b/nss.spec
@@ -7,7 +7,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.13.4
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -54,6 +54,7 @@ Source9:          setup-nsssysinit.sh
 Source10:         PayPalEE.cert
 Source12:         %{name}-pem-20120402.tar.bz2
 
+Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
 Patch6:           nss-enable-pem.patch
 Patch16:          nss-539183.patch
@@ -151,6 +152,7 @@ low level services.
 %{__cp} %{SOURCE10} -f ./mozilla/security/nss/tests/libpkix/certs
 %setup -q -T -D -n %{name}-%{version} -a 12
 
+%patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
 %patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
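Review bot: Nothing in the spec verifies that the option added by `%patch2` actually reaches the shipped libraries, and a later hunk of this commit removes the `LDFLAGS` export from `%build`, so the patched `Linux.mk` conditional becomes the only source of RELRO. A post-build check that fails when an installed shared object has no `GNU_RELRO` program header, along the lines of `readelf -lW "$lib" | grep -q GNU_RELRO || exit 1` run over the installed `.so` files, would catch the hardening being lost silently. The `%prep` section continues outside this hunk.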
@@ -168,10 +170,6 @@ low level services.
 
 %build
 
-# partial RELRO support as a security enhancement
-LDFLAGS+=-Wl,-z,relro
-export LDFLAGS
-
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
@@ -582,6 +580,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 
 
 %changelog
+* Sun Apr 08 2012 Elio Maldonado <emaldona at redhat.com> - 3.13.4-2
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+- Patch coreconf/Linux.mk as done on RHEL 6.2
+
 * Fri Apr 06 2012 Elio Maldonado <emaldona at redhat.com> - 3.13.4-1
 - Update to NSS_3_13_4_RTM
 - Update the nss-pem source archive to the latest version

