[Fedora-packaging] [HEADS UP] libtool + %global _hardened_build 1 = no full hardening
Björn Esser
bjoern.esser at gmail.com
Wed Jun 26 15:27:40 UTC 2013
Hello list!
As discussed a few days ago [1] there's a _severe_ bug in autotool's
libtool known for ages [2] preventing libs not to be build fully
hardened (partial RELRO), even if you have included `%global
_hardened_build 1` into you rpm-spec.
There was some LDFLAGS-hack [3] mentioned by me during review of
bz# 977446 nbdkit, which turned out to block proper exporting of LDFLAGS
during `%configure`-invocation. So I did some experiments how to get a
proper working and future aware solution for this.
I recommend EVERYBODY, who maintains pkgs meeting the above criteria
(libtool + hardening) to re-check their build pkg's proper hardening
invoking `hardening-check --color --verbose $path_to_lib` and if it's
report reveals
...
Read-only relocations: yes
---> Immediate binding: no, not found! <---
to apply the following lines immediatly AFTER invoking `%configure` to
their affected pkg's spec:
# dirty hack to force immediate binding with hardenend build having
# autocrap's libtool pass the need gcc-specs to linker.
sed -i -e 's! \\\$compiler_flags !&\\\$CFLAGS \\\$LDFLAGS !' libtool
This simple (but effective) hack makes sure ALL hardening-relevant flags
are passed to the linker.
I just filed a ticket for FESCo-meeting [4] to have this workaround
included in `%configure`-macro provided by rpm-package.
If you are unsure whether your package is affected this feel free to ask
me and please provide a build.log, so I can check.
Cheers,
Björn
[1]https://lists.fedoraproject.org/pipermail/devel/2013-June/184429.html
[2]http://lists.gnu.org/archive/html/bug-libtool/2005-10/msg00003.html
[3]https://bugzilla.redhat.com/show_bug.cgi?id=977446#c13
[4]https://fedorahosted.org/fesco/ticket/1132
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part
URL: <http://lists.fedoraproject.org/pipermail/packaging/attachments/20130626/ea1d8c8a/attachment.sig>
More information about the packaging
mailing list