[Fedora-packaging] [HEADS UP] libtool + %global _hardened_build 1 = no full hardening

Björn Esser bjoern.esser at gmail.com
Wed Jun 26 15:27:40 UTC 2013

Hello list!

As discussed a few days ago [1] there's a _severe_ bug in autotool's
libtool known for ages [2] preventing libs not to be build fully
hardened (partial RELRO), even if you have included `%global
_hardened_build 1` into you rpm-spec.

There was some LDFLAGS-hack [3] mentioned by me during review of
bz# 977446 nbdkit, which turned out to block proper exporting of LDFLAGS
during `%configure`-invocation.  So I did some experiments how to get a
proper working and future aware solution for this.

I recommend EVERYBODY, who maintains pkgs meeting the above criteria
(libtool + hardening) to re-check their build pkg's proper hardening
invoking `hardening-check --color --verbose $path_to_lib` and if it's
report reveals

      Read-only relocations: yes
--->  Immediate binding: no, not found!  <---

to apply the following lines immediatly AFTER invoking `%configure` to
their affected pkg's spec:

# dirty hack to force immediate binding with hardenend build having
# autocrap's libtool pass the need gcc-specs to linker.
sed -i -e 's! \\\$compiler_flags !&\\\$CFLAGS \\\$LDFLAGS !' libtool

This simple (but effective) hack makes sure ALL hardening-relevant flags
are passed to the linker.

I just filed a ticket for FESCo-meeting [4] to have this workaround
included in `%configure`-macro provided by rpm-package.

If you are unsure whether your package is affected this feel free to ask
me and please provide a build.log, so I can check.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part
URL: <http://lists.fedoraproject.org/pipermail/packaging/attachments/20130626/ea1d8c8a/attachment.sig>

More information about the packaging mailing list