[krb5] - also link binaries with -Wl, -z, relro, -z, now (part of #629950)
Nalin Dahyabhai
nalin at fedoraproject.org
Fri Sep 3 17:50:51 UTC 2010
commit a7376e1a41e36955e468f1f595c364d0dd935b90
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Fri Sep 3 13:08:45 2010 -0400
- also link binaries with -Wl,-z,relro,-z,now (part of #629950)
krb5-1.7-buildconf.patch | 9 +++++----
krb5.spec | 5 ++++-
2 files changed, 9 insertions(+), 5 deletions(-)
---
diff --git a/krb5-1.7-buildconf.patch b/krb5-1.7-buildconf.patch
index 874df87..754962e 100644
--- a/krb5-1.7-buildconf.patch
+++ b/krb5-1.7-buildconf.patch
@@ -1,5 +1,5 @@
-Build binaries in this package as PIEs and install shared libraries with the
-execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS
+Build binaries in this package as RELRO PIEs and install shared libraries with
+the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS
where they might leak out and affect apps which just want to link with the
libraries. FIXME: needs to check and not just assume that the compiler supports
using these flags.
@@ -11,7 +11,7 @@ diff -up krb5-1.7/src/config/shlib.conf krb5-1.7/src/config/shlib.conf
RPATH_FLAG='-Wl,-rpath -Wl,'
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
-+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie $(LDFLAGS)'
++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
@@ -19,7 +19,7 @@ diff -up krb5-1.7/src/config/shlib.conf krb5-1.7/src/config/shlib.conf
diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in
--- krb5-1.7/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
+++ krb5-1.7/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
-@@ -187,8 +187,13 @@ if test -n "$do_libs"; then
+@@ -187,8 +187,14 @@ if test -n "$do_libs"; then
-e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
-e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
@@ -30,6 +30,7 @@ diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+ fi
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"`
+
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
diff --git a/krb5.spec b/krb5.spec
index 4dd8e6a..9af0a74 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -5,7 +5,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.8.3
-Release: 2%{?dist}
+Release: 3%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.3-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -637,6 +637,9 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Fri Sep 3 2010 Nalin Dahyabhai <nalin at redhat.com> 1.8.3-3
+- also link binaries with -Wl,-z,relro,-z,now (part of #629950)
+
* Tue Aug 24 2010 Nalin Dahyabhai <nalin at redhat.com> 1.8.3-2
- fix a logic bug in computing key expiration times (RT#6762, #627022)
More information about the scm-commits
mailing list