[krb5] - build shared libraries with partial RELRO support (#723995) - filter out potentially multiple inst

Nalin Dahyabhai nalin at fedoraproject.org
Fri Jul 22 20:58:13 UTC 2011 

commit 2202e378de8d7c6dcd752ceb3b546591b14c2be6
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Fri Jul 22 16:29:06 2011 -0400

    - build shared libraries with partial RELRO support (#723995)
    - filter out potentially multiple instances of -Wl,-z,relro from krb5-config
      output, now that it's in the buildroot's default LDFLAGS

 ...9-buildconf.patch => krb5-1.9.1-buildconf.patch |   28 +++++++++++++------
 krb5.spec                                          |    9 +++++-
 2 files changed, 26 insertions(+), 11 deletions(-)
---
diff --git a/krb5-1.9-buildconf.patch b/krb5-1.9.1-buildconf.patch
similarity index 62%
rename from krb5-1.9-buildconf.patch
rename to krb5-1.9.1-buildconf.patch
index 8641a24..85173cf 100644
--- a/krb5-1.9-buildconf.patch
+++ b/krb5-1.9.1-buildconf.patch
@@ -1,18 +1,27 @@
-Build binaries in this package as RELRO PIEs and install shared libraries with
-the execute bit set on them.  Prune out the -L/usr/lib*, PIE flags, and CFLAGS
-where they might leak out and affect apps which just want to link with the
-libraries. FIXME: needs to check and not just assume that the compiler supports
-using these flags.
+Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
+and install shared libraries with the execute bit set on them.  Prune out
+the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect
+apps which just want to link with the libraries. FIXME: needs to check and
+not just assume that the compiler supports using these flags.
 
 diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
 --- krb5-1.9/src/config/shlib.conf	2008-12-08 17:33:07.000000000 -0500
 +++ krb5-1.9/src/config/shlib.conf	2009-06-04 14:01:28.000000000 -0400
+@@ -419,7 +419,7 @@ mips-*-netbsd*)
+ 	SHLIBEXT=.so
+ 	# Linux ld doesn't default to stuffing the SONAME field...
+ 	# Use objdump -x to examine the fields of the library
+-	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
++	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'
+ 	# 
+ 	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
+ 	SHLIB_EXPORT_FILE_DEP=binutils.versions
 @@ -430,7 +430,8 @@
  	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
  	PROFFLAGS=-pg
  	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
 -	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
-+	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'
++	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
 +	INSTALL_SHLIB='${INSTALL} -m755'
  	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
  	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
@@ -20,7 +29,7 @@ diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
 diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
 --- krb5-1.9/src/krb5-config.in	2009-06-04 14:01:28.000000000 -0400
 +++ krb5-1.9/src/krb5-config.in	2009-06-04 14:01:28.000000000 -0400
-@@ -187,8 +187,14 @@ if test -n "$do_libs"; then
+@@ -187,8 +187,15 @@ if test -n "$do_libs"; then
  	    -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
  	    -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
  	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
@@ -30,8 +39,9 @@ diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
 +    if test `dirname $libdir` = /usr ; then
 +        lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
 +    fi
-+    lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
-+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"`
++    lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
++    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
++    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
 +
      if test $library = 'kdb'; then
  	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
diff --git a/krb5.spec b/krb5.spec
index 2929fba..4f5bda9 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -35,7 +35,7 @@ Source35: kdb_check_weak.c
 Patch5: krb5-1.8-ksu-access.patch
 Patch6: krb5-1.9-ksu-path.patch
 Patch12: krb5-1.7-ktany.patch
-Patch16: krb5-1.9-buildconf.patch
+Patch16: krb5-1.9.1-buildconf.patch
 Patch23: krb5-1.3.1-dns.patch
 Patch29: krb5-1.9-kprop-mktemp.patch
 Patch30: krb5-1.3.4-send-pr-tempfile.patch
@@ -666,6 +666,11 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Fri Jul 22 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-8
+- build shared libraries with partial RELRO support (#723995)
+- filter out potentially multiple instances of -Wl,-z,relro from krb5-config
+  output, now that it's in the buildroot's default LDFLAGS
+
 * Wed Jul 20 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-7
 - kadmind.init: drop the attempt to detect no-database-present errors (#723723)

More information about the scm-commits mailing list