Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package grub2 for openSUSE:Factory checked in at 2021-02-23 20:18:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grub2 (Old) and /work/SRC/openSUSE:Factory/.grub2.new.2378 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grub2" Tue Feb 23 20:18:02 2021 rev:233 rq:874453 version:2.04 Changes: -------- --- /work/SRC/openSUSE:Factory/grub2/grub2.changes 2021-02-07 15:13:54.721379579 +0100 +++ /work/SRC/openSUSE:Factory/.grub2.new.2378/grub2.changes 2021-02-23 20:19:43.263619427 +0100 @@ -1,0 +2,16 @@ +Mon Feb 22 12:49:48 UTC 2021 - Michael Chang <mch...@suse.com> + +- Fix build error in binutils 2.36 (bsc#1181741) + * 0001-Fix-build-error-in-binutils-2.36.patch +- Fix executable stack in grub-emu (bsc#1181696) + * 0001-emu-fix-executable-stack-marking.patch + +------------------------------------------------------------------- +Thu Feb 18 05:21:29 UTC 2021 - Michael Chang <mch...@suse.com> + +- Restore compatibilty sym-links + * grub2.spec +- Use rpmlintrc to filter out rpmlint 2.0 error (bsc#1179044) + * grub2.rpmlintrc + +------------------------------------------------------------------- New: ---- 0001-Fix-build-error-in-binutils-2.36.patch 0001-emu-fix-executable-stack-marking.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grub2.spec ++++++ --- /var/tmp/diff_new_pack.73QH9m/_old 2021-02-23 20:19:45.427621341 +0100 +++ /var/tmp/diff_new_pack.73QH9m/_new 2021-02-23 20:19:45.431621344 +0100 @@ -346,6 +346,8 @@ Patch736: 0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch Patch737: 0008-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch Patch738: 0009-squash-Add-support-for-linuxefi.patch +Patch739: 0001-Fix-build-error-in-binutils-2.36.patch +Patch740: 0001-emu-fix-executable-stack-marking.patch Requires: gettext-runtime %if 0%{?suse_version} >= 1140 @@ -468,10 +470,6 @@ %endif Provides: %{name}-efi = %{version}-%{release} Obsoletes: %{name}-efi < %{version}-%{release} -%ifarch x86_64 -Conflicts: python2-kiwi < 9.17.12 -Conflicts: python3-kiwi < 9.17.12 -%endif %description %{grubefiarch} The GRand Unified Bootloader (GRUB) is a highly configurable and customizable 
@@ -504,7 +502,6 @@ Provides: %{name}-xen = %{version}-%{release} Obsoletes: %{name}-xen < %{version}-%{release} BuildArch: noarch -Conflicts: xen < 4.12.0_03 %description %{grubxenarch} The GRand Unified Bootloader (GRUB) is a highly configurable and customizable @@ -685,6 +682,8 @@ %patch736 -p1 %patch737 -p1 %patch738 -p1 +%patch739 -p1 +%patch740 -p1 %build # collect evidence to debug spurious build failure on SLE15 @@ -866,6 +865,14 @@ cd build-xen %make_install install -m 644 grub.xen %{buildroot}/%{_datadir}/%{name}/%{grubxenarch}/. +# provide compatibility sym-link for VM definitions pointing to old location +install -d %{buildroot}%{_libdir}/%{name}/%{grubxenarch} +ln -srf %{buildroot}%{_datadir}/%{name}/%{grubxenarch}/grub.xen %{buildroot}%{_libdir}/%{name}/%{grubxenarch}/grub.xen +cat <<-EoM >%{buildroot}%{_libdir}/%{name}/%{grubxenarch}/DEPRECATED + This directory and its contents was moved to %{_datadir}/%{name}/%{grubxenarch}. + Individual symbolic links are provided for a smooth transition. + Please update your VM definition files to use the new location! +EoM cd .. %endif @@ -883,6 +890,16 @@ %define sysefidir %{sysefibasedir}/%{_target_cpu} install -d %{buildroot}/%{sysefidir} ln -sr %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/grub.efi %{buildroot}%{sysefidir}/grub.efi +%ifarch x86_64 +# provide compatibility sym-link for previous shim-install and the like +install -d %{buildroot}/usr/lib64/efi +ln -srf %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/grub.efi %{buildroot}/usr/lib64/efi/grub.efi +cat <<-EoM >%{buildroot}/usr/lib64/efi/DEPRECATED + This directory and its contents was moved to %{_datadir}/efi/x86_64. + Individual symbolic links are provided for a smooth transition and + may vanish at any point in time. Please use the new location! +EoM +%endif %ifarch x86_64 aarch64 %if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110 
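Review bot: In the @@ -866 hunk the compatibility link is created under `%{_libdir}`, but the `%{grubxenarch}` subpackage is declared `BuildArch: noarch` (visible in the @@ -504 hunk), so the link's directory depends on whichever host builds the package. That is presumably what the new `filelist-forbidden-noarch` filter in grub2.rpmlintrc silences. If the old location was always the lib64 path, spelling it out as the @@ -883 hunk does with `/usr/lib64/efi` would make the result independent of the build host, e.g. `install -d %{buildroot}/usr/lib64/%{name}/%{grubxenarch}`. The matching `%files` entries in the @@ -1338 hunk would need the same change. The surrounding `%install` section starts and ends outside the hunk.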
@@ -1310,6 +1327,12 @@ %dir %{sysefidir} %{sysefidir}/grub.efi %if 0%{?suse_version} < 1600 +%ifarch x86_64 +# provide compatibility sym-link for previous shim-install and kiwi +%dir /usr/lib64/efi +/usr/lib64/efi/DEPRECATED +/usr/lib64/efi/grub.efi +%endif %endif %ifarch x86_64 aarch64 @@ -1338,6 +1361,9 @@ %defattr(-,root,root,-) %dir %{_datadir}/%{name}/%{grubxenarch} %{_datadir}/%{name}/%{grubxenarch}/* +# provide compatibility sym-link for VM definitions pointing to old location +%dir %{_libdir}/%{name} +%{_libdir}/%{name}/%{grubxenarch} %endif %if 0%{?has_systemd:1} ++++++ 0001-Fix-build-error-in-binutils-2.36.patch ++++++ >From 7801d671905329d28e789082225570fc54fe5784 Mon Sep 17 00:00:00 2001 From: Michael Chang <mch...@suse.com> Date: Fri, 19 Feb 2021 17:40:43 +0800 Subject: [PATCH] Fix build error in binutils 2.36 The build fails in binutils 2.36 [ 520s] cat kernel_syms.lst > syminfo.lst.new [ 520s] /usr/lib64/gcc/x86_64-suse-linux/10/../../../../x86_64-suse-linux/bin/ld: section .note.gnu.property VMA [0000000000400158,0000000000400187] overlaps section .bss VMA [000000000000f000,000000000041e1af] It is caused by assembler now generates the GNU property notes section by default. Use the assmbler option -mx86-used-note=no to disable the section from being generated to workaround the ensuing linker issue. Signed-off-by: Michael Chang <mch...@suse.com> --- configure.ac | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/configure.ac b/configure.ac index c39e8379f..a3fb713ad 100644 --- a/configure.ac +++ b/configure.ac 
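Review bot: The `/usr/lib64/efi` entries added to `%files` in the @@ -1310 hunk sit inside `%if 0%{?suse_version} < 1600`, while the `%install` lines that create them in the @@ -883 hunk are guarded only by `%ifarch x86_64`. Unless a version guard exists outside the visible context, a build with suse_version 1600 or later would install the link and the DEPRECATED file without packaging them, which rpmbuild normally reports as unpackaged files. Wrapping the install step in the same condition, `%if 0%{?suse_version} < 1600` … `%endif` around the `%ifarch x86_64` block, keeps the two sections in step.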
@@ -827,6 +827,20 @@ if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ) && test "x$p TARGET_CFLAGS="$TARGET_CFLAGS -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow" fi +if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ); then + AC_CACHE_CHECK([whether -Wa,-mx86-used-note works], [grub_cv_cc_mx86_used_note], [ + CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no -Werror" + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])], + [grub_cv_cc_mx86_used_note=yes], + [grub_cv_cc_mx86_used_note=no]) + ]) + + if test "x$grub_cv_cc_mx86_used_note" = xyes; then + TARGET_CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no" + TARGET_CCASFLAGS="$TARGET_CCASFLAGS -Wa,-mx86-used-note=no" + fi +fi + # GRUB doesn't use float or doubles at all. Yet some toolchains may decide # that floats are a good fit to run instead of what's written in the code. # Given that floating point unit is disabled (if present to begin with) -- 2.30.0 ++++++ 0001-emu-fix-executable-stack-marking.patch ++++++ >From 4cc06bef26c3573309086bec4472cc9151b0379e Mon Sep 17 00:00:00 2001 
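Review bot: The new check in configure.ac carries no comment saying why the note section is turned off, so a later reader sees only a flag probe. A line above the `if` such as `# binutils 2.36 emits .note.gnu.property by default, which overlaps .bss at link time; disable it where the assembler accepts the option` would record the reason given in the patch description. The probe also assigns `CFLAGS` with `-Werror` appended and does not restore the previous value inside the hunk. If nothing after the hunk resets `CFLAGS`, saving it before `AC_CACHE_CHECK` and restoring it afterwards would keep `-Werror` out of later checks.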
From: Michael Chang <mch...@suse.com> Date: Mon, 1 Feb 2021 20:14:12 +0800 Subject: [PATCH] emu: fix executable stack marking The gcc by default assumes executable stack is required if the source object file doesn't have .note.GNU-stack section in place. If any of the source objects doesn't incorporate the GNU-stack note, the resulting program will have executable stack flag set in PT_GNU_STACK program header to instruct program loader or kernel to set up the executable stack when program loads to memory. Usually the .note.GNU-stack section will be generated by gcc automatically if it finds that executable stack is not required. However it doesn't take care of generating .note.GNU-stack section for those object files built from assembler sources. This leads to an unnecessary security risk of an exploitable executable stack because those assembler sources don't actually require stack to be executable to work. The grub-emu and grub-emu-lite are found to flag stack as executable revealed by execstack tool. $ mkdir -p build-emu && cd build-emu $ ../configure --with-platform=emu && make $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite X grub-core/grub-emu X grub-core/grub-emu-lite This patch will add the missing GNU-stack note to the assembler source used by both utilities, therefore the result doesn't count on gcc default behavior and the executable stack is disabled. $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite - grub-core/grub-emu - grub-core/grub-emu-lite Signed-off-by: Michael Chang <mch...@suse.com> --- grub-core/kern/emu/cache_s.S | 5 +++++ grub-core/lib/setjmp.S | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/grub-core/kern/emu/cache_s.S b/grub-core/kern/emu/cache_s.S index 7bb1e1441..fca85c69e 100644 --- a/grub-core/kern/emu/cache_s.S +++ b/grub-core/kern/emu/cache_s.S 
@@ -2,6 +2,11 @@ #error "This source is only meant for grub-emu platform" #endif +/* An executable stack is not required for these functions */ +#if defined (__linux__) && defined (__ELF__) +.section .note.GNU-stack,"",@progbits +#endif + #if defined(__i386__) || defined(__x86_64__) /* Nothing is necessary. */ #elif defined(__sparc__) diff --git a/grub-core/lib/setjmp.S b/grub-core/lib/setjmp.S index a37467760..16f676368 100644 --- a/grub-core/lib/setjmp.S +++ b/grub-core/lib/setjmp.S @@ -1,3 +1,7 @@ +/* An executable stack is not required for these functions */ +#if defined (__linux__) && defined (__ELF__) +.section .note.GNU-stack,"",@progbits +#endif #if defined(__i386__) #include "./i386/setjmp.S" #elif defined(__x86_64__) -- 2.30.0 ++++++ grub2.rpmlintrc ++++++ --- /var/tmp/diff_new_pack.73QH9m/_old 2021-02-23 20:19:45.971621821 +0100 +++ /var/tmp/diff_new_pack.73QH9m/_new 2021-02-23 20:19:45.975621825 +0100 @@ -7,7 +7,8 @@ addFilter("unstripped-binary-or-object .*/grub2/*/.*.mod") # TODO: s390 Experts: is this sensible?! addFilter("s390x: W: executable-stack") -# +# We need to provide compatibility sym-links in noarch package addFilter("suse-filelist-forbidden-noarch") +addFilter("filelist-forbidden-noarch") # addFilter('arch-independent-package-contains-binary-or-object')
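Review bot: The added `.section .note.GNU-stack,"",@progbits` uses the `@` type prefix, which GNU as treats as a comment character on ARM, so the directive would not assemble there. The same line is added in both the cache_s.S and the setjmp.S hunk. cache_s.S already branches on architectures other than x86 (`__sparc__` is visible) and setjmp.S selects a per-architecture file, so a non-x86 build of grub-emu looks possible. Writing the directive as `.section .note.GNU-stack,"",%progbits` is accepted on ELF targets generally. Both files continue outside the hunks, so whether an ARM branch exists could not be checked here.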