Hello list!
As discussed a few days ago [1] there's a _severe_ bug in autotool's
libtool known for ages [2] preventing libs not to be build fully
hardened (partial RELRO), even if you have included `%global
_hardened_build 1` into you rpm-spec.
There was some LDFLAGS-hack [3] mentioned by me during review of
bz# 977446 nbdkit, which turned out to block proper exporting of LDFLAGS
during `%configure`-invocation. So I did some experiments how to get a
proper working and future aware solution for this.
I recommend EVERYBODY, who maintains pkgs meeting the above criteria
(libtool + hardening) to re-check their build pkg's proper hardening
invoking `hardening-check --color --verbose $path_to_lib` and if it's
report reveals
...
Read-only relocations: yes
--- Immediate binding: no, not found! ---
to apply the following lines immediatly AFTER invoking `%configure` to
their affected pkg's spec:
# dirty hack to force immediate binding with hardenend build having
# autocrap's libtool pass the need gcc-specs to linker.
sed -i -e 's! \\\$compiler_flags !\\\$CFLAGS \\\$LDFLAGS !' libtool
This simple (but effective) hack makes sure ALL hardening-relevant flags
are passed to the linker.
I just filed a ticket for FESCo-meeting [4] to have this workaround
included in `%configure`-macro provided by rpm-package.
If you are unsure whether your package is affected this feel free to ask
me and please provide a build.log, so I can check.
Cheers,
Björn
[1]https://lists.fedoraproject.org/pipermail/devel/2013-June/184429.html
[2]http://lists.gnu.org/archive/html/bug-libtool/2005-10/msg3.html
[3]https://bugzilla.redhat.com/show_bug.cgi?id=977446#c13
[4]https://fedorahosted.org/fesco/ticket/1132
signature.asc
Description: This is a digitally signed message part
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
