From 1d280500b5af8d273048a0f24fd3d4acf4aa0302 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 29 Mar 2022 07:44:38 -0400
Subject: [PATCH] import annobin-10.29-3.el8
---
 .annobin.metadata | 2 +-
 .gitignore | 2 +-
 SOURCES/annobin-gaps-test.patch | 17 +++
 SOURCES/annobin-nop.patch | 12 ++
 SOURCES/annobin-skip-stack-prot.patch | 31 ------
 SPECS/annobin.spec | 151 ++++++++++++++++++++++++--
 6 files changed, 173 insertions(+), 42 deletions(-)
 create mode 100644 SOURCES/annobin-gaps-test.patch
 create mode 100644 SOURCES/annobin-nop.patch
 delete mode 100644 SOURCES/annobin-skip-stack-prot.patch
diff --git a/.annobin.metadata b/.annobin.metadata
index 59080ac..9cbd4e4 100644
--- a/.annobin.metadata
+++ b/.annobin.metadata
@@ -1 +1 @@
-8f065c03bd8a5b86e99a66cfc9caa28ea362793f SOURCES/annobin-9.65.tar.xz
+cb5a3c922fa3018c7df177d27357a04cfc9085e5 SOURCES/annobin-10.29.tar.xz
diff --git a/.gitignore b/.gitignore
index 2fcb5e5..913d4cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/annobin-9.65.tar.xz
+SOURCES/annobin-10.29.tar.xz
diff --git a/SOURCES/annobin-gaps-test.patch b/SOURCES/annobin-gaps-test.patch
new file mode 100644
index 0000000..b19ab99
--- /dev/null
+++ b/SOURCES/annobin-gaps-test.patch
@@ -0,0 +1,17 @@
+--- annobin.orig/tests/gaps-test 2021-11-22 16:02:17.449655455 +0000
++++ annobin-10.27/tests/gaps-test 2021-11-22 16:06:37.296680446 +0000
+@@ -40,12 +40,13 @@ fi
+ # Run annocheck
+
+ SKIPS="--skip-property-note --skip-dynamic-tags --skip-not-dynamic-tags --skip-branch-protection --skip-not-branch-protection --skip-lto"
++SKIPS+=" --skip-stack-clash --skip-cf-protection --skip-stack-realign"
+ $ANNOCHECK main.exe $SKIPS > main.out
+ grep -e "PASS" main.out
+ if [ $? != 0 ];
+ then
+ echo "gaps-test: FAIL: using rpm build macros did not produce an executable that passes annocheck"
+- $ANNOCHECK main.exe $SKIPS --verbose --enable-notes
++ $ANNOCHECK main.exe $SKIPS --verbose
+ echo $GCC $OPTS $srcdir/main.c -o main.exe
+ end_test
+ exit 1
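Review bot: The added `SKIPS+=" --skip-stack-clash --skip-cf-protection --skip-stack-realign"` removes three hardening checks from the gaps test without saying why, so the test no longer detects a regression in any of them and a future rebase cannot tell whether the skips are still wanted. A comment on the line above would keep the rationale with the code, e.g. `# Deliberately not exercised by this test; see <BUG-ID placeholder> before removing`. The `+=` string append is a bash extension, so if gaps-test runs under a POSIX sh the line fails to parse; the shebang is outside this hunk, so that needs confirming. The same patch also drops `--enable-notes` from the diagnostic re-run two lines below, which nothing in the patch file explains.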
diff --git a/SOURCES/annobin-nop.patch b/SOURCES/annobin-nop.patch
new file mode 100644
index 0000000..0478c64
--- /dev/null
+++ b/SOURCES/annobin-nop.patch
@@ -0,0 +1,12 @@
+diff -rup annobin.orig/gcc-plugin/annobin.cc annobin-9.72/gcc-plugin/annobin.cc
+--- annobin.orig/gcc-plugin/annobin.cc 2021-05-17 17:25:32.693441649 +0100
++++ annobin-9.72/gcc-plugin/annobin.cc 2021-05-17 17:25:50.176331776 +0100
+@@ -1722,7 +1722,7 @@ annobin_emit_start_sym_and_version_note
+ Ensure that we do not have empty special text sections so that the
+ annobin start symbols are never beyond the end of the sections. */
+ if (* suffix && enable_ppc64_nops)
+- annobin_emit_asm (".nop", "Inserted by the annobin plugin. Disable with -fplugin-arg-annobin-no-ppc64-nops");
++ annobin_emit_asm ("nop", "Inserted by the annobin plugin. Disable with -fplugin-arg-annobin-no-ppc64-nops");
+ }
+ else
+ fprintf (asm_out_file, "\t.equiv %s%s, .\n", annobin_output_filesym, suffix);
diff --git a/SOURCES/annobin-skip-stack-prot.patch b/SOURCES/annobin-skip-stack-prot.patch
deleted file mode 100644
index 2536c63..0000000
--- a/SOURCES/annobin-skip-stack-prot.patch
+++ /dev/null
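Review bot: The only change carried by the new patch file is `".nop"` → `"nop"` in the `annobin_emit_asm` call, but neither the patch nor the spec's `Patch01:` line records why the assembler directive is being replaced by the instruction mnemonic, so the next rebase has no basis for deciding whether the patch is still needed. A header line above `diff -rup`, such as `Emit a plain "nop" instruction instead of the ".nop" directive -- <reason / BUG-ID placeholder>`, would fix that; the explanatory string passed as the second argument is unchanged, which is fine. The patch was generated against annobin-9.72 while the package is now at 10.29, so it is worth confirming that it still applies at the intended hunk rather than with fuzz.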
@@ -1,31 +0,0 @@
-diff --git a/annocheck/hardened.c b/annocheck/hardened.c
-index d41c740..83645a7 100644
---- a/annocheck/hardened.c
-+++ b/annocheck/hardened.c
-@@ -3523,8 +3523,12 @@ finish (annocheck_data * data)
- case TEST_STACK_PROT:
- if (per_file.current_tool == TOOL_GO)
- skip (data, i, SOURCE_FINAL_SCAN, "GO is stack safe");
-+ else if (per_file.seen_tools == TOOL_GAS
-+ || (per_file.gcc_from_comment && per_file.seen_tools == (TOOL_GAS | TOOL_GCC)))
-+ skip (data, i, SOURCE_FINAL_SCAN, "no compiled code found");
- else if (is_C_compiler (per_file.seen_tools))
-- maybe (data, i, SOURCE_FINAL_SCAN, "no valid notes found regarding this test");
-+ /* The skip is necessary because some glibc code is built this way. */
-+ skip (data, i, SOURCE_FINAL_SCAN, "no notes found regarding this feature");
- else
- skip (data, i, SOURCE_FINAL_SCAN, "not compiled code");
- break;
-diff --git a/tests/glibc-notes-test b/tests/glibc-notes-test
-index ab9e639..8496af8 100755
---- a/tests/glibc-notes-test
-+++ b/tests/glibc-notes-test
-@@ -31,7 +31,7 @@ $GCC -pie -Wl,-z,now hello.o hello2.o hello3.o -L. -lhello -o glibc-notes.exe
-
- # Run annocheck
-
--$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --ignore-gaps > glibc-notes.out
-+$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --skip-stack-realign --ignore-gaps > glibc-notes.out
- grep -e "PASS" glibc-notes.out
- if [ $? != 0 ];
- then
diff --git a/SPECS/annobin.spec b/SPECS/annobin.spec
index 4f510c6..45aa502 100644
--- a/SPECS/annobin.spec
+++ b/SPECS/annobin.spec
@@ -1,8 +1,8 @@
 Name: annobin
 Summary: Annotate and examine compiled binary files
-Version: 9.65
-Release: 1%{?dist}
+Version: 10.29
+Release: 3%{?dist}
 License: GPLv3+
 # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark
 # Maintainer: nickc@redhat.com
@@ -55,7 +55,8 @@ Source: annobin-%{version}.tar.xz
 # For the latest sources use: git clone git://sourceware.org/git/annobin.git
 # Insert patches here, if needed.
-Patch01: annobin-skip-stack-prot.patch
+Patch01: annobin-nop.patch
+Patch02: annobin-gaps-test.patch
 #---------------------------------------------------------------------------------
@@ -154,11 +155,11 @@ of the resulting files.
 %package annocheck
 Summary: A tool for checking the security hardening status of binaries
-BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel
+BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel make
 %if %{with debuginfod}
 BuildRequires: elfutils-debuginfod-client-devel
-BuildRequires: make
 %endif
+Requires: cpio rpm
 %description annocheck
 Installs the annocheck program which uses the notes generated by annobin to
@@ -278,6 +279,7 @@ make -C llvm-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS"
 # Change the following line to "make check || :" on RHEL7 or if you need to see the
 # test suite logs in order to diagnose a test failure.
 make check
+
 if [ -f tests/test-suite.log ]; then
 cat tests/test-suite.log
 fi
@@ -296,10 +298,10 @@ fi
 %doc %{_datadir}/doc/annobin-plugin/annotation.proposal.txt
 %doc %{_infodir}/annobin.info.gz
 %doc %{_mandir}/man1/annobin.1.gz
-%doc %{_mandir}/man1/built-by.1.gz
-%doc %{_mandir}/man1/check-abi.1.gz
-%doc %{_mandir}/man1/hardened.1.gz
-%doc %{_mandir}/man1/run-on-binaries-in.1.gz
+%exclude %{_mandir}/man1/built-by.1*
+%exclude %{_mandir}/man1/check-abi.1*
+%exclude %{_mandir}/man1/hardened.1*
+%exclude %{_mandir}/man1/run-on-binaries-in.1*
 %if %{with clangplugin}
 %{ANNOBIN_CLANG_PLUGIN_DIR}
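Review bot: `Patch02: annobin-gaps-test.patch` is declared in the first hunk, but the %prep section that applies patches is outside these hunks; if it uses explicit `%patch01 -p1` lines rather than `%autosetup -p1`/`%autopatch`, a matching `%patch02 -p1` is required, otherwise the new patch is never applied and the build still succeeds silently. In the second hunk `Requires: cpio rpm` is added to the annocheck sub-package without a comment; `# Needed by annocheck at run time. (#2043474)`, reusing the bug the 10.29-2 changelog entry cites, would record the reason next to the dependency. Both points are confined to the new lines of these two hunks.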
@@ -317,6 +319,137 @@ fi
 #---------------------------------------------------------------------------------
 %changelog
+* Tue Feb 08 2022 Nick Clifton - 10.29-3
+- NVR bump in order to allow rebuilding against latest gcc. (#2052060)
+
+* Mon Jan 24 2022 Nick Clifton - 10.29-2
+- Spec File: Add "Requires: rpm cpio" to annocheck sub-package. (#2043474)
+
+* Tue Nov 30 2021 Nick Clifton - 10.28-1
+- gcc-plugin: Fix bug creating empty attachments. (#2026944)
+- Annocheck: Change MAYB result to SKIP for DT_RPATH. (#2026300)
+
+* Mon Nov 22 2021 Nick Clifton - 10.27-1
+- Annocheck: Skip missing fortify/warning notes for ARM32.
+- gcc-plugin: Try another fix for ppc64le section grouping. (#2023437)
+- gcc-plugin: Revert 10.22 change. (#2023437)
+- Annocheck: Add exception for /usr/sbin/ldconfig. (#2022973)
+
+* Mon Nov 08 2021 Nick Clifton - 10.23-1
+- Annocheck: Add a test for unicode characters in identifiers. (#2017363)
+- gcc-plugin: Default to link-order grouping for PPC64LE. (#2016458)
+
+* Wed Oct 27 2021 Nick Clifton - 10.21-3
+- annocheck: Disable LTO test when checking ldconfig (attempt 3). (#2017039)
+
+* Tue Oct 26 2021 Nick Clifton - 10.21-2
+- annocheck: Disable LTO test when checking ldconfig (attempt 2). (#2017039)
+
+* Tue Oct 26 2021 Nick Clifton - 10.21-1
+- annocheck: Disable LTO test when checking ldconfig. (#2017039)
+
+* Mon Oct 25 2021 Nick Clifton - 10.20-1
+- annocheck: Add more glibc function names. (#2017039)
+- gcc-plugin: Fix attaching the .text section to the .text.group section.
+- Complain about DT_RPATH for Fedora binaries.
+- Better reporting of problems in object files. (#2013708)
+- Add a requirement on llvm-libs for clang and llvm plugins. (#2014573)
+- Fix configuring annocheck without gcc-plugin.
+- Annocheck: Better reporting of debuginfod problems.
+- Tests: Fix bugs in debuginfod test.
+
+* Mon Oct 18 2021 Nick Clifton - 10.15-2
+- Exclude man pages for uninstalled scripts. (#2013565)
+
+* Wed Oct 13 2021 Nick Clifton - 10.15-1
+- Annocheck: Add tests based upon recent bug fixes.
+- Annocheck: Another tweak to glibc detection code.
+
+* Mon Oct 11 2021 Nick Clifton - 10.13-1
+- Annocheck: Fix memory corruptions when using --debug-path and when a corrupt note is found. (#20011438)
+- Annocheck: Fix MAYB results for mixed GO/C files.
+- Annocheck: Move some messages from VERBOSE to VERBOSE2.
+- Annocheck: Scan zero-length tool notes. (#2011818)
+
+* Wed Oct 06 2021 Nick Clifton - 10.11-1
+- Annocheck: Fix covscan detected flaws. (#201129)
+- plugins: Add more required build options. (#2011163)
+
+* Tue Oct 05 2021 Nick Clifton - 10.10-1
+- Annocheck: Fix cf-prot test to fail if the CET notes are missing. (#2010671)
+- Annocheck: Skip gaps in the .plt section. (#2010675)
+- Plugins: Add -g option when building LLVM and Clang. (#2010675)
+
+* Mon Oct 04 2021 Nick Clifton - 10.09-1
+- Annocheck: Add more cases of glibc startup functions. (#1981410)
+- Annocheck: Fix covscan detected problems.
+- Annocheck: Add --profile=el8.
+- gcc-plugin: Conditionalize generation of branch protection note.
+- Annocheck: Ignore gaps containing NOP instructions.
+
+* Wed Sep 29 2021 Nick Clifton - 10.06-1
+- Rebase to 10.06. (#2002351)
+- GCC Plugin: Fix detection of running inside the LTO compiler. (#2004917)
+- Annocheck: Do not insist on the DT_AARCH64_PAC_PLT flag being present in AArch64 binaries.
+- Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result.
+- Annocheck: Do not set CFLAGS/LDFLAGS when building. Take from environment instead.
+- Annocheck: Fix exit code when tests PASS.
+- Documentation: Add node for each hardening test.
+- Documentation: Install online.
+- Annocheck: Annote FAIL and MAYB results with URL to documentation
+- Annocheck: Add --no-urls and --provide-urls options
+- Annocheck: Add --help- option.
+- Annocheck: Fix fuzzing detected failures.
+- Annocheck: Add --profile option.
+- Docs: Document --profile option and rpminspect.yaml.
+- Annocheck: Skip GO/CET checks. Fix fuzzing detected failures.
+- LLVM Plugin: Automatically choose the correct tests to run, based upon the version of Clang installed. (#1997444)
+- Annocheck: Fix memory corruption. (#1996963)
+- Annocheck: Fix conditionalization of AArch64's PAC+BTI detection.
+- Annocheck: Add linker generated function for ppc64le exceptions. (#1981410)
+- LLVM Plugin: Allow checks to be selected from the command line.
+- Annocheck: Examine DW_AT_producer for -flto.
+- Annocheck: Conditionalize detection of AArch64's PAC+BTI protection.
+- Annocheck: Add linker generated function for s390x exceptions. (#1981410)
+- Annocheck: Generate MAYB results for gaps in notes covering the .text section. (#1991943)
+- Annocheck: Close DWARF file descriptors once the debug info is no longer needed. (#1981410)
+- LLVM Plugin: Update to build with Clang v13. (Thanks to: Tom Stellard )
+- Annocheck: Fix memory corruption. (#1988715)
+- Annocheck: Skip certain tests for kernel modules.
+- Annocheck: Detect a missing CET note. (#1991931)
+- Annocheck: Do not report future fails for AArch64 notes.
+- Annocheck: Warn about multiple --debug-file, --debug-rpm and --debug-dir options.
+- Annocheck: Process files in command line order. (#1988714)
+- Annocheck: Reverse AArch64 PAC+BTI check, ie fail if they are enabled. (#1984995)
+- Annocheck: Add another test exceptions.
+- Annocheck: Add some more test exceptions.
+- Tests: Skip glibc-notes test if the assembler does not support --generate-missing-build-notes. (#1978573)
+- Tests: Skip objcopy test if objcopy does not support --merge-notes.
+- Annocheck: Fix spelling mistake in -mstack-realign failure message. (#1977349)
+- gcc-plugin: Do not record global versions of stack protection settings in LTO mode, if not set. (#1958954)
+- Annocheck: Remove limit on number of input files.
+- clang/llvm plugins: Build with correct security options.
+- Annocheck: Better detection of GO compiler version.
+- Annocheck: Better support for symbolic links.
+- Annocheck: In verbose mode, report the reason for skipping specific tests. (#1969584)
+- Annocheck: Improve detection of shared libraries. (#1958954)
+
+* Mon May 17 2021 Nick Clifton - 9.72-1
+- Rebase to 9.72. (#1960299)
+- annocheck: Accept 0 as a valid number for gcc minor versions and release numbers.
+- gcc-plugin: Add support for ARM and RISCV targets.
+- timing: do not initialise the clock if the timing tool is disabled.
+- gcc-plugin: Replace ICE messsages with verbose messages.
+- Fix the testsuite so that it can be run in parallel.
+- Annocheck: WARN if the annobin plugin was built for a newer version of the compiler than the one on which it was run. (#1950657)
+- Annocheck: Improve detection of missing GNU-stack support.
+- Correct a package rename (bug #1949570)
+- Require docs subpackage by the other ones because of a license
+- Build-requiring perl-interpreter is enough
+- Fix bz1949570
+- Fix anomolies reported by covscan.
+- Move documentation into a sub-package.
+
 * Wed Mar 17 2021 Nick Clifton - 9.65-1
 - gcc-plugin: Use a fixed filename when running in LTO mode.