|
|
|
@ -1,8 +1,8 @@
|
|
|
|
|
|
|
|
|
|
Name: annobin
|
|
|
|
|
Summary: Annotate and examine compiled binary files
|
|
|
|
|
Version: 9.65
|
|
|
|
|
Release: 1%{?dist}
|
|
|
|
|
Version: 10.29
|
|
|
|
|
Release: 3%{?dist}
|
|
|
|
|
License: GPLv3+
|
|
|
|
|
# ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark
|
|
|
|
|
# Maintainer: nickc@redhat.com
|
|
|
|
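Review bot: the jump from Version 9.65 to 10.29 arrives with Release already at 3, and the changelog later in this patch has entries for 10.29-3 and 10.29-2 but none for the rebase to 10.29 itself; the newest entry before them is 10.28-1. Add a 10.29-1 entry, or fold a "Rebase to 10.29" line into the 10.29-2 entry, so the history explains where the new upstream version came from.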
@ -55,7 +55,8 @@ Source: annobin-%{version}.tar.xz
|
|
|
|
|
# For the latest sources use: git clone git://sourceware.org/git/annobin.git
|
|
|
|
|
|
|
|
|
|
# Insert patches here, if needed.
|
|
|
|
|
Patch01: annobin-skip-stack-prot.patch
|
|
|
|
|
Patch01: annobin-nop.patch
|
|
|
|
|
Patch02: annobin-gaps-test.patch
|
|
|
|
|
|
|
|
|
|
#---------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
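Review bot: the Patch01 slot is reused for a different file (annobin-nop.patch next to annobin-skip-stack-prot.patch) and Patch02: annobin-gaps-test.patch appears beside it, yet none of the patch lines has a comment, and no visible changelog entry mentions adding or dropping a downstream patch. Put a one-line comment above each PatchNN saying what it fixes and whether it is upstream, and record the patch changes in the changelog so a later rebase knows which ones can be dropped.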
@ -154,11 +155,11 @@ of the resulting files.
|
|
|
|
|
%package annocheck
|
|
|
|
|
Summary: A tool for checking the security hardening status of binaries
|
|
|
|
|
|
|
|
|
|
BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel
|
|
|
|
|
BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel make
|
|
|
|
|
%if %{with debuginfod}
|
|
|
|
|
BuildRequires: elfutils-debuginfod-client-devel
|
|
|
|
|
BuildRequires: make
|
|
|
|
|
%endif
|
|
|
|
|
Requires: cpio rpm
|
|
|
|
|
|
|
|
|
|
%description annocheck
|
|
|
|
|
Installs the annocheck program which uses the notes generated by annobin to
|
|
|
|
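Review bot: "Requires: cpio rpm" in the annocheck sub-package has no comment saying what annocheck needs these tools for at run time; the only explanation is the changelog reference to #2043474. A short comment above the line would stop it being removed as unused later. In the same hunk, make is listed both on the main BuildRequires line and as a separate "BuildRequires: make" inside %if %{with debuginfod}; make is needed whether or not debuginfod is enabled, so only the unconditional one should remain.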
@ -278,6 +279,7 @@ make -C llvm-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS"
|
|
|
|
|
# Change the following line to "make check || :" on RHEL7 or if you need to see the
|
|
|
|
|
# test suite logs in order to diagnose a test failure.
|
|
|
|
|
make check
|
|
|
|
|
|
|
|
|
|
if [ -f tests/test-suite.log ]; then
|
|
|
|
|
cat tests/test-suite.log
|
|
|
|
|
fi
|
|
|
|
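Review bot: the "if [ -f tests/test-suite.log ]" block after "make check" cannot run when the test suite fails, because rpm runs %check with sh -e and a failing make check ends the script before the cat is reached. That is why the comment above has to tell people to edit the line to "make check || :" to see the logs. Consider "make check || { cat tests/test-suite.log; exit 1; }" so the log is printed on failure and the build still fails, which also makes the comment unnecessary.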
@ -296,10 +298,10 @@ fi
|
|
|
|
|
%doc %{_datadir}/doc/annobin-plugin/annotation.proposal.txt
|
|
|
|
|
%doc %{_infodir}/annobin.info.gz
|
|
|
|
|
%doc %{_mandir}/man1/annobin.1.gz
|
|
|
|
|
%doc %{_mandir}/man1/built-by.1.gz
|
|
|
|
|
%doc %{_mandir}/man1/check-abi.1.gz
|
|
|
|
|
%doc %{_mandir}/man1/hardened.1.gz
|
|
|
|
|
%doc %{_mandir}/man1/run-on-binaries-in.1.gz
|
|
|
|
|
%exclude %{_mandir}/man1/built-by.1*
|
|
|
|
|
%exclude %{_mandir}/man1/check-abi.1*
|
|
|
|
|
%exclude %{_mandir}/man1/hardened.1*
|
|
|
|
|
%exclude %{_mandir}/man1/run-on-binaries-in.1*
|
|
|
|
|
|
|
|
|
|
%if %{with clangplugin}
|
|
|
|
|
%{ANNOBIN_CLANG_PLUGIN_DIR}
|
|
|
|
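Review bot: the four "%exclude %{_mandir}/man1/...1*" entries hide man pages that, per the changelog ("Exclude man pages for uninstalled scripts"), belong to scripts that are not shipped at all, so they are left in the buildroot and only masked in %files. Deleting them in %install (rm -f on the same four paths) is cleaner and keeps %exclude for files that another sub-package owns. Separately, the retained "%doc %{_mandir}/man1/annobin.1.gz" still hard-codes .gz while the new entries use the compression-agnostic ".1*" glob; use the same form for both.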
@ -317,6 +319,137 @@ fi
|
|
|
|
|
#---------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
%changelog
|
|
|
|
|
* Tue Feb 08 2022 Nick Clifton <nickc@redhat.com> - 10.29-3
|
|
|
|
|
- NVR bump in order to allow rebuilding against latest gcc. (#2052060)
|
|
|
|
|
|
|
|
|
|
* Mon Jan 24 2022 Nick Clifton <nickc@redhat.com> - 10.29-2
|
|
|
|
|
- Spec File: Add "Requires: rpm cpio" to annocheck sub-package. (#2043474)
|
|
|
|
|
|
|
|
|
|
* Tue Nov 30 2021 Nick Clifton <nickc@redhat.com> - 10.28-1
|
|
|
|
|
- gcc-plugin: Fix bug creating empty attachments. (#2026944)
|
|
|
|
|
- Annocheck: Change MAYB result to SKIP for DT_RPATH. (#2026300)
|
|
|
|
|
|
|
|
|
|
* Mon Nov 22 2021 Nick Clifton <nickc@redhat.com> - 10.27-1
|
|
|
|
|
- Annocheck: Skip missing fortify/warning notes for ARM32.
|
|
|
|
|
- gcc-plugin: Try another fix for ppc64le section grouping. (#2023437)
|
|
|
|
|
- gcc-plugin: Revert 10.22 change. (#2023437)
|
|
|
|
|
- Annocheck: Add exception for /usr/sbin/ldconfig. (#2022973)
|
|
|
|
|
|
|
|
|
|
* Mon Nov 08 2021 Nick Clifton <nickc@redhat.com> - 10.23-1
|
|
|
|
|
- Annocheck: Add a test for unicode characters in identifiers. (#2017363)
|
|
|
|
|
- gcc-plugin: Default to link-order grouping for PPC64LE. (#2016458)
|
|
|
|
|
|
|
|
|
|
* Wed Oct 27 2021 Nick Clifton <nickc@redhat.com> - 10.21-3
|
|
|
|
|
- annocheck: Disable LTO test when checking ldconfig (attempt 3). (#2017039)
|
|
|
|
|
|
|
|
|
|
* Tue Oct 26 2021 Nick Clifton <nickc@redhat.com> - 10.21-2
|
|
|
|
|
- annocheck: Disable LTO test when checking ldconfig (attempt 2). (#2017039)
|
|
|
|
|
|
|
|
|
|
* Tue Oct 26 2021 Nick Clifton <nickc@redhat.com> - 10.21-1
|
|
|
|
|
- annocheck: Disable LTO test when checking ldconfig. (#2017039)
|
|
|
|
|
|
|
|
|
|
* Mon Oct 25 2021 Nick Clifton <nickc@redhat.com> - 10.20-1
|
|
|
|
|
- annocheck: Add more glibc function names. (#2017039)
|
|
|
|
|
- gcc-plugin: Fix attaching the .text section to the .text.group section.
|
|
|
|
|
- Complain about DT_RPATH for Fedora binaries.
|
|
|
|
|
- Better reporting of problems in object files. (#2013708)
|
|
|
|
|
- Add a requirement on llvm-libs for clang and llvm plugins. (#2014573)
|
|
|
|
|
- Fix configuring annocheck without gcc-plugin.
|
|
|
|
|
- Annocheck: Better reporting of debuginfod problems.
|
|
|
|
|
- Tests: Fix bugs in debuginfod test.
|
|
|
|
|
|
|
|
|
|
* Mon Oct 18 2021 Nick Clifton <nickc@redhat.com> - 10.15-2
|
|
|
|
|
- Exclude man pages for uninstalled scripts. (#2013565)
|
|
|
|
|
|
|
|
|
|
* Wed Oct 13 2021 Nick Clifton <nickc@redhat.com> - 10.15-1
|
|
|
|
|
- Annocheck: Add tests based upon recent bug fixes.
|
|
|
|
|
- Annocheck: Another tweak to glibc detection code.
|
|
|
|
|
|
|
|
|
|
* Mon Oct 11 2021 Nick Clifton <nickc@redhat.com> - 10.13-1
|
|
|
|
|
- Annocheck: Fix memory corruptions when using --debug-path and when a corrupt note is found. (#20011438)
|
|
|
|
|
- Annocheck: Fix MAYB results for mixed GO/C files.
|
|
|
|
|
- Annocheck: Move some messages from VERBOSE to VERBOSE2.
|
|
|
|
|
- Annocheck: Scan zero-length tool notes. (#2011818)
|
|
|
|
|
|
|
|
|
|
* Wed Oct 06 2021 Nick Clifton <nickc@redhat.com> - 10.11-1
|
|
|
|
|
- Annocheck: Fix covscan detected flaws. (#201129)
|
|
|
|
|
- plugins: Add more required build options. (#2011163)
|
|
|
|
|
|
|
|
|
|
* Tue Oct 05 2021 Nick Clifton <nickc@redhat.com> - 10.10-1
|
|
|
|
|
- Annocheck: Fix cf-prot test to fail if the CET notes are missing. (#2010671)
|
|
|
|
|
- Annocheck: Skip gaps in the .plt section. (#2010675)
|
|
|
|
|
- Plugins: Add -g option when building LLVM and Clang. (#2010675)
|
|
|
|
|
|
|
|
|
|
* Mon Oct 04 2021 Nick Clifton <nickc@redhat.com> - 10.09-1
|
|
|
|
|
- Annocheck: Add more cases of glibc startup functions. (#1981410)
|
|
|
|
|
- Annocheck: Fix covscan detected problems.
|
|
|
|
|
- Annocheck: Add --profile=el8.
|
|
|
|
|
- gcc-plugin: Conditionalize generation of branch protection note.
|
|
|
|
|
- Annocheck: Ignore gaps containing NOP instructions.
|
|
|
|
|
|
|
|
|
|
* Wed Sep 29 2021 Nick Clifton <nickc@redhat.com> - 10.06-1
|
|
|
|
|
- Rebase to 10.06. (#2002351)
|
|
|
|
|
- GCC Plugin: Fix detection of running inside the LTO compiler. (#2004917)
|
|
|
|
|
- Annocheck: Do not insist on the DT_AARCH64_PAC_PLT flag being present in AArch64 binaries.
|
|
|
|
|
- Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result.
|
|
|
|
|
- Annocheck: Do not set CFLAGS/LDFLAGS when building. Take from environment instead.
|
|
|
|
|
- Annocheck: Fix exit code when tests PASS.
|
|
|
|
|
- Documentation: Add node for each hardening test.
|
|
|
|
|
- Documentation: Install online.
|
|
|
|
|
- Annocheck: Annote FAIL and MAYB results with URL to documentation
|
|
|
|
|
- Annocheck: Add --no-urls and --provide-urls options
|
|
|
|
|
- Annocheck: Add --help-<tool> option.
|
|
|
|
|
- Annocheck: Fix fuzzing detected failures.
|
|
|
|
|
- Annocheck: Add --profile option.
|
|
|
|
|
- Docs: Document --profile option and rpminspect.yaml.
|
|
|
|
|
- Annocheck: Skip GO/CET checks. Fix fuzzing detected failures.
|
|
|
|
|
- LLVM Plugin: Automatically choose the correct tests to run, based upon the version of Clang installed. (#1997444)
|
|
|
|
|
- Annocheck: Fix memory corruption. (#1996963)
|
|
|
|
|
- Annocheck: Fix conditionalization of AArch64's PAC+BTI detection.
|
|
|
|
|
- Annocheck: Add linker generated function for ppc64le exceptions. (#1981410)
|
|
|
|
|
- LLVM Plugin: Allow checks to be selected from the command line.
|
|
|
|
|
- Annocheck: Examine DW_AT_producer for -flto.
|
|
|
|
|
- Annocheck: Conditionalize detection of AArch64's PAC+BTI protection.
|
|
|
|
|
- Annocheck: Add linker generated function for s390x exceptions. (#1981410)
|
|
|
|
|
- Annocheck: Generate MAYB results for gaps in notes covering the .text section. (#1991943)
|
|
|
|
|
- Annocheck: Close DWARF file descriptors once the debug info is no longer needed. (#1981410)
|
|
|
|
|
- LLVM Plugin: Update to build with Clang v13. (Thanks to: Tom Stellard <tstellar@redhat.com>)
|
|
|
|
|
- Annocheck: Fix memory corruption. (#1988715)
|
|
|
|
|
- Annocheck: Skip certain tests for kernel modules.
|
|
|
|
|
- Annocheck: Detect a missing CET note. (#1991931)
|
|
|
|
|
- Annocheck: Do not report future fails for AArch64 notes.
|
|
|
|
|
- Annocheck: Warn about multiple --debug-file, --debug-rpm and --debug-dir options.
|
|
|
|
|
- Annocheck: Process files in command line order. (#1988714)
|
|
|
|
|
- Annocheck: Reverse AArch64 PAC+BTI check, ie fail if they are enabled. (#1984995)
|
|
|
|
|
- Annocheck: Add another test exceptions.
|
|
|
|
|
- Annocheck: Add some more test exceptions.
|
|
|
|
|
- Tests: Skip glibc-notes test if the assembler does not support --generate-missing-build-notes. (#1978573)
|
|
|
|
|
- Tests: Skip objcopy test if objcopy does not support --merge-notes.
|
|
|
|
|
- Annocheck: Fix spelling mistake in -mstack-realign failure message. (#1977349)
|
|
|
|
|
- gcc-plugin: Do not record global versions of stack protection settings in LTO mode, if not set. (#1958954)
|
|
|
|
|
- Annocheck: Remove limit on number of input files.
|
|
|
|
|
- clang/llvm plugins: Build with correct security options.
|
|
|
|
|
- Annocheck: Better detection of GO compiler version.
|
|
|
|
|
- Annocheck: Better support for symbolic links.
|
|
|
|
|
- Annocheck: In verbose mode, report the reason for skipping specific tests. (#1969584)
|
|
|
|
|
- Annocheck: Improve detection of shared libraries. (#1958954)
|
|
|
|
|
|
|
|
|
|
* Mon May 17 2021 Nick Clifton <nickc@redhat.com> - 9.72-1
|
|
|
|
|
- Rebase to 9.72. (#1960299)
|
|
|
|
|
- annocheck: Accept 0 as a valid number for gcc minor versions and release numbers.
|
|
|
|
|
- gcc-plugin: Add support for ARM and RISCV targets.
|
|
|
|
|
- timing: do not initialise the clock if the timing tool is disabled.
|
|
|
|
|
- gcc-plugin: Replace ICE messsages with verbose messages.
|
|
|
|
|
- Fix the testsuite so that it can be run in parallel.
|
|
|
|
|
- Annocheck: WARN if the annobin plugin was built for a newer version of the compiler than the one on which it was run. (#1950657)
|
|
|
|
|
- Annocheck: Improve detection of missing GNU-stack support.
|
|
|
|
|
- Correct a package rename (bug #1949570)
|
|
|
|
|
- Require docs subpackage by the other ones because of a license
|
|
|
|
|
- Build-requiring perl-interpreter is enough
|
|
|
|
|
- Fix bz1949570
|
|
|
|
|
- Fix anomolies reported by covscan.
|
|
|
|
|
- Move documentation into a sub-package.
|
|
|
|
|
|
|
|
|
|
* Wed Mar 17 2021 Nick Clifton <nickc@redhat.com> - 9.65-1
|
|
|
|
|
- gcc-plugin: Use a fixed filename when running in LTO mode.
|
|
|
|
|
|
|
|
|
|
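Review bot: two bug references in the added changelog look mistyped: "(#20011438)" in the 10.13-1 entry has eight digits and "(#201129)" in the 10.11-1 entry has six, while every other reference in the block has seven. Please check both against the tracker, since tooling that links changelog entries to bugs will resolve them to the wrong report or to nothing. While editing, the 10.06-1 entry carries several dozen lines that read like the history of many intermediate releases (for example both "Conditionalize detection of AArch64's PAC+BTI protection" and "Reverse AArch64 PAC+BTI check"), and the 9.72-1 entry cites the same bug twice in two formats ("bug #1949570" and "bz1949570"); there are also spelling slips in "Annote", "messsages" and "anomolies".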