rpms/annobin
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import annobin-10.29-3.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-05-10 03:00:22 -04:00 committed by Stepan Oksanichenko
parent 0838e4a573
commit 85d44d953e
5 changed files with 142 additions and 428 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.annobin.metadata
View File

@ -1 +1 @@
ef2dd2da3cf83071af47dfa2fd95309e18317dd4 SOURCES/annobin-9.72.tar.xz
cb5a3c922fa3018c7df177d27357a04cfc9085e5 SOURCES/annobin-10.29.tar.xz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/annobin-9.72.tar.xz
SOURCES/annobin-10.29.tar.xz

17
SOURCES/annobin-gaps-test.patch Normal file
View File

@ -0,0 +1,17 @@
--- annobin.orig/tests/gaps-test 2021-11-22 16:02:17.449655455 +0000
+++ annobin-10.27/tests/gaps-test 2021-11-22 16:06:37.296680446 +0000
@@ -40,12 +40,13 @@ fi
# Run annocheck
SKIPS="--skip-property-note --skip-dynamic-tags --skip-not-dynamic-tags --skip-branch-protection --skip-not-branch-protection --skip-lto"
+SKIPS+=" --skip-stack-clash --skip-cf-protection --skip-stack-realign"
$ANNOCHECK main.exe $SKIPS > main.out
grep -e "PASS" main.out
if [ $? != 0 ];
then
echo "gaps-test: FAIL: using rpm build macros did not produce an executable that passes annocheck"
- $ANNOCHECK main.exe $SKIPS --verbose --enable-notes
+ $ANNOCHECK main.exe $SKIPS --verbose
echo $GCC $OPTS $srcdir/main.c -o main.exe
end_test
exit 1

412
SOURCES/annobin.unicode.patch
View File

@ -1,412 +0,0 @@
--- /dev/null 2021-10-25 08:23:06.499675237 +0100
+++ annobin-9.85/tests/unicode-test 2021-10-26 17:50:14.620383879 +0100
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Copyright (c) 2021 Red Hat.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published
+# by the Free Software Foundation; either version 3, or (at your
+# option) any later version.
+#
+# It is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+TEST_NAME=unicode
+. $srcdir/common.sh
+
+OPTS="-O2 -g -Wl,-z,now -pie -fpie"
+
+start_test
+
+$GCC $OPTS $srcdir/trick-hello.s -o trick-hello.exe
+if [ $? != 0 ];
+then
+ echo "unicode-test: FAIL: Could not compile test source file"
+ end_test
+ exit 1
+fi
+
+# Run annocheck
+
+OPTS="--ignore-gaps --skip-all --test-unicode"
+
+$ANNOCHECK trick-hello.exe $OPTS > unicode.out
+grep -e "FAIL: unicode" unicode.out
+if [ $? != 0 ];
+then
+ echo "unicode-test: FAIL: annocheck did not detect suspicious symbol names"
+ $ANNOCHECK trick-hello.exe $OPTS --verbose
+ end_test
+ exit 1
+fi
+
+end_test
+
--- /dev/null 2021-10-25 08:23:06.499675237 +0100
+++ annobin-9.85/tests/trick-hello.s 2021-10-26 17:15:25.803197562 +0100
@@ -0,0 +1,33 @@
+ .file "trick-hello.c"
+ .text
+ .section .rodata
+.LC0:
+ .string "hah, gotcha!"
+ .text
+ .globl heoll
+ .type heoll, @function
+heoll:
+.LFB0:
+ nop
+.LFE0:
+ .size heoll, .-heoll
+ .section .rodata
+.LC1:
+ .string "Hello world"
+ .text
+ .globl hello
+ .type hello, @function
+hello:
+.LFB1:
+ nop
+.LFE1:
+ .size hello, .-hello
+ .globl main
+ .type main, @function
+main:
+.LFB2:
+ nop
+.LFE2:
+ .size main, .-main
+ .ident "GCC: (GNU) 11.2.1 20210728 (Red Hat 11.2.1-1)"
+ .section .note.GNU-stack,"",@progbits
diff -rup annobin.orig/Makefile.in annobin-9.72/Makefile.in
--- annobin.orig/Makefile.in 2021-10-27 17:34:09.438721166 +0100
+++ annobin-9.72/Makefile.in 2021-10-27 17:34:19.226658425 +0100
@@ -323,6 +323,7 @@ plugindir = @plugindir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
diff -rup annobin.orig/annocheck/Makefile.in annobin-9.72/annocheck/Makefile.in
--- annobin.orig/annocheck/Makefile.in 2021-10-27 17:34:09.443721134 +0100
+++ annobin-9.72/annocheck/Makefile.in 2021-10-27 17:34:19.227658419 +0100
@@ -314,6 +314,7 @@ plugindir = @plugindir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
diff -rup annobin.orig/annocheck/hardened.c annobin-9.72/annocheck/hardened.c
--- annobin.orig/annocheck/hardened.c 2021-10-27 17:34:09.443721134 +0100
+++ annobin-9.72/annocheck/hardened.c 2021-10-27 17:35:14.200306024 +0100
@@ -37,7 +37,8 @@
#define SOURCE_SEGMENT_CONTENTS "segment contents"
#define SOURCE_SEGMENT_HEADERS "segment headers"
#define SOURCE_STRING_SECTION "string section"
-#define SOURCE_COMMENT_SECTION "comment section"
+#define SOURCE_COMMENT_SECTION "comment section"
+#define SOURCE_SYMBOL_SECTION "symbol section"
#define GOLD_COLOUR "\e[33;40m"
#define RED_COLOUR "\x1B[31;47m"
@@ -199,6 +200,7 @@ enum test_index
TEST_STACK_REALIGN,
TEST_TEXTREL,
TEST_THREADS,
+ TEST_UNICODE,
TEST_WARNINGS,
TEST_WRITEABLE_GOT,
@@ -243,6 +245,7 @@ static test tests [TEST_MAX] =
TEST (stack-realign, STACK_REALIGN, "Compiled with -mstackrealign (i686 only)"),
TEST (textrel, TEXTREL, "There are no text relocations in the binary"),
TEST (threads, THREADS, "Compiled with -fexceptions"),
+ TEST (unicode, UNICODE, "No unicode symbol names"),
TEST (warnings, WARNINGS, "Compiled with -Wall"),
TEST (writeable-got, WRITEABLE_GOT, "The .got section is not writeable"),
};
@@ -1099,6 +1102,11 @@ interesting_sec (annocheck_data * da
if (streq (sec->secname, ".gdb_index"))
per_file.debuginfo_file = true;
+ if (tests[TEST_UNICODE].enabled
+ && (sec->shdr.sh_type == SHT_SYMTAB
+ || sec->shdr.sh_type == SHT_DYNSYM))
+ return true;
+
if (streq (sec->secname, ".text"))
{
/* Separate debuginfo files have a .text section with a non-zero
@@ -2829,6 +2837,64 @@ check_code_section (annocheck_data *
}
static bool
+contains_suspicious_characters (const unsigned char * name)
+{
+ uint i;
+ uint len = strlen ((const char *) name);
+
+ /* FIXME: Test that locale is UTF-8. */
+
+ for (i = 0; i < len; i++)
+ {
+ unsigned char c = name[i];
+
+ if (isgraph (c))
+ continue;
+
+ /* Control characters are always suspect. So are spaces and DEL */
+ if (iscntrl (c) || c == ' ' || c == 0x7f)
+ return true;
+
+ if (c < 0x7f) /* This test is probably redundant. */
+ continue;
+
+ return true;
+ }
+
+ return false;
+}
+
+static bool
+check_symbol_section (annocheck_data * data, annocheck_section * sec)
+{
+ if (! tests[TEST_UNICODE].enabled)
+ return true;
+
+ /* Scan the symbols looking for non-ASCII characters in their names
+ that might cause problems. Note - we do not examine the string
+ tables directly as there are perfectly legitimate reasons why these
+ characters might appear in strings. But when they are used for
+ identifier names, their use is ... problematic. */
+ GElf_Sym sym;
+ uint symndx;
+
+ for (symndx = 1; gelf_getsym (sec->data, symndx, & sym) != NULL; symndx++)
+ {
+ const char * symname = elf_strptr (data->elf, sec->shdr.sh_link, sym.st_name);
+
+ if (contains_suspicious_characters ((const unsigned char *) symname))
+ {
+ fail (data, TEST_UNICODE, SOURCE_SYMBOL_SECTION, "suspicious characters were found in a symbol name");
+ einfo (VERBOSE, "%s: info: symname: '%s', (%lu bytes long) in section: %s",
+ get_filename (data), symname, (unsigned long) strlen (symname), sec->secname);
+ if (!BE_VERBOSE)
+ break;
+ }
+ }
+ return true;
+}
+
+static bool
check_sec (annocheck_data * data,
annocheck_section * sec)
{
@@ -2839,6 +2905,8 @@ check_sec (annocheck_data * data,
selected in interesting_sec(). */
switch (sec->shdr.sh_type)
{
+ case SHT_SYMTAB:
+ case SHT_DYNSYM: return check_symbol_section (data, sec);
case SHT_NOTE: return check_note_section (data, sec);
case SHT_STRTAB: return check_string_section (data, sec);
case SHT_DYNAMIC: return check_dynamic_section (data, sec);
@@ -3526,6 +3594,7 @@ finish (annocheck_data * data)
case TEST_RWX_SEG:
case TEST_TEXTREL:
case TEST_THREADS:
+ case TEST_UNICODE:
case TEST_WRITEABLE_GOT:
/* The absence of a result for these tests actually means that they have passed. */
pass (data, i, SOURCE_FINAL_SCAN, NULL);
Only in annobin-9.72/annocheck: hardened.c.orig
Only in annobin-9.72/annocheck: hardened.c.rej
diff -rup annobin.orig/configure annobin-9.72/configure
--- annobin.orig/configure 2021-10-27 17:34:09.438721166 +0100
+++ annobin-9.72/configure 2021-10-27 17:34:19.229658406 +0100
@@ -763,6 +763,7 @@ infodir
docdir
oldincludedir
includedir
+runstatedir
localstatedir
sharedstatedir
sysconfdir
@@ -860,6 +861,7 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1112,6 +1114,15 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
+ -runstatedir | --runstatedir | --runstatedi | --runstated \
+ | --runstate | --runstat | --runsta | --runst | --runs \
+ | --run | --ru | --r)
+ ac_prev=runstatedir ;;
+ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+ | --run=* | --ru=* | --r=*)
+ runstatedir=$ac_optarg ;;
+
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1249,7 +1260,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir
+ libdir localedir mandir runstatedir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@@ -1402,6 +1413,7 @@ Fine tuning of the installation director
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
+ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
Only in annobin-9.72: configure.orig
diff -rup annobin.orig/doc/Makefile.in annobin-9.72/doc/Makefile.in
--- annobin.orig/doc/Makefile.in 2021-10-27 17:34:09.439721160 +0100
+++ annobin-9.72/doc/Makefile.in 2021-10-27 17:34:19.229658406 +0100
@@ -329,6 +329,7 @@ plugindir = @plugindir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
diff -rup annobin.orig/doc/annobin.info annobin-9.72/doc/annobin.info
--- annobin.orig/doc/annobin.info 2021-10-27 17:34:09.440721153 +0100
+++ annobin-9.72/doc/annobin.info 2021-10-27 17:34:19.230658399 +0100
@@ -737,6 +737,7 @@ File: annobin.info, Node: Hardened, Ne
[-skip-stack-realign]
[-skip-textrel]
[-skip-threads]
+ [-skip-unicode]
[-skip-warnings]
[-skip-writeable-got]
[-test-NAME]
@@ -863,6 +864,10 @@ code to support the test.
Check that the program was built by a production-ready compiler.
Disabled by '--skip-production'.
+'Unicode'
+ This test checks for the presence of multibyte characters in symbol
+ names, which are unusual and potentially dangerous.
+
The tool does support a couple of other command line options as well:
'--skip-future'
Only in annobin-9.72/doc: annobin.info.orig
Only in annobin-9.72/doc: annobin.info.rej
diff -rup annobin.orig/doc/annobin.texi annobin-9.72/doc/annobin.texi
--- annobin.orig/doc/annobin.texi 2021-10-27 17:34:09.439721160 +0100
+++ annobin-9.72/doc/annobin.texi 2021-10-27 17:34:19.230658399 +0100
@@ -842,6 +842,7 @@ annocheck
[@b{--skip-stack-realign}]
[@b{--skip-textrel}]
[@b{--skip-threads}]
+ [@b{--skip-unicode}]
[@b{--skip-warnings}]
[@b{--skip-writeable-got}]
[@b{--test-@var{name}}]
@@ -983,6 +984,11 @@ Check that the program makes consistent
@item Production Ready Compiler
Check that the program was built by a production-ready compiler.
Disabled by @option{--skip-production}.
+
+@item Unicode
+This test checks for the presence of multibyte characters in symbol
+names, which are unusual and potentially dangerous.
+
@end table
The tool does support a couple of other command line options as well:
Only in annobin-9.72/doc: annobin.texi.orig
diff -rup annobin.orig/gcc-plugin/Makefile.in annobin-9.72/gcc-plugin/Makefile.in
--- annobin.orig/gcc-plugin/Makefile.in 2021-10-27 17:34:09.443721134 +0100
+++ annobin-9.72/gcc-plugin/Makefile.in 2021-10-27 17:34:19.230658399 +0100
@@ -333,6 +333,7 @@ plugindir = @plugindir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
diff -rup annobin.orig/scripts/Makefile.in annobin-9.72/scripts/Makefile.in
--- annobin.orig/scripts/Makefile.in 2021-10-27 17:34:09.441721146 +0100
+++ annobin-9.72/scripts/Makefile.in 2021-10-27 17:34:19.230658399 +0100
@@ -284,6 +284,7 @@ plugindir = @plugindir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
diff -rup annobin.orig/tests/Makefile.am annobin-9.72/tests/Makefile.am
--- annobin.orig/tests/Makefile.am 2021-10-27 17:34:09.444721127 +0100
+++ annobin-9.72/tests/Makefile.am 2021-10-27 17:34:19.230658399 +0100
@@ -22,6 +22,7 @@ TESTS=compile-test \
missing-notes-test \
active-checks-test \
property-note-test \
+ unicode-test \
hardening-fail-test
if HAVE_DEBUGINFOD
diff -rup annobin.orig/tests/Makefile.in annobin-9.72/tests/Makefile.in
--- annobin.orig/tests/Makefile.in 2021-10-27 17:34:09.444721127 +0100
+++ annobin-9.72/tests/Makefile.in 2021-10-27 17:34:19.230658399 +0100
@@ -459,6 +459,7 @@ plugindir = @plugindir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
@@ -479,7 +480,7 @@ TESTS = compile-test abi-test active-che
hardening-test instrumentation-test lto-test \
missing-notes-test objcopy-test section-size-test \
missing-notes-test active-checks-test property-note-test \
- hardening-fail-test $(am__append_1)
+ unicode-test hardening-fail-test $(am__append_1)
all: all-am
.SUFFIXES:
@@ -764,6 +765,13 @@ property-note-test.log: property-note-te
$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
--log-file $$b.log --trs-file $$b.trs \
$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+unicode-test.log: unicode-test
+ @p='unicode-test'; \
+ b='unicode-test'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
"$$tst" $(AM_TESTS_FD_REDIRECT)
debuginfod-test.log: debuginfod-test
@p='debuginfod-test'; \
Only in annobin-9.72/tests: trick-hello.s
Only in annobin-9.72/tests: unicode-test

137
SPECS/annobin.spec
View File

@ -1,8 +1,8 @@
Name: annobin
Summary: Annotate and examine compiled binary files
Version: 9.72
Release: 1%{?dist}.2
Version: 10.29
Release: 3%{?dist}
License: GPLv3+
# ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark
# Maintainer: nickc@redhat.com
@ -56,7 +56,7 @@ Source: annobin-%{version}.tar.xz
# Insert patches here, if needed.
Patch01: annobin-nop.patch
Patch02: annobin.unicode.patch
Patch02: annobin-gaps-test.patch
#---------------------------------------------------------------------------------
@ -155,11 +155,11 @@ of the resulting files.
%package annocheck
Summary: A tool for checking the security hardening status of binaries
BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel
BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel make
%if %{with debuginfod}
BuildRequires: elfutils-debuginfod-client-devel
BuildRequires: make
%endif
Requires: cpio rpm
%description annocheck
Installs the annocheck program which uses the notes generated by annobin to
@ -193,7 +193,6 @@ fi
echo "Requires: (gcc >= %{gcc_major} and gcc < %{gcc_next})"
%autosetup -p1
chmod +x tests/unicode-test
# The plugin has to be configured with the same arcane configure
# scripts used by gcc. Hence we must not allow the Fedora build
@ -280,6 +279,7 @@ make -C llvm-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS"
# Change the following line to "make check || :" on RHEL7 or if you need to see the
# test suite logs in order to diagnose a test failure.
make check
if [ -f tests/test-suite.log ]; then
cat tests/test-suite.log
fi
@ -298,10 +298,10 @@ fi
%doc %{_datadir}/doc/annobin-plugin/annotation.proposal.txt
%doc %{_infodir}/annobin.info.gz
%doc %{_mandir}/man1/annobin.1.gz
%doc %{_mandir}/man1/built-by.1.gz
%doc %{_mandir}/man1/check-abi.1.gz
%doc %{_mandir}/man1/hardened.1.gz
%doc %{_mandir}/man1/run-on-binaries-in.1.gz
%exclude %{_mandir}/man1/built-by.1*
%exclude %{_mandir}/man1/check-abi.1*
%exclude %{_mandir}/man1/hardened.1*
%exclude %{_mandir}/man1/run-on-binaries-in.1*
%if %{with clangplugin}
%{ANNOBIN_CLANG_PLUGIN_DIR}
@ -319,11 +319,120 @@ fi
#---------------------------------------------------------------------------------
%changelog
* Mon Nov 1 2021 Siddhesh Poyarekar <siddhesh@redhat.com> - 9.72-1.2
- Bump NVR and rebuild to use the new gcc. (#2017362)
* Tue Feb 08 2022 Nick Clifton <nickc@redhat.com> - 10.29-3
- NVR bump in order to allow rebuilding against latest gcc. (#2052060)
* Wed Oct 27 2021 Nick Clifton <nickc@redhat.com> - 9.72-1.1
- Annocheck: Add test for multibyte characters in symbol names. (#2017362)
* Mon Jan 24 2022 Nick Clifton <nickc@redhat.com> - 10.29-2
- Spec File: Add "Requires: rpm cpio" to annocheck sub-package. (#2043474)
* Tue Nov 30 2021 Nick Clifton <nickc@redhat.com> - 10.28-1
- gcc-plugin: Fix bug creating empty attachments. (#2026944)
- Annocheck: Change MAYB result to SKIP for DT_RPATH. (#2026300)
* Mon Nov 22 2021 Nick Clifton <nickc@redhat.com> - 10.27-1
- Annocheck: Skip missing fortify/warning notes for ARM32.
- gcc-plugin: Try another fix for ppc64le section grouping. (#2023437)
- gcc-plugin: Revert 10.22 change. (#2023437)
- Annocheck: Add exception for /usr/sbin/ldconfig. (#2022973)
* Mon Nov 08 2021 Nick Clifton <nickc@redhat.com> - 10.23-1
- Annocheck: Add a test for unicode characters in identifiers. (#2017363)
- gcc-plugin: Default to link-order grouping for PPC64LE. (#2016458)
* Wed Oct 27 2021 Nick Clifton <nickc@redhat.com> - 10.21-3
- annocheck: Disable LTO test when checking ldconfig (attempt 3). (#2017039)
* Tue Oct 26 2021 Nick Clifton <nickc@redhat.com> - 10.21-2
- annocheck: Disable LTO test when checking ldconfig (attempt 2). (#2017039)
* Tue Oct 26 2021 Nick Clifton <nickc@redhat.com> - 10.21-1
- annocheck: Disable LTO test when checking ldconfig. (#2017039)
* Mon Oct 25 2021 Nick Clifton <nickc@redhat.com> - 10.20-1
- annocheck: Add more glibc function names. (#2017039)
- gcc-plugin: Fix attaching the .text section to the .text.group section.
- Complain about DT_RPATH for Fedora binaries.
- Better reporting of problems in object files. (#2013708)
- Add a requirement on llvm-libs for clang and llvm plugins. (#2014573)
- Fix configuring annocheck without gcc-plugin.
- Annocheck: Better reporting of debuginfod problems.
- Tests: Fix bugs in debuginfod test.
* Mon Oct 18 2021 Nick Clifton <nickc@redhat.com> - 10.15-2
- Exclude man pages for uninstalled scripts. (#2013565)
* Wed Oct 13 2021 Nick Clifton <nickc@redhat.com> - 10.15-1
- Annocheck: Add tests based upon recent bug fixes.
- Annocheck: Another tweak to glibc detection code.
* Mon Oct 11 2021 Nick Clifton <nickc@redhat.com> - 10.13-1
- Annocheck: Fix memory corruptions when using --debug-path and when a corrupt note is found. (#20011438)
- Annocheck: Fix MAYB results for mixed GO/C files.
- Annocheck: Move some messages from VERBOSE to VERBOSE2.
- Annocheck: Scan zero-length tool notes. (#2011818)
* Wed Oct 06 2021 Nick Clifton <nickc@redhat.com> - 10.11-1
- Annocheck: Fix covscan detected flaws. (#201129)
- plugins: Add more required build options. (#2011163)
* Tue Oct 05 2021 Nick Clifton <nickc@redhat.com> - 10.10-1
- Annocheck: Fix cf-prot test to fail if the CET notes are missing. (#2010671)
- Annocheck: Skip gaps in the .plt section. (#2010675)
- Plugins: Add -g option when building LLVM and Clang. (#2010675)
* Mon Oct 04 2021 Nick Clifton <nickc@redhat.com> - 10.09-1
- Annocheck: Add more cases of glibc startup functions. (#1981410)
- Annocheck: Fix covscan detected problems.
- Annocheck: Add --profile=el8.
- gcc-plugin: Conditionalize generation of branch protection note.
- Annocheck: Ignore gaps containing NOP instructions.
* Wed Sep 29 2021 Nick Clifton <nickc@redhat.com> - 10.06-1
- Rebase to 10.06. (#2002351)
- GCC Plugin: Fix detection of running inside the LTO compiler. (#2004917)
- Annocheck: Do not insist on the DT_AARCH64_PAC_PLT flag being present in AArch64 binaries.
- Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result.
- Annocheck: Do not set CFLAGS/LDFLAGS when building. Take from environment instead.
- Annocheck: Fix exit code when tests PASS.
- Documentation: Add node for each hardening test.
- Documentation: Install online.
- Annocheck: Annote FAIL and MAYB results with URL to documentation
- Annocheck: Add --no-urls and --provide-urls options
- Annocheck: Add --help-<tool> option.
- Annocheck: Fix fuzzing detected failures.
- Annocheck: Add --profile option.
- Docs: Document --profile option and rpminspect.yaml.
- Annocheck: Skip GO/CET checks. Fix fuzzing detected failures.
- LLVM Plugin: Automatically choose the correct tests to run, based upon the version of Clang installed. (#1997444)
- Annocheck: Fix memory corruption. (#1996963)
- Annocheck: Fix conditionalization of AArch64's PAC+BTI detection.
- Annocheck: Add linker generated function for ppc64le exceptions. (#1981410)
- LLVM Plugin: Allow checks to be selected from the command line.
- Annocheck: Examine DW_AT_producer for -flto.
- Annocheck: Conditionalize detection of AArch64's PAC+BTI protection.
- Annocheck: Add linker generated function for s390x exceptions. (#1981410)
- Annocheck: Generate MAYB results for gaps in notes covering the .text section. (#1991943)
- Annocheck: Close DWARF file descriptors once the debug info is no longer needed. (#1981410)
- LLVM Plugin: Update to build with Clang v13. (Thanks to: Tom Stellard <tstellar@redhat.com>)
- Annocheck: Fix memory corruption. (#1988715)
- Annocheck: Skip certain tests for kernel modules.
- Annocheck: Detect a missing CET note. (#1991931)
- Annocheck: Do not report future fails for AArch64 notes.
- Annocheck: Warn about multiple --debug-file, --debug-rpm and --debug-dir options.
- Annocheck: Process files in command line order. (#1988714)
- Annocheck: Reverse AArch64 PAC+BTI check, ie fail if they are enabled. (#1984995)
- Annocheck: Add another test exceptions.
- Annocheck: Add some more test exceptions.
- Tests: Skip glibc-notes test if the assembler does not support --generate-missing-build-notes. (#1978573)
- Tests: Skip objcopy test if objcopy does not support --merge-notes.
- Annocheck: Fix spelling mistake in -mstack-realign failure message. (#1977349)
- gcc-plugin: Do not record global versions of stack protection settings in LTO mode, if not set. (#1958954)
- Annocheck: Remove limit on number of input files.
- clang/llvm plugins: Build with correct security options.
- Annocheck: Better detection of GO compiler version.
- Annocheck: Better support for symbolic links.
- Annocheck: In verbose mode, report the reason for skipping specific tests. (#1969584)
- Annocheck: Improve detection of shared libraries. (#1958954)
* Mon May 17 2021 Nick Clifton <nickc@redhat.com> - 9.72-1
- Rebase to 9.72. (#1960299)