diff --git a/.annobin.metadata b/.annobin.metadata index 3349890..9cbd4e4 100644 --- a/.annobin.metadata +++ b/.annobin.metadata @@ -1 +1 @@ -35001808b4ad6fd3f9f88301adf78d987a0a02ce SOURCES/annobin-9.90.tar.xz +cb5a3c922fa3018c7df177d27357a04cfc9085e5 SOURCES/annobin-10.29.tar.xz diff --git a/.gitignore b/.gitignore index 19ba6ab..913d4cc 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/annobin-9.90.tar.xz +SOURCES/annobin-10.29.tar.xz diff --git a/SPECS/annobin.spec b/SPECS/annobin.spec index 6802d60..887acf4 100644 --- a/SPECS/annobin.spec +++ b/SPECS/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.90 +Version: 10.29 Release: 1%{?dist} License: GPLv3+ # Maintainer: nickc@redhat.com @@ -37,7 +37,7 @@ License: GPLv3+ # checking logic or when building on RHEL-7 or earlier. %global with_hard_gcc_version_requirement 1 -%bcond_with plugin_rebuild +%bcond_without plugin_rebuild # Allow the building of annobin without using annobin itself. # This is because if we are bootstrapping a new build environment we can have # a new version of gcc installed, but without a new of annobin installed. @@ -54,9 +54,13 @@ License: GPLv3+ #--------------------------------------------------------------------------------- -Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz +%global annobin_sources annobin-%{version}.tar.xz +Source: https://nickc.fedorapeople.org/%{annobin_sources} # For the latest sources use: git clone git://sourceware.org/git/annobin.git +# This is where a copy of the sources will be installed. +%global annobin_source_dir %{_usrsrc}/annobin + # Insert patches here, if needed. Eg: # Patch01: annobin-foo.patch 
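Review bot: In the `@@ -54,9 +54,13 @@` hunk, the tarball named by the new `annobin_sources` macro is now both built and, per the later `%install` hunk, copied into the binary package. The only integrity pin visible in this diff is the 40-hex-digit (SHA-1 length) entry in `.annobin.metadata`. If upstream publishes a detached signature, consider adding it as a second `Source` and verifying it in `%prep`; whether `%prep` already does so cannot be seen from here. The neighbouring comment also still points at `git clone git://sourceware.org/git/annobin.git`, an unauthenticated transport; `https://sourceware.org/git/annobin.git` would be the safer reference.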
@@ -174,14 +178,19 @@ hardening options. %global ANNOBIN_GCC_PLUGIN_DIR %(gcc --print-file-name=plugin) -%if %{with clangplugin} || %{with llvmplugin} -# FIXME: We currently assume that the first directory listed in clang's -# search directory output is the one that we should use for plugins. -# This might not be correct. -# The gensub() below is because without it $2 would look like: -# " =/usr/lib64/clang/8.0.0" -# Note - we install LLVM plugins into the same directory as Clang plugins. -%global ANNOBIN_CLANG_PLUGIN_DIR %(clang --print-search-dirs | gawk -e'BEGIN { FS = ":" } /libraries/ { print gensub(" =","",1,$2) } END { }') +%{!?llvm_version:%global llvm_version 12.0.1} +%{!?llvm_plugin_dir:%global llvm_plugin_dir %{_libdir}/llvm/%{llvm_version}} +%{!?clang_plugin_dir:%global clang_plugin_dir %{_libdir}/clang/%{llvm_version}} + +%if %{with gccplugin} +# The next line has been stolen from redhat-rpm-config.spec. +# We install a version info file into this directory, rather than gcc's plugin +# directory, because there is no reliable way for redhat-rpm-config to +# determine the name of gcc's plugin directory. +%global rrcdir /usr/lib/rpm/redhat + +# Information about the gcc plugin is recorded in this file. +%global aver %{rrcdir}/annobin-plugin-version-info %endif #--------------------------------------------------------------------------------- 
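Review bot: The `llvm_version` fallback of `12.0.1` is hard-coded, so `llvm_plugin_dir` and `clang_plugin_dir` go stale as soon as the buildroot's Clang/LLVM is updated without a matching `--define`. The build would presumably still succeed, with the plugins installed under a versioned directory that no longer matches the compiler, and the missing annotations would only show up later in annocheck results. At minimum, document the coupling above the three defaults, e.g. `# Fallback only: must match the Clang/LLVM version in the buildroot; override with --define "llvm_version X.Y.Z"`. A build-time comparison against the installed compiler's reported version, failing on mismatch, would be stronger. The hard-coded `rrcdir` is explained by the added comment and looks fine.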
@@ -232,18 +241,20 @@ CONFIG_ARGS="$CONFIG_ARGS --with-llvm" CONFIG_ARGS="$CONFIG_ARGS --without-test" %endif -%configure ${CONFIG_ARGS} || cat config.log - -%ifarch %{ix86} x86_64 -# FIXME: There should be a better way to do this. -export CLANG_TARGET_OPTIONS="-fcf-protection" -%endif +%set_build_flags # Fedora supports AArch64's -mbranch-protection=bti, RHEL does not. %if 0%{?fedora} != 0 export CFLAGS="$CFLAGS -DAARCh64_BRANCH_PROTECTION_SUPPORTED=1" %endif +CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS" CXXFLAGS="$CFLAGS" %configure ${CONFIG_ARGS} || cat config.log + +%ifarch %{ix86} x86_64 +# FIXME: There should be a better way to do this. +export CLANG_TARGET_OPTIONS="-fcf-protection" +%endif + %make_build %if %{with plugin_rebuild} 
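Review bot: The re-added configure line still ends in `|| cat config.log`, and because `cat` exits 0, a failed configure does not stop `%build`. The failure is then only caught later, if at all, by `%make_build`. Make it fatal after dumping the log: `... %configure ${CONFIG_ARGS} || { cat config.log; exit 1; }`. The same line sets `CXXFLAGS="$CFLAGS"`, which hands the C flags (including the `-D` added just above on Fedora) to the C++ plugin builds and discards any C++-specific flags `%set_build_flags` produced. If that is deliberate, a one-line comment saying so would help; otherwise use `CXXFLAGS="$CXXFLAGS"`.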
@@ -289,7 +300,29 @@ make -C llvm-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS" # PLUGIN_INSTALL_DIR is used by the Clang and LLVM makefiles... %install -%make_install PLUGIN_INSTALL_DIR=$RPM_BUILD_ROOT%{ANNOBIN_CLANG_PLUGIN_DIR} +%make_install PLUGIN_INSTALL_DIR=%{buildroot}/%{llvm_plugin_dir} + +%if %{with clangplugin} +# Move the clang plugin to a seperate directory. +mkdir -p %{buildroot}/%{clang_plugin_dir} +mv %{buildroot}/%{llvm_plugin_dir}/annobin-for-clang.so %{buildroot}/%{clang_plugin_dir} +%endif + +%if %{with gccplugin} +# Record the version of gcc that built this plugin. +mkdir -p %{buildroot}%{rrcdir} +rm -f %{buildroot}%{aver} +# Note - the comparison logic in redhat-rpm-config's %%triggger macros require +# that the plugin builder information appear as the first three numbers in the file. +echo %{gcc_vr} > %{buildroot}%{aver} +# Provide a more complete version information string on the second line. +echo "%{ANNOBIN_GCC_PLUGIN_DIR}/annobin.so.0.0.0 was built by gcc version %{gcc_vr} from the %{version} sources" >> %{buildroot}%{aver} + +# Also install a copy of the sources into the build tree. +mkdir -p %{buildroot}%{annobin_source_dir} +cp %{_sourcedir}/%{annobin_sources} %{buildroot}%{annobin_source_dir}/latest-annobin.tar.xz +%endif + rm -f %{buildroot}%{_infodir}/dir #--------------------------------------------------------------------------------- 
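Review bot: `echo %{gcc_vr} > %{buildroot}%{aver}` writes whatever `gcc_vr` expands to, and that macro is defined outside this hunk. If it is ever undefined, the literal text `%{gcc_vr}` lands in the file that, according to the added comment, redhat-rpm-config's triggers parse for the first three numbers. A guard before the write makes that a build failure instead of a silently wrong version file: `%{!?gcc_vr:%{error:gcc_vr is not defined}}`. For the source copy, `install -p -m 0644 %{_sourcedir}/%{annobin_sources} %{buildroot}%{annobin_source_dir}/latest-annobin.tar.xz` pins the mode rather than inheriting it from the build user's umask. The added comments also contain the typos "seperate" and "%%triggger".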
@@ -313,17 +346,23 @@ fi %doc %{_datadir}/doc/annobin-plugin/annotation.proposal.txt %{_infodir}/annobin.info* %{_mandir}/man1/annobin.1* -%{_mandir}/man1/built-by.1* -%{_mandir}/man1/check-abi.1* -%{_mandir}/man1/hardened.1* -%{_mandir}/man1/run-on-binaries-in.1* +%exclude %{_mandir}/man1/built-by.1* +%exclude %{_mandir}/man1/check-abi.1* +%exclude %{_mandir}/man1/hardened.1* +%exclude %{_mandir}/man1/run-on-binaries-in.1* -%if %{with clangplugin} || %{with llvmplugin} -%{ANNOBIN_CLANG_PLUGIN_DIR} +%if %{with clangplugin} +%{clang_plugin_dir}/annobin-for-clang.so +%endif + +%if %{with llvmplugin} +%{llvm_plugin_dir}/annobin-for-llvm.so %endif %if %{with gccplugin} %{ANNOBIN_GCC_PLUGIN_DIR} +%{aver} +%{annobin_source_dir}/latest-annobin.tar.xz %endif %if %{with annocheck} 
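Review bot: The gccplugin branch lists `%{annobin_source_dir}/latest-annobin.tar.xz` but not the directory itself, which `%install` creates with `mkdir -p`. As written, `/usr/src/annobin` is owned by no package, so its mode and ownership are not covered by `rpm -V` and it is left behind on erase. Add `%dir %{annobin_source_dir}` above the tarball entry. The same question applies to `%{clang_plugin_dir}` and `%{llvm_plugin_dir}`, which are presumably owned by the clang and llvm packages; that cannot be confirmed from this hunk.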
@@ -335,6 +374,87 @@ fi #--------------------------------------------------------------------------------- %changelog +* Thu Nov 25 2021 Nick Clifton - 10.29-1 +- gcc-plugin: Fix bug creating empty attachments. +- Annocheck: Change MAYB result to SKIP for DT_RPATH. (#2026300) +- Annocheck: Skip missing fortify/warning notes for ARM32. + +* Thu Nov 18 2021 Nick Clifton - 10.26-1 +- gcc-plugin: Another attempt at fixing ppc64le section grouping. (#2016458) + +* Tue Nov 16 2021 Nick Clifton - 10.25-1 +- gcc-plugin: Revert 10.22 change. (#2023437) +- Annocheck: Add exception for /usr/sbin/ldconfig. (#2022973) + +* Mon Nov 08 2021 Nick Clifton - 10.23-1 +- Annocheck: Add a test for unicode characters in identifiers. (#2009287) + +* Wed Oct 27 2021 Nick Clifton - 10.22-1 +- gcc-plugin: Default to link-order grouping for PPC64LE. (#2016458) +- Annocheck: Do not fail if a --skip- option does not match a known test. +- ldconfig-test: Skip the LTO check. + +* Tue Oct 26 2021 Nick Clifton - 10.20-1 +- annocheck: Add more glibc functions. +- gcc-plugin: Attach the .text section to the .text.group. (#2016458) + +* Tue Oct 19 2021 Nick Clifton - 10.17-1 +- Better reporting of problems in object files. (#2013708) + +* Mon Oct 18 2021 Nick Clifton - 10.16-1 +- Fix -mstackrealign test for non-GCC compiled files. (#2013658) + +* Thu Oct 14 2021 Nick Clifton - 10.15-2 +- Re-enable use of annobin plugin when building annobin. (#2013658) +- Exclude man pages for uninstalled scripts. (#2013562) + +* Wed Oct 13 2021 Nick Clifton - 10.15-1 +- Annocheck: Add tests based upon recent bug fixes. +- Annocheck: Another tweak to glibc detection code. + +* Fri Oct 08 2021 Nick Clifton - 10.13-1 +- Annocheck: Fix memory corruptions when using --debug-path and when a corrupt note is found. (#20011438) +- Annocheck: Fix MAYB results for mixed GO/C files. +- Annocheck: Move some messages from VERBOSE to VERBOSE2. +- Annocheck: Scan zero-length tool notes. 
+ +* Wed Oct 06 2021 Nick Clifton - 10.11-1 +- Annocheck: Fix covscan detected flaws. +- plugins: Add more required build options. (#2011163) + +* Tue Oct 05 2021 Nick Clifton - 10.10-1 +- Annocheck: Fix cf-prot test to fail if the CET notes are missing. (#2010671) +- Annocheck: Skip gaps in the .plt section. (#2010675) +- Plugins: Add -g option when building LLVM and Clang. (#2010675) + +* Mon Oct 04 2021 Nick Clifton - 10.09-1 +- Annocheck: Add more cases of glibc startup functions. (#1981410) +- Annocheck: Fix covscan detected problems. +- Annocheck: Add --profile=el8. +- gcc-plugin: Conditionalize generation of branch protection note. +- Annocheck: Ignore gaps containing NOP instructions. + +* Thu Sep 16 2021 Nick Clifton - 10.06-1 +- GCC Plugin: Fix detection of running inside the LTO compiler. (#2004917) +- Annocheck: Do not insist on the DT_AARCH64_PAC_PLT flag being present in AArch64 binaries. +- Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result. (#1995224) +- Annocheck: Do not set CFLAGS/LDFLAGS when building. Take from environment instead. +- Annocheck: Fix exit code when tests PASS. +- Documentation: Add node for each hardening test. +- Documentation: Install online. +- Annocheck: Annote FAIL and MAYB results with URL to documentation +- Annocheck: Add --no-urls and --provide-urls options +- Annocheck: Add --help- option. +- Annocheck: Fix fuzzing detected failures. +- Annocheck: Add --profile option. +- Docs: Document --profile option and rpminspect.yaml. +- Annocheck: Skip GO/CET checks. Fix fuzzing detected failures. +- LLVM Plugin: Automatically choose the correct tests to run, based upon the version of Clang installed. (#1997444) +- spec file: Add the installation of the annobon sources into /usr/src/annobin. +- Annocheck: Fix memory corruption. (#1996963) +- spec file: Add the creation of a gcc-plugin version info file in /usr/lib/rpm/redhat. 
+- Annocheck: Fix conditionalization of AArch64's PAC+BTI detection. + * Wed Aug 18 2021 Nick Clifton - 9.90-1 - Annocheck: Add linker generated function for ppc64le exceptions. (#1981410) - LLVM Plugin: Allow checks to be selected from the command line.