From b04c9c4f90b913311cf88940ebb8e02051a2bda3 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 13 Apr 2021 20:07:40 +0000
Subject: [PATCH] import annobin-9.65-1.el8
---
 .annobin.metadata | 2 +-
 .gitignore | 2 +-
 SOURCES/annobin-skip-stack-prot.patch | 31 +++++++++++++++++++++++++++
 SPECS/annobin.spec | 27 +++++++++++++++++++++--
 4 files changed, 58 insertions(+), 4 deletions(-)
 create mode 100644 SOURCES/annobin-skip-stack-prot.patch
diff --git a/.annobin.metadata b/.annobin.metadata
index 326cd4e..59080ac 100644
--- a/.annobin.metadata
+++ b/.annobin.metadata
@@ -1 +1 @@
-a685f1ad709538c60b87a80594b1e19db105642f SOURCES/annobin-9.50.tar.xz
+8f065c03bd8a5b86e99a66cfc9caa28ea362793f SOURCES/annobin-9.65.tar.xz
diff --git a/.gitignore b/.gitignore
index fcc5277..2fcb5e5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/annobin-9.50.tar.xz
+SOURCES/annobin-9.65.tar.xz
diff --git a/SOURCES/annobin-skip-stack-prot.patch b/SOURCES/annobin-skip-stack-prot.patch
new file mode 100644
index 0000000..2536c63
--- /dev/null
+++ b/SOURCES/annobin-skip-stack-prot.patch
@@ -0,0 +1,31 @@
+diff --git a/annocheck/hardened.c b/annocheck/hardened.c
+index d41c740..83645a7 100644
+--- a/annocheck/hardened.c
++++ b/annocheck/hardened.c
+@@ -3523,8 +3523,12 @@ finish (annocheck_data * data)
+ case TEST_STACK_PROT:
+ if (per_file.current_tool == TOOL_GO)
+ skip (data, i, SOURCE_FINAL_SCAN, "GO is stack safe");
++ else if (per_file.seen_tools == TOOL_GAS
++ || (per_file.gcc_from_comment && per_file.seen_tools == (TOOL_GAS | TOOL_GCC)))
++ skip (data, i, SOURCE_FINAL_SCAN, "no compiled code found");
+ else if (is_C_compiler (per_file.seen_tools))
+- maybe (data, i, SOURCE_FINAL_SCAN, "no valid notes found regarding this test");
++ /* The skip is necessary because some glibc code is built this way. */
++ skip (data, i, SOURCE_FINAL_SCAN, "no notes found regarding this feature");
+ else
+ skip (data, i, SOURCE_FINAL_SCAN, "not compiled code");
+ break;
+diff --git a/tests/glibc-notes-test b/tests/glibc-notes-test
+index ab9e639..8496af8 100755
+--- a/tests/glibc-notes-test
++++ b/tests/glibc-notes-test
+@@ -31,7 +31,7 @@ $GCC -pie -Wl,-z,now hello.o hello2.o hello3.o -L. -lhello -o glibc-notes.exe
+
+ # Run annocheck
+
+-$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --ignore-gaps > glibc-notes.out
++$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --skip-stack-realign --ignore-gaps > glibc-notes.out
+ grep -e "PASS" glibc-notes.out
+ if [ $? != 0 ];
+ then
diff --git a/SPECS/annobin.spec b/SPECS/annobin.spec
index 5c3e5c3..4f510c6 100644
--- a/SPECS/annobin.spec
+++ b/SPECS/annobin.spec
@@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.50 +Version: 9.65 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark
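Review bot: The `is_C_compiler (per_file.seen_tools)` branch of `case TEST_STACK_PROT` in the embedded annocheck/hardened.c patch now downgrades a C-compiled file with no stack-protector notes from `maybe` to `skip`, and it does so for every such file rather than only for the glibc objects named in the comment. A binary built without the annobin plugin, or with its notes removed, would then presumably no longer be called out by this test, so the exception would be safer if limited to the glibc case. If the broad skip has to stay, the comment should say that the result is unknown rather than verified, e.g. `/* No notes means stack protection is unverified, not confirmed; skipped rather than MAYBE only because some glibc code is built this way. */`. finish() begins and ends outside the hunk, so how a `skip` is counted in the final verdict is not visible here.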
@@ -55,7 +55,7 @@ Source: annobin-%{version}.tar.xz # For the latest sources use: git clone git://sourceware.org/git/annobin.git # Insert patches here, if needed. -# Patch01: annobin-xxx.patch +Patch01: annobin-skip-stack-prot.patch #---------------------------------------------------------------------------------
@@ -157,6 +157,7 @@ Summary: A tool for checking the security hardening status of binaries BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel %if %{with debuginfod} BuildRequires: elfutils-debuginfod-client-devel +BuildRequires: make %endif %description annocheck
@@ -280,6 +281,9 @@ make check if [ -f tests/test-suite.log ]; then cat tests/test-suite.log fi +if [ -f tests/glibc-notes.log ]; then + cat tests/glibc-notes.log +fi %endif #---------------------------------------------------------------------------------
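Review bot: The `BuildRequires: make` added in the `@@ -157,6 +157,7 @@` hunk sits between `%if %{with debuginfod}` and `%endif`, so it only takes effect when the debuginfod conditional is enabled. The `make check` step visible in the `@@ -280,6 +281,9 @@` hunk needs make regardless of that option, so a build with debuginfod disabled would depend on make being present by accident. The line should move above the `%if`, next to the unconditional `BuildRequires: gcc elfutils elfutils-devel ...` line.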
@@ -313,6 +317,25 @@ fi #--------------------------------------------------------------------------------- %changelog +* Wed Mar 17 2021 Nick Clifton - 9.65-1 +- gcc-plugin: Use a fixed filename when running in LTO mode. + +* Wed Mar 03 2021 Nick Clifton - 9.64-1 +- Annocheck: Fix detection of special function names. (#1934189) +- Annocheck: FAIL the deliberate use of -fno-stack-protector, but add some exceptions for glibc. (#1923439) +- Annocheck: Add colour to some messages. Skip the deliberate use of -fno-stack-protector. (#1923439) +- Annocheck: Fix some problems with tests for missing notes. +- Add some GO tests to annocheck. +- Add a future fail for the presence of RPATH in the dynamic tags. +- Add the ability to disable the warning message about -D_FORTIFY_SOURCE being missing. +- Workaround for elflint problems with PPC compiled files. (#1880634) +- Fix bogus AArch64 test failures. +- Improved testing by annocheck. Add fixed format message mode. +- Fix inconsistency reporting -fcf-protection and -fstack-clash-protection results. +- Add support for -D_FORTIFY_SOURCE=3. +- annocheck: When a binary is produced both by GAS and GCC, select GAS as the real producer. (#1906171) +- annocheck: Improve test for LTO compiled binaries that do not have -Wall annotations. (#1906171) + * Wed Dec 09 2020 Nick Clifton - 9.50-1 - annocheck: Mark a missining -D_FORTIFY_SOURCE as a FAIL.