From 05c4140d32a4ab98a1551bcbee7c59c0df868575 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mon, 6 Jan 2014 15:58:20 -0500
Subject: [PATCH] Switch to as-committed version
- grab a more-commented version of the most recent patch from upstream master
---
 krb5-1.12-enable-NX.patch | 29 +++++++++++++++++++++++++----
 krb5.spec | 4 ++++
 2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/krb5-1.12-enable-NX.patch b/krb5-1.12-enable-NX.patch
index bd6f2f7..2b8a508 100644
--- a/krb5-1.12-enable-NX.patch
+++ b/krb5-1.12-enable-NX.patch
@@ -1,12 +1,32 @@
+commit c64e39c69a9a7ee32c00b0cf7918f6274a565544
+Author: Greg Hudson
+Date: Fri Jan 3 13:50:48 2014 -0500
+
+ Mark AESNI files as not needing executable stacks
+
+ Some Linux systems now come with facilities to mark the stack as
+ non-executable, making it more difficult to exploit buffer overrun
+ bugs. For this to work, object files built from assembly need a
+ section added to note whether they require an executable stack.
+
+ Patch from Dhiru Kholia with comments added. More information at:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1045699
+ https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
+
+ ticket: 7813
+ target_version: 1.12.1
+ tags: pullup
+
 diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
-index 1c091c1..3a3d6fc 100644
+index 1c091c1..d03c859 100644
 --- a/src/lib/crypto/builtin/aes/iaesx64.s
 +++ b/src/lib/crypto/builtin/aes/iaesx64.s
-@@ -834,3 +834,13 @@ lp256encsingle_CBC:
+@@ -834,3 +834,14 @@ lp256encsingle_CBC:
 movdqu [r9],xmm1
 add rsp,16*16+8
 ret
 +
++; Mark this file as not needing an executable stack.
 +%ifidn __OUTPUT_FORMAT__,elf
 +section .note.GNU-stack noalloc noexec nowrite progbits
 +%endif
@@ -17,14 +37,15 @@ index 1c091c1..3a3d6fc 100644
 +section .note.GNU-stack noalloc noexec nowrite progbits
 +%endif
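Review bot: The `%ifidn __OUTPUT_FORMAT__,elf` guard appended to iaesx64.s (and identically in the iaesx86.s hunk that follows) fails open: if the assembler runs with an ELF output format whose name is not one of those listed, no `.note.GNU-stack` section is emitted and nothing reports it. A linker that treats a missing note as "executable stack required" would then mark the whole library's stack executable. Only the first and last guard blocks are visible in these hunks, so which format names are covered cannot be confirmed from here. Because the inner hunks are upstream's as-committed text, I would leave them unedited and add a build-time check on the packaging side instead, for example in the spec's `%check`: `readelf -lW <built libk5crypto> | grep GNU_STACK` must show `RW` and not `RWE`. The new comment could also say that these blocks must stay last in the file, since `section` switches the current section for anything assembled after it.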
diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s -index b667acd..03a8670 100644 +index b667acd..1aa12e6 100644 --- a/src/lib/crypto/builtin/aes/iaesx86.s +++ b/src/lib/crypto/builtin/aes/iaesx86.s -@@ -871,3 +871,13 @@ lp256encsingle_CBC: +@@ -871,3 +871,14 @@ lp256encsingle_CBC: movdqu [ecx],xmm1 ; store last iv for chaining ret + ++; Mark this file as not needing an executable stack. +%ifidn __OUTPUT_FORMAT__,elf +section .note.GNU-stack noalloc noexec nowrite progbits +%endif diff --git a/krb5.spec b/krb5.spec index 36ed60a..ae0924a 100644 --- a/krb5.spec +++ b/krb5.spec @@ -976,6 +976,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Mon Jan 6 2014 Nalin Dahyabhai +- grab a more-commented version of the most recent patch from upstream + master + * Thu Jan 2 2014 Nalin Dahyabhai - 1.12-8 - add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack