diff --git a/krb5-1.9-buildconf.patch b/krb5-1.9.1-buildconf.patch similarity index 62% rename from krb5-1.9-buildconf.patch rename to krb5-1.9.1-buildconf.patch index 8641a24..85173cf 100644 --- a/krb5-1.9-buildconf.patch +++ b/krb5-1.9.1-buildconf.patch @@ -1,18 +1,27 @@ -Build binaries in this package as RELRO PIEs and install shared libraries with -the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS -where they might leak out and affect apps which just want to link with the -libraries. FIXME: needs to check and not just assume that the compiler supports -using these flags. +Build binaries in this package as RELRO PIEs, libraries as partial RELRO, +and install shared libraries with the execute bit set on them. Prune out +the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect +apps which just want to link with the libraries. FIXME: needs to check and +not just assume that the compiler supports using these flags. diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf --- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500 +++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400 +@@ -419,7 +419,7 @@ mips-*-netbsd*) + SHLIBEXT=.so + # Linux ld doesn't default to stuffing the SONAME field... + # Use objdump -x to examine the fields of the library +- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined' ++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro' + # + LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@' + SHLIB_EXPORT_FILE_DEP=binutils.versions 
@@ -430,7 +430,8 @@ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' PROFFLAGS=-pg PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' - CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' -+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)' ++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)' + INSTALL_SHLIB='${INSTALL} -m755' CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' @@ -20,7 +29,7 @@ diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in --- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 +++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 -@@ -187,8 +187,14 @@ if test -n "$do_libs"; then +@@ -187,8 +187,15 @@ if test -n "$do_libs"; then -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ @@ -30,8 +39,9 @@ diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in + if test `dirname $libdir` = /usr ; then + lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` + fi -+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"` -+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"` ++ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"` ++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"` ++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"` + if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" diff --git a/krb5.spec b/krb5.spec index 2929fba..4f5bda9 100644 --- a/krb5.spec +++ b/krb5.spec 
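Review bot: CXX_LINK_SHARED, two lines below the rewritten CC_LINK_SHARED, still carries none of the hardening flags, so anything linked through the C++ rule is produced without PIE or RELRO. If an installed program uses that rule, it should get the same `-pie -Wl,-z,relro -Wl,-z,now` ahead of `$(LDFLAGS)`, which assumes its objects are compiled with `-fPIE`. On the LDCOMBINE line the libraries receive only `-Wl,-z,relro`, which leaves the PLT part of the GOT writable. A one-line comment above it, e.g. `# partial RELRO only: no -z now, so lazy binding stays enabled for the libraries`, would record that this is deliberate. Both assignments sit in a case arm that starts and ends outside the hunk.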
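Review bot: The two new filters on `lib_flags` match `-Wl,-z,relro` and `-Wl,-z,now` as bare substrings, so a single combined option `-Wl,-z,relro,-z,now` in LDFLAGS (the spelling this patch itself used until now) is reduced to a stray `,-z,now` in the krb5-config output. Keeping the old expression ahead of the new one avoids that: `sed -e "s#-Wl,-z,relro,-z,now##g" -e "s#-Wl,-z,relro##g"`. The same unanchored matching means `s#-pie##g` and `s#-fPIE##g` also edit any path or option that merely contains those strings. Splitting `$lib_flags` into words and dropping exact matches would be more robust. The enclosing `if test -n "$do_libs"` block starts and ends outside the hunk.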
@@ -6,7 +6,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.9.1 -Release: 7%{?dist} +Release: 8%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar Source0: krb5-%{version}.tar.gz @@ -35,7 +35,7 @@ Source35: kdb_check_weak.c Patch5: krb5-1.8-ksu-access.patch Patch6: krb5-1.9-ksu-path.patch Patch12: krb5-1.7-ktany.patch -Patch16: krb5-1.9-buildconf.patch +Patch16: krb5-1.9.1-buildconf.patch Patch23: krb5-1.3.1-dns.patch Patch29: krb5-1.9-kprop-mktemp.patch Patch30: krb5-1.3.4-send-pr-tempfile.patch @@ -666,6 +666,11 @@ exit 0 %{_sbindir}/uuserver %changelog +* Fri Jul 22 2011 Nalin Dahyabhai 1.9.1-8 +- build shared libraries with partial RELRO support (#723995) +- filter out potentially multiple instances of -Wl,-z,relro from krb5-config + output, now that it's in the buildroot's default LDFLAGS + * Wed Jul 20 2011 Nalin Dahyabhai 1.9.1-7 - kadmind.init: drop the attempt to detect no-database-present errors (#723723)