Add Dhiru Kholia's patch to restore noexecstack
- add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they're used (#1045699, and so many others)
parent
13df2d5386
commit
480b9efaa3
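--- a/krb5-1.12-enable-NX.patch
+++ b/krb5-1.12-enable-NX.patch
@@ -0,0 +1,36 @@
+diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
+index 1c091c1..3a3d6fc 100644
+--- a/src/lib/crypto/builtin/aes/iaesx64.s
++++ b/src/lib/crypto/builtin/aes/iaesx64.s
+@@ -834,3 +834,13 @@ lp256encsingle_CBC:
+movdqu [r9],xmm1
+add rsp,16*16+8
+ret
++
++%ifidn __OUTPUT_FORMAT__,elf
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf32
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf64
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
+diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
+index b667acd..03a8670 100644
+--- a/src/lib/crypto/builtin/aes/iaesx86.s
++++ b/src/lib/crypto/builtin/aes/iaesx86.s
+@@ -871,3 +871,13 @@ lp256encsingle_CBC:
+movdqu [ecx],xmm1 ; store last iv for chaining
+
+ret
++
++%ifidn __OUTPUT_FORMAT__,elf
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf32
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf64
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif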
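Review bot: The three `%ifidn __OUTPUT_FORMAT__` blocks appended to iaesx64.s and iaesx86.s have no comment explaining why an empty `.note.GNU-stack` section is emitted, and they match only the literal formats `elf`, `elf32` and `elf64`. An object assembled with any other ELF output format (for example `elfx32`) would silently lack the note, and on x86 the linker would then presumably mark libk5crypto as needing an executable stack again. A comment above the first block in each file, such as `; ELF only: declare that this object does not need an executable stack`, would keep a later editor from dropping the lines. The directive also leaves the assembler in the note section, so it should stay the last thing in the file; the comment could say that too. Both functions named in the hunk headers begin outside the visible context.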
12
krb5.spec
12
krb5.spec
@ -41,7 +41,7 @@
|
|||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.12
|
Version: 1.12
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||||
# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12-signed.tar
|
# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12-signed.tar
|
||||||
Source0: krb5-%{version}.tar.gz
|
Source0: krb5-%{version}.tar.gz
|
||||||
@ -96,6 +96,7 @@ Patch137: krb5-master-gss_oid_leak.patch
|
|||||||
Patch138: krb5-master-keytab_close.patch
|
Patch138: krb5-master-keytab_close.patch
|
||||||
Patch139: krb5-1.12-copy_context.patch
|
Patch139: krb5-1.12-copy_context.patch
|
||||||
Patch140: krb5-master-spnego_error_messages.patch
|
Patch140: krb5-master-spnego_error_messages.patch
|
||||||
|
Patch141: krb5-1.12-enable-NX.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://web.mit.edu/kerberos/www/
|
URL: http://web.mit.edu/kerberos/www/
|
||||||
@ -148,10 +149,9 @@ BuildRequires: iproute
|
|||||||
%if 0%{?fedora} >= 9
|
%if 0%{?fedora} >= 9
|
||||||
BuildRequires: python-pyrad
|
BuildRequires: python-pyrad
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?fedora} >= 8
|
%if 0%{?fedora} >= 8
|
||||||
%ifarch %{ix86} x86_64
|
%ifarch %{ix86} x86_64
|
||||||
#BuildRequires: yasm
|
BuildRequires: yasm
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
@ -321,6 +321,7 @@ ln -s NOTICE LICENSE
|
|||||||
%patch138 -p1 -b .keytab_close
|
%patch138 -p1 -b .keytab_close
|
||||||
%patch139 -p1 -b .copy_context
|
%patch139 -p1 -b .copy_context
|
||||||
%patch140 -p1 -b .spnego_error_messages
|
%patch140 -p1 -b .spnego_error_messages
|
||||||
|
%patch141 -p1 -b .enable-NX
|
||||||
|
|
||||||
# Apply when the hard-wired or configured default location is
|
# Apply when the hard-wired or configured default location is
|
||||||
# DIR:/run/user/%%{uid}/krb5cc.
|
# DIR:/run/user/%%{uid}/krb5cc.
|
||||||
@ -975,6 +976,11 @@ exit 0
|
|||||||
%{_sbindir}/uuserver
|
%{_sbindir}/uuserver
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jan 2 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-8
|
||||||
|
- add patch from Dhiru Kholia for the AES-NI implementations to allow
|
||||||
|
libk5crypto to be properly marked as not needing an executable stack
|
||||||
|
on arches where they're used (#1045699, and so many others)
|
||||||
|
|
||||||
* Thu Jan 2 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-7
|
* Thu Jan 2 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-7
|
||||||
- revert that last change for a bit while sorting out execstack when we
|
- revert that last change for a bit while sorting out execstack when we
|
||||||
use AES-NI (#1045699)
|
use AES-NI (#1045699)
|
||||||
|
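Review bot: Nothing in the spec verifies that the built libk5crypto really ends up without an executable stack. The `BuildRequires: yasm` line in the `%ifarch %{ix86} x86_64` block appears to be what turns the AES-NI assembly back on (the commented-out form looks like the old side), so a later change to the assembly or to Patch141 could bring back the problem from #1045699 unnoticed. A check after install, for example `readelf -lW <path-to-built-libk5crypto> | grep GNU_STACK` failing the build when the flags include `E`, would turn that regression into a build error. A one-line comment above `Patch141:` saying the patch adds `.note.GNU-stack` to the AES-NI sources and must stay applied while yasm is required would document the coupling.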