From a7376e1a41e36955e468f1f595c364d0dd935b90 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 3 Sep 2010 13:08:45 -0400 Subject: [PATCH] - also link binaries with -Wl,-z,relro,-z,now (part of #629950) --- krb5-1.7-buildconf.patch | 9 +++++---- krb5.spec | 5 ++++- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/krb5-1.7-buildconf.patch b/krb5-1.7-buildconf.patch index 874df87..754962e 100644 --- a/krb5-1.7-buildconf.patch +++ b/krb5-1.7-buildconf.patch @@ -1,5 +1,5 @@ -Build binaries in this package as PIEs and install shared libraries with the -execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS +Build binaries in this package as RELRO PIEs and install shared libraries with +the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. @@ -11,7 +11,7 @@ diff -up krb5-1.7/src/config/shlib.conf krb5-1.7/src/config/shlib.conf RPATH_FLAG='-Wl,-rpath -Wl,' PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' -+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie $(LDFLAGS)' ++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)' + INSTALL_SHLIB='${INSTALL} -m755' CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' 
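Review bot: In the shlib.conf hunk only `CC_LINK_SHARED` gains `-Wl,-z,relro,-z,now`; the `CXX_LINK_SHARED` context line two lines below still ends in `$(CXXFLAGS) $(LDFLAGS)'`, so anything linked through the C++ command would presumably be left without full RELRO and immediate binding. If that is intentional, a comment beside the override saying so would help; otherwise the C++ line could carry the same flags, `CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) -Wl,-z,relro,-z,now $(LDFLAGS)'`. Because the flags sit before `$(LDFLAGS)`, a later `-z` option supplied there may take precedence, so it is worth confirming on the built binaries that `readelf -l` shows a `GNU_RELRO` segment and `readelf -d` shows `BIND_NOW`. The surrounding block of shlib.conf starts and ends outside the hunk.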
@@ -19,7 +19,7 @@ diff -up krb5-1.7/src/config/shlib.conf krb5-1.7/src/config/shlib.conf diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in --- krb5-1.7/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 +++ krb5-1.7/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 -@@ -187,8 +187,13 @@ if test -n "$do_libs"; then +@@ -187,8 +187,14 @@ if test -n "$do_libs"; then -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ @@ -30,6 +30,7 @@ diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in + lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` + fi + lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"` ++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"` + if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" diff --git a/krb5.spec b/krb5.spec index 4dd8e6a..9af0a74 100644 --- a/krb5.spec +++ b/krb5.spec @@ -5,7 +5,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.8.3 -Release: 2%{?dist} +Release: 3%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.3-signed.tar Source0: krb5-%{version}.tar.gz @@ -637,6 +637,9 @@ exit 0 %{_sbindir}/uuserver %changelog +* Fri Sep 3 2010 Nalin Dahyabhai 1.8.3-3 +- also link binaries with -Wl,-z,relro,-z,now (part of #629950) + * Tue Aug 24 2010 Nalin Dahyabhai 1.8.3-2 - fix a logic bug in computing key expiration times (RT#6762, #627022)
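Review bot: The added `sed -e "s#-Wl,-z,relro,-z,now##"` line in the krb5-config.in hunk removes only that exact spelling, and only its first occurrence, so it depends on the string in shlib.conf's `CC_LINK_SHARED` staying byte-for-byte the same. If the flags are later split or reordered there, they would presumably start appearing in `krb5-config --libs` output without any error. A comment above the line such as `# must match the RELRO flags added to CC_LINK_SHARED in src/config/shlib.conf` would record that coupling. As a matter of style the expression could also join the preceding call, `sed -e "s#-fPIE##" -e "s#-pie##" -e "s#-Wl,-z,relro,-z,now##"`, saving one pipeline. The enclosing `if test -n "$do_libs"` block begins and ends outside the hunk.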