From 1ead6ac8f8e19bf48cdb0e5d5275b7586d3f752a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=20Ondruch?=
Date: Mon, 3 Sep 2018 14:10:56 +0200
Subject: [PATCH] Properly harden package using -fstack-protector-strong. Resolves: rhbz#1624168
---
....0-configure-fstack-protector-strong.patch | 43 +++++++++++++++++++
ruby.spec | 11 ++++-
2 files changed, 53 insertions(+), 1 deletion(-)
create mode 100644 ruby-2.6.0-configure-fstack-protector-strong.patch
diff --git a/ruby-2.6.0-configure-fstack-protector-strong.patch b/ruby-2.6.0-configure-fstack-protector-strong.patch
new file mode 100644
index 0000000..e44d9bb
--- /dev/null
+++ b/ruby-2.6.0-configure-fstack-protector-strong.patch
@@ -0,0 +1,43 @@
+From c8ccdbfe1e45cb3b832109d644296c0a3b3e0b59 Mon Sep 17 00:00:00 2001
+From: nobu
+Date: Sun, 2 Sep 2018 03:49:31 +0000
+Subject: [PATCH] configure.ac: -fstack-protector-strong
+
+* configure.ac: use -fstack-protector-strong if available instead of
+ -fstack-protector conditionally. [ruby-core:88788] [Misc #15053]
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64614 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+---
+ configure.ac | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9328fa532de0..b8ee57239215 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -837,15 +837,18 @@ AS_IF([test "$GCC" = yes], [
+ stack_protector=no
+ ])
+ AS_IF([test -z "${stack_protector+set}"], [
+- RUBY_TRY_CFLAGS(-fstack-protector, [stack_protector=yes], [stack_protector=no])
+- AS_IF([test "x$stack_protector" = xyes], [
+- RUBY_TRY_LDFLAGS(-fstack-protector, [], [stack_protector=broken])
++ AS_FOR(option, opt, [-fstack-protector-strong -fstack-protector], [
++ RUBY_TRY_CFLAGS(option, [stack_protector=yes])
++ AS_IF([test "x$stack_protector" = xyes], [
++ RUBY_TRY_LDFLAGS(option, [], [stack_protector=])
++ ])
++ AS_IF([test "x$stack_protector" = xyes], [stack_protector=option; break])
+ ])
+ ])
+- AS_IF([test "x$stack_protector" = xyes], [
+- RUBY_APPEND_OPTION(XCFLAGS, -fstack-protector)
+- RUBY_APPEND_OPTION(XLDFLAGS, -fstack-protector)
+- RUBY_APPEND_OPTION(LDFLAGS, -fstack-protector)
++ AS_CASE(["$stack_protector"], [-*], [
++ RUBY_APPEND_OPTION(XCFLAGS, $stack_protector)
++ RUBY_APPEND_OPTION(XLDFLAGS, $stack_protector)
++ RUBY_APPEND_OPTION(LDFLAGS, $stack_protector)
+ ])
+
+ AS_CASE("${compress_debug_sections:-zlib}",
diff --git a/ruby.spec b/ruby.spec
index 965e507..bb61935 100644
--- a/ruby.spec
+++ b/ruby.spec
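Review bot: The probe loop added to configure.ac (carried in ruby-2.6.0-configure-fstack-protector-strong.patch) degrades silently: when `-fstack-protector-strong` fails the compile or link test it falls back to `-fstack-protector`, and when both fail `stack_protector` is left empty, the `AS_CASE` on `[-*]` appends nothing, and nothing in the hunk reports it. The old `stack_protector=broken` marker for a link failure is gone as well, so a build could end up without the hardening this update is meant to provide, unless the `RUBY_TRY_*` macros themselves log the result. After the `AS_FOR` loop I would add `AS_IF([test "x$stack_protector" = x], [AC_MSG_WARN([no working stack protector option found])])`. A value of `yes` set before this block also skips the probe and no longer matches `[-*]`, where the removed `= xyes` test used to append `-fstack-protector`; whether anything presets it that way is not visible here. The enclosing `AS_IF([test "$GCC" = yes], ...)` block starts and ends outside the hunk.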
@@ -21,7 +21,7 @@ %endif -%global release 99 +%global release 100 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -147,6 +147,9 @@ Patch15: ruby-2.6.0-library-options-to-MAINLIBS.patch Patch16: ruby-2.5.1-Avoid-need-of-C++-compiler-to-pass-the-test-suite.patch # https://github.com/ruby/rdoc/commit/d05e6269d4a4dfd701f5ddb3ae34306cba891511 Patch20: ruby-2.6.0-rdoc-6.0.1-fix-template-typo.patch +# Properly harden package using -fstack-protector-strong. +# https://bugs.ruby-lang.org/issues/15053 +Patch24: ruby-2.6.0-configure-fstack-protector-strong.patch # Fix some OpenSSL 1.1.1 test failures. # https://github.com/ruby/openssl/pull/202 @@ -557,6 +560,7 @@ rm -rf ext/fiddle/libffi* %patch21 -p1 %patch22 -p1 %patch23 -p1 +%patch24 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1107,6 +1111,11 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \ %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec %changelog +* Mon Sep 03 2018 Vít Ondruch - 2.5.1-100 +- Properly harden package using -fstack-protector-strong. + * ruby-2.6.0-configure-fstack-protector-strong.patch + Resolves: rhbz#1624168 + * Wed Aug 29 2018 Vít Ondruch - 2.5.1-99 - Additional OpenSSL 1.1.1 fixes. * ruby-2.6.0-fix-test-failure-with-TLS-1.3-maint.patch