Properly harden package using -fstack-protector-strong.

Resolves: rhbz#1624168
This commit is contained in:
Vít Ondruch 2018-09-03 14:10:56 +02:00
parent cd4ba485c1
commit 1ead6ac8f8
2 changed files with 53 additions and 1 deletions

View File

@ -0,0 +1,43 @@
From c8ccdbfe1e45cb3b832109d644296c0a3b3e0b59 Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sun, 2 Sep 2018 03:49:31 +0000
Subject: [PATCH] configure.ac: -fstack-protector-strong
* configure.ac: use -fstack-protector-strong if available instead of
-fstack-protector conditionally. [ruby-core:88788] [Misc #15053]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64614 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
configure.ac | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/configure.ac b/configure.ac
index 9328fa532de0..b8ee57239215 100644
--- a/configure.ac
+++ b/configure.ac
@@ -837,15 +837,18 @@ AS_IF([test "$GCC" = yes], [
stack_protector=no
])
AS_IF([test -z "${stack_protector+set}"], [
- RUBY_TRY_CFLAGS(-fstack-protector, [stack_protector=yes], [stack_protector=no])
- AS_IF([test "x$stack_protector" = xyes], [
- RUBY_TRY_LDFLAGS(-fstack-protector, [], [stack_protector=broken])
+ AS_FOR(option, opt, [-fstack-protector-strong -fstack-protector], [
+ RUBY_TRY_CFLAGS(option, [stack_protector=yes])
+ AS_IF([test "x$stack_protector" = xyes], [
+ RUBY_TRY_LDFLAGS(option, [], [stack_protector=])
+ ])
+ AS_IF([test "x$stack_protector" = xyes], [stack_protector=option; break])
])
])
- AS_IF([test "x$stack_protector" = xyes], [
- RUBY_APPEND_OPTION(XCFLAGS, -fstack-protector)
- RUBY_APPEND_OPTION(XLDFLAGS, -fstack-protector)
- RUBY_APPEND_OPTION(LDFLAGS, -fstack-protector)
+ AS_CASE(["$stack_protector"], [-*], [
+ RUBY_APPEND_OPTION(XCFLAGS, $stack_protector)
+ RUBY_APPEND_OPTION(XLDFLAGS, $stack_protector)
+ RUBY_APPEND_OPTION(LDFLAGS, $stack_protector)
])
AS_CASE("${compress_debug_sections:-zlib}",

View File

@ -21,7 +21,7 @@
%endif %endif
%global release 99 %global release 100
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
# The RubyGems library has to stay out of Ruby directory three, since the # The RubyGems library has to stay out of Ruby directory three, since the
@ -147,6 +147,9 @@ Patch15: ruby-2.6.0-library-options-to-MAINLIBS.patch
Patch16: ruby-2.5.1-Avoid-need-of-C++-compiler-to-pass-the-test-suite.patch Patch16: ruby-2.5.1-Avoid-need-of-C++-compiler-to-pass-the-test-suite.patch
# https://github.com/ruby/rdoc/commit/d05e6269d4a4dfd701f5ddb3ae34306cba891511 # https://github.com/ruby/rdoc/commit/d05e6269d4a4dfd701f5ddb3ae34306cba891511
Patch20: ruby-2.6.0-rdoc-6.0.1-fix-template-typo.patch Patch20: ruby-2.6.0-rdoc-6.0.1-fix-template-typo.patch
# Properly harden package using -fstack-protector-strong.
# https://bugs.ruby-lang.org/issues/15053
Patch24: ruby-2.6.0-configure-fstack-protector-strong.patch
# Fix some OpenSSL 1.1.1 test failures. # Fix some OpenSSL 1.1.1 test failures.
# https://github.com/ruby/openssl/pull/202 # https://github.com/ruby/openssl/pull/202
@ -557,6 +560,7 @@ rm -rf ext/fiddle/libffi*
%patch21 -p1 %patch21 -p1
%patch22 -p1 %patch22 -p1
%patch23 -p1 %patch23 -p1
%patch24 -p1
# Provide an example of usage of the tapset: # Provide an example of usage of the tapset:
cp -a %{SOURCE3} . cp -a %{SOURCE3} .
@ -1107,6 +1111,11 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
%{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec
%changelog %changelog
* Mon Sep 03 2018 Vít Ondruch <vondruch@redhat.com> - 2.5.1-100
- Properly harden package using -fstack-protector-strong.
* ruby-2.6.0-configure-fstack-protector-strong.patch
Resolves: rhbz#1624168
* Wed Aug 29 2018 Vít Ondruch <vondruch@redhat.com> - 2.5.1-99 * Wed Aug 29 2018 Vít Ondruch <vondruch@redhat.com> - 2.5.1-99
- Additional OpenSSL 1.1.1 fixes. - Additional OpenSSL 1.1.1 fixes.
* ruby-2.6.0-fix-test-failure-with-TLS-1.3-maint.patch * ruby-2.6.0-fix-test-failure-with-TLS-1.3-maint.patch