diff --git a/0001-bin2s-Mark-stack-as-non-executable.patch b/0001-bin2s-Mark-stack-as-non-executable.patch
new file mode 100644
index 0000000..66bd948
--- /dev/null
+++ b/0001-bin2s-Mark-stack-as-non-executable.patch
@@ -0,0 +1,47 @@
+From c9f7a7998021e1cbe22a8ec325d43e2bdc3eff5a Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Thu, 1 May 2014 09:42:11 +0100
+Subject: [PATCH] bin2s: Mark stack as non-executable.
+
+Every object file linked to supermin has to be marked as having a
+non-executable stack. The object generated by bin2s was not being
+marked this way, thus the final supermin binary ended up as having an
+executable stack (wrongly).
+
+Before this change:
+
+$ execstack -q src/supermin
+X src/supermin
+
+After applying this patch and rebuilding:
+
+$ execstack -q src/supermin
+- src/supermin
+
+See also:
+
+http://gcc.gnu.org/ml/gcc-patches/2007-07/msg01155.html
+https://wiki.gentoo.org/wiki/Project:Hardened/GNU_stack_quickstart
+http://caml.inria.fr/mantis/print_bug_page.php?bug_id=4564
+---
+ src/bin2s.pl | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/bin2s.pl b/src/bin2s.pl
+index 2c78b5e..1b1c253 100755
+--- a/src/bin2s.pl
++++ b/src/bin2s.pl
+@@ -18,6 +18,10 @@ open my $ofh, '>', $outfile or die "open $outfile: $!";
+ print $ofh <<"EOF";
+ /* This file has been automatically generated from $infile by $0 */
+
++/* Mark stack as non-executable for GNU tools. */
++\t.section .note.GNU-stack,"",%progbits
++\t.previous
++
+ \t.globl\t_binary_${infile}_start
+ \t.globl\t_binary_${infile}_end
+ \t.globl\t_binary_${infile}_size
+--
+1.9.0
+
diff --git a/supermin.spec b/supermin.spec
index ab6583c..90acdbd 100644
--- a/supermin.spec
+++ b/supermin.spec
@@ -1,7 +1,7 @@ Summary: Tool for creating supermin appliances Name: supermin Version: 5.1.7 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ %if 0%{?rhel} >= 7
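Review bot: The comment added to the heredoc in src/bin2s.pl (`/* Mark stack as non-executable for GNU tools. */`) does not record why the section type is spelled `%progbits`, so a later cleanup to the more familiar at-sign spelling could quietly break the hardening. The heredoc is opened with `<<"EOF"`, which interpolates, so Perl would try to expand an at-sign name as an array, and the GNU assembler treats the at-sign as a comment character on ARM. I would extend the comment to `/* Mark stack as non-executable for GNU tools. Keep %progbits: the at-sign form is a comment on ARM and would be interpolated by this heredoc. */`. The heredoc begins and ends outside the hunk, so the rest of the generated assembly is not visible here.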
@@ -12,6 +12,7 @@ URL: http://people.redhat.com/~rjones/supermin/ Source0: http://libguestfs.org/download/supermin/%{name}-%{version}.tar.gz Patch1: 0001-Add-quoting-around-parameter-when-calling-external-m.patch +Patch2: 0001-bin2s-Mark-stack-as-non-executable.patch BuildRequires: /usr/bin/pod2man BuildRequires: rpm @@ -20,9 +21,6 @@ BuildRequires: /usr/sbin/mke2fs BuildRequires: e2fsprogs-devel BuildRequires: glibc-static, zlib-static BuildRequires: ocaml, ocaml-findlib-devel -%ifnarch aarch64 -BuildRequires: /usr/bin/execstack -%endif # These are required only to run the tests. We could patch out the # tests to not require these packages. @@ -55,6 +53,7 @@ second when you need to boot one of them. %setup -q %patch1 -p1 +%patch2 -p1 %build @@ -65,15 +64,6 @@ make %install make DESTDIR=$RPM_BUILD_ROOT install -# supermin is marked as requiring an executable stack. This happens -# because we use objcopy to create one of the component object files -# from a data file. The program does not in fact require an -# executable stack. The easiest way to fix this is to clear the flag -# here. -%ifnarch aarch64 -execstack -c $RPM_BUILD_ROOT%{_bindir}/supermin -%endif - %check make check || { @@ -89,6 +79,9 @@ make check || { %changelog +* Thu May 1 2014 Richard W.M. Jones - 5.1.7-3 +- Add upstream patch which removes need to run execstack (RHBZ#1093261). + * Mon Apr 7 2014 Richard W.M. Jones - 5.1.7-2 - Add patch to fix quoting around mke2fs parameter (RHBZ#1084960).
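Review bot: With the `execstack -c` step and its BuildRequires removed, nothing in the spec verifies that the installed binary actually ends up without an executable stack; the result now depends on every linked object carrying a `.note.GNU-stack` section. The OCaml bug tracker link in the patch description hints that objects other than the bin2s output can miss the marking, so a regression would ship silently. I would add a check to `%check`, for example `if readelf -lW $RPM_BUILD_ROOT%{_bindir}/supermin | grep -q 'GNU_STACK.*RWE'; then exit 1; fi`, which unlike the removed step would also run on aarch64. readelf is presumably already in the build root via binutils, but that should be confirmed. The `%check` body continues outside the hunk, so the placement relative to `make check` needs to be decided there.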