hardened builds + configuration for linker from the spec file

- rename patch unzip-6.0-nostrip.patch to unzip-6.0-configure.patch so linking is now configurable from the spec file - define __global_ldflags on EL <= 7 - set LFLAGS2 with __global_ldflags for hardened build Resolves: #1330519
2016-07-14 14:11:04 +02:00 · 2016-07-14 14:11:04 +02:00 · 45bcfca8da
commit 45bcfca8da
parent 23857b3ef2
2 changed files with 21 additions and 6 deletions
--- a/unzip-6.0-configure.patch
+++ b/unzip-6.0-configure.patch
@ -6,7 +6,7 @@ diff -up unzip60/unix/configure.nostrip unzip60/unix/configure
 CFLAGS="${CFLAGS} -I. -DUNIX"
 LFLAGS1=""
 -LFLAGS2="-s"
-+LFLAGS2=""
+LFLAGS2="${LFLAGS2}"
 LN="ln -s"
 
 CFLAGS_OPT=''
--- a/unzip.spec
+++ b/unzip.spec
@ -1,7 +1,13 @@
+
+# Settings for EL <= 7
+%if 0%{?rhel} && 0%{?rhel} <= 7
+%{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro}
+%endif
+
 Summary: A utility for unpacking zip files
 Name: unzip
 Version: 6.0
-Release: 29%{?dist}
+Release: 30%{?dist}
 License: BSD
 Group: Applications/Archiving
 Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz
@ -15,8 +21,9 @@ Patch3: unzip-6.0-close.patch
 # Reported to upstream: http://www.info-zip.org/board/board.pl?m-1259575993/
 Patch4: unzip-6.0-attribs-overflow.patch
 # Not sent to upstream, as it's Fedora/RHEL specific.
-# Modify the configure script not to request the strip of binaries.
-Patch5: unzip-6.0-nostrip.patch
+# Modify the configure script to accept var LFLAGS2 so linking can be configurable
+# from the spec file. In addition '-s' is still removed as before
+Patch5: unzip-6.0-configure.patch
 Patch6: unzip-6.0-manpage-fix.patch
 # Update match.c with recmatch() from zip 3.0's util.c
 # This also resolves the license issue in that old function.
@ -63,7 +70,7 @@ a zip archive.
 %patch2 -p1 -b .exec-shield
 %patch3 -p1 -b .close
 %patch4 -p1 -b .attribs-overflow
-%patch5 -p1 -b .nostrip
+%patch5 -p1 -b .configure
 %patch6 -p1 -b .manpage-fix
 %patch7 -p1 -b .recmatch
 %patch8 -p1 -b .symlink
@ -85,7 +92,8 @@ a zip archive.
 # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X
 # NOMEMCPY solve problem with memory overlapping - decomression is slowly,
 # but successfull.
-make -f unix/Makefile CF_NOOPT="-I. -DUNIX $RPM_OPT_FLAGS -DNOMEMCPY -DIZ_HAVE_UXUIDGID -DNO_LCHMOD" generic_gcc %{?_smp_mflags}
+make -f unix/Makefile CF_NOOPT="-I. -DUNIX $RPM_OPT_FLAGS -DNOMEMCPY -DIZ_HAVE_UXUIDGID -DNO_LCHMOD" \
+                      LFLAGS2="%{?__global_ldflags}" generic_gcc %{?_smp_mflags}

 %install
 rm -rf $RPM_BUILD_ROOT
@ -98,6 +106,13 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{
 %{_mandir}/*/*

 %changelog
+* Thu Jul 14 2016 Petr Stodulka <pstodulk@redhat.com> - 6.0-30
+- rename patch unzip-6.0-nostrip.patch to unzip-6.0-configure.patch
+  so linking is now configurable from the spec file
+- define __global_ldflags on EL <= 7
+- set LFLAGS2 with __global_ldflags for hardened build
+  Resolves: #1330519
+
 * Fri Jul 01 2016 Petr Stodulka <pstodulk@redhat.com> - 6.0-29
 - added build parameter "-DNO_LCHMOD" because lchmod isn't provided on Linux
  system