hardened builds + configuration for linker from the spec file

- rename patch unzip-6.0-nostrip.patch to unzip-6.0-configure.patch
  so linking is now configurable from the spec file
- define __global_ldflags on EL <= 7
- set LFLAGS2 with __global_ldflags for hardened build
  Resolves: #1330519
This commit is contained in:
Petr Stodulka 2016-07-14 14:11:04 +02:00
parent 23857b3ef2
commit 45bcfca8da
2 changed files with 21 additions and 6 deletions

View File

@ -6,7 +6,7 @@ diff -up unzip60/unix/configure.nostrip unzip60/unix/configure
CFLAGS="${CFLAGS} -I. -DUNIX" CFLAGS="${CFLAGS} -I. -DUNIX"
LFLAGS1="" LFLAGS1=""
-LFLAGS2="-s" -LFLAGS2="-s"
+LFLAGS2="" +LFLAGS2="${LFLAGS2}"
LN="ln -s" LN="ln -s"
CFLAGS_OPT='' CFLAGS_OPT=''

View File

@ -1,7 +1,13 @@
# Settings for EL <= 7
%if 0%{?rhel} && 0%{?rhel} <= 7
%{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro}
%endif
Summary: A utility for unpacking zip files Summary: A utility for unpacking zip files
Name: unzip Name: unzip
Version: 6.0 Version: 6.0
Release: 29%{?dist} Release: 30%{?dist}
License: BSD License: BSD
Group: Applications/Archiving Group: Applications/Archiving
Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz
@ -15,8 +21,9 @@ Patch3: unzip-6.0-close.patch
# Reported to upstream: http://www.info-zip.org/board/board.pl?m-1259575993/ # Reported to upstream: http://www.info-zip.org/board/board.pl?m-1259575993/
Patch4: unzip-6.0-attribs-overflow.patch Patch4: unzip-6.0-attribs-overflow.patch
# Not sent to upstream, as it's Fedora/RHEL specific. # Not sent to upstream, as it's Fedora/RHEL specific.
# Modify the configure script not to request the strip of binaries. # Modify the configure script to accept var LFLAGS2 so linking can be configurable
Patch5: unzip-6.0-nostrip.patch # from the spec file. In addition '-s' is still removed as before
Patch5: unzip-6.0-configure.patch
Patch6: unzip-6.0-manpage-fix.patch Patch6: unzip-6.0-manpage-fix.patch
# Update match.c with recmatch() from zip 3.0's util.c # Update match.c with recmatch() from zip 3.0's util.c
# This also resolves the license issue in that old function. # This also resolves the license issue in that old function.
@ -63,7 +70,7 @@ a zip archive.
%patch2 -p1 -b .exec-shield %patch2 -p1 -b .exec-shield
%patch3 -p1 -b .close %patch3 -p1 -b .close
%patch4 -p1 -b .attribs-overflow %patch4 -p1 -b .attribs-overflow
%patch5 -p1 -b .nostrip %patch5 -p1 -b .configure
%patch6 -p1 -b .manpage-fix %patch6 -p1 -b .manpage-fix
%patch7 -p1 -b .recmatch %patch7 -p1 -b .recmatch
%patch8 -p1 -b .symlink %patch8 -p1 -b .symlink
@ -85,7 +92,8 @@ a zip archive.
# IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X
# NOMEMCPY solve problem with memory overlapping - decomression is slowly, # NOMEMCPY solve problem with memory overlapping - decomression is slowly,
# but successfull. # but successfull.
make -f unix/Makefile CF_NOOPT="-I. -DUNIX $RPM_OPT_FLAGS -DNOMEMCPY -DIZ_HAVE_UXUIDGID -DNO_LCHMOD" generic_gcc %{?_smp_mflags} make -f unix/Makefile CF_NOOPT="-I. -DUNIX $RPM_OPT_FLAGS -DNOMEMCPY -DIZ_HAVE_UXUIDGID -DNO_LCHMOD" \
LFLAGS2="%{?__global_ldflags}" generic_gcc %{?_smp_mflags}
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -98,6 +106,13 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Thu Jul 14 2016 Petr Stodulka <pstodulk@redhat.com> - 6.0-30
- rename patch unzip-6.0-nostrip.patch to unzip-6.0-configure.patch
so linking is now configurable from the spec file
- define __global_ldflags on EL <= 7
- set LFLAGS2 with __global_ldflags for hardened build
Resolves: #1330519
* Fri Jul 01 2016 Petr Stodulka <pstodulk@redhat.com> - 6.0-29 * Fri Jul 01 2016 Petr Stodulka <pstodulk@redhat.com> - 6.0-29
- added build parameter "-DNO_LCHMOD" because lchmod isn't provided on Linux - added build parameter "-DNO_LCHMOD" because lchmod isn't provided on Linux
system system