diff --git a/.gitignore b/.gitignore
index 2f51990..9a46aab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@
 /zstd-1.4.7.tar.gz
 /zstd-1.4.9.tar.gz
 /zstd-1.5.0.tar.gz
+/zstd-1.5.1.tar.gz
diff --git a/enable-CET.patch b/enable-CET.patch
new file mode 100644
index 0000000..335e95d
--- /dev/null
+++ b/enable-CET.patch
@@ -0,0 +1,38 @@
+From cd7620a730413a48843e175d34dc408c152f8125 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Tue, 11 Jan 2022 07:28:25 -0800
+Subject: [PATCH] x86-64: Enable Intel CET
+
+Intel Control-flow Enforcement Technology (CET):
+
+https://en.wikipedia.org/wiki/Control-flow_integrity#Intel_Control-flow_Enforcement_Technology
+
+requires that on Linux, all linker input files are marked as CET enabled
+in .note.gnu.property section. For high-level language source codes,
+.note.gnu.property section is added by compiler with the -fcf-protection
+option. For assembly sources, include to add .note.gnu.property
+section.
+---
+ lib/common/portability_macros.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/common/portability_macros.h b/lib/common/portability_macros.h
+index 627ef9eed4..6ac4b05510 100644
+--- a/lib/common/portability_macros.h
++++ b/lib/common/portability_macros.h
+@@ -128,4 +128,15 @@
+ # define ZSTD_ENABLE_ASM_X86_64_BMI2 0
+ #endif
+
++/*
++ * For x86 ELF targets, add .note.gnu.property section for Intel CET in
++ * assembly sources when CET is enabled.
++ */
++#if defined(__ELF__) && (defined(__x86_64__) || defined(__i386__)) \
++ && defined(__has_include)
++# if __has_include()
++# include
++# endif
++#endif
++
+ #endif /* ZSTD_PORTABILITY_MACROS_H */
diff --git a/pzstd.1.patch b/pzstd.1.patch
index f86e8d8..d4e3a1f 100644
--- a/pzstd.1.patch
+++ b/pzstd.1.patch
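Review bot: Including the CET header from `lib/common/portability_macros.h` only marks each assembly object as CET-compatible in `.note.gnu.property`; nothing in this 11-line patch adds an end-branch marker to the assembly entry points themselves. If any of those functions can be reached through an indirect call, the object would claim indirect-branch tracking compatibility without honouring it, so this should be confirmed against the assembly sources, which are outside the patch. The guard also degrades silently: when `__has_include` is unavailable or the header is missing, the block is skipped and the linker would be expected to drop the CET property for the whole library without any diagnostic. The header name inside `__has_include()` and after `# include` appears to have been lost in this rendering (presumably `<cet.h>`), so check the committed file rather than this page.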
@@ -1,9 +1,9 @@
-diff -Naur zstd-1.4.7.orig/programs/zstd.1 zstd-1.4.7/programs/zstd.1
---- zstd-1.4.7.orig/programs/zstd.1 2020-12-16 23:00:18.000000000 +0000
-+++ zstd-1.4.7/programs/zstd.1 2020-12-17 15:15:22.586152398 +0000
-@@ -208,6 +208,14 @@
- .
- .IP "\(bu" 4
+diff -Naur zstd-1.5.1.orig/programs/zstd.1 zstd-1.5.1/programs/zstd.1
+--- zstd-1.5.1.orig/programs/zstd.1 2021-12-20 22:49:18.000000000 +0000
++++ zstd-1.5.1/programs/zstd.1 2021-12-22 16:49:17.160850340 +0000
+@@ -146,6 +146,14 @@
+ \fB\-\-show\-default\-cparams\fR: Shows the default compression parameters that will be used for a particular src file\. If the provided src file is not a regular file (eg\. named pipe), the cli will just output the default parameters\. That is, the parameters that are used when the src size is unknown\.
+ .IP "\[ci]" 4
 \fB\-\-\fR: All arguments after \fB\-\-\fR are treated as files
 +
 +.SH Parallel Zstd OPTIONS
@@ -13,6 +13,6 @@ diff -Naur zstd-1.4.7.orig/programs/zstd.1 zstd-1.4.7/programs/zstd.1
 + number of threads to use for (de)compression (default:4)
 +
 +
- .
 .IP "" 0
- .
+ .SS "Restricted usage of Environment Variables"
+ Using environment variables to set parameters has security implications\. Therefore, this avenue is intentionally restricted\. Only \fBZSTD_CLEVEL\fR and \fBZSTD_NBTHREADS\fR are currently supported\. They set the compression level and number of threads to use during compression, respectively\.
diff --git a/sources b/sources
index c2fe8e6..8d53d3a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (zstd-1.5.0.tar.gz) = b322fc1b89a556827b7fece2fb0f34c83bf65bb85b2468c791d6d9178a65c81e21f4171b7533cbf12bc1dfb2fd323d3e8c34d86167b157645c27f65186eec659
+SHA512 (zstd-1.5.1.tar.gz) = 00c7f5f6f6a2b51557f3ede56026d54d8e023c85f9824496f4522524ce8ced495e88d56452e3510df6ec1bf53e659b2633cdcc84d016bcdbfdcc76e142d3620f
diff --git a/zstd.spec b/zstd.spec
index f43ecfc..07badb5 100644
--- a/zstd.spec
+++ b/zstd.spec
@@ -1,3 +1,12 @@ +# enable .lz4 support by default +%bcond_without lz4 + +# enable .xz/.lzma support by default +%bcond_without lzma + +# enable .gz support by default +%bcond_without zlib + %if 0%{?rhel} && 0%{?rhel} <= 6 # gcc-4.4 is currently too old to compile pzstd %bcond_with pzstd @@ -11,12 +20,21 @@ %endif %endif +%ifarch x86_64 +%bcond_without asm +%else +# Disable asm to ensure non excutable stack +# used on archs where asm not actually used +# https://github.com/facebook/zstd/issues/2963 +%bcond_with asm +%endif + # Disable gtest %bcond_with gtest Name: zstd -Version: 1.5.0 -Release: 2%{?dist} +Version: 1.5.1 +Release: 1%{?dist} Summary: Zstd compression library License: BSD and GPLv2 @@ -24,15 +42,26 @@ URL: https://github.com/facebook/zstd Source0: https://github.com/facebook/zstd/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch1: pzstd.1.patch +Patch2: enable-CET.patch -BuildRequires: make +BuildRequires: make BuildRequires: gcc %if %{with gtest} -BuildRequires: gtest-devel +BuildRequires: gtest-devel +%endif +%if %{with lz4} +BuildRequires: lz4-devel +%endif +%if %{with lzma} +BuildRequires: xz-devel %endif %if %{with pzstd} BuildRequires: gcc-c++ %endif +%if %{with zlib} +BuildRequires: zlib-devel +%endif +BuildRequires: execstack %description Zstd, short for Zstandard, is a fast lossless compression algorithm, 
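Review bot: The three new `%bcond_without` switches (lz4, lzma, zlib) only gate `BuildRequires` lines later in this diff; the `%make_build` invocations pass nothing but `ZSTD_NO_ASM`. If the programs Makefile auto-detects these libraries, which appears to be the case upstream, a `--without lz4` build in a buildroot that already has lz4-devel would still compile the format in, so the switch would not reliably reduce the set of parsers linked into the tool. Passing the choice explicitly on the programs line, for example `%{!?with_lz4:HAVE_LZ4=0} %{!?with_lzma:HAVE_LZMA=0} %{!?with_zlib:HAVE_ZLIB=0}`, would make each bcond authoritative.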
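Review bot: The comment under `%else` in the new `%ifarch x86_64` block is hard to parse and contains a typo (`excutable`), yet it is the only explanation of why assembly is switched off on other architectures. I would reword it along the lines of `# Build without the amd64 assembly elsewhere: the unused .S object would otherwise mark the library as needing an executable stack` followed by the existing issue link. That mechanism is my reading of the changelog entry and the linked upstream issue, so please confirm it before adopting the wording.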
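Review bot: `Patch2: enable-CET.patch` is added without a provenance comment, so a later rebase has no hint in the spec about where the patch came from or when it can be dropped. The patch header carries the upstream commit id, so a line such as `# Upstream commit cd7620a730413a48843e175d34dc408c152f8125 (x86-64: Enable Intel CET)` above `Patch2:` would be enough. `BuildRequires: execstack` is unconditional, which is consistent only as long as the `%check` call that uses it stays unconditional too.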
@@ -64,18 +93,23 @@ find -name .gitignore -delete %if %{with pzstd} %patch1 -p1 %endif +%patch2 -p1 %build export CFLAGS="$RPM_OPT_FLAGS" export LDFLAGS="$RPM_LD_FLAGS" -%make_build -C lib lib-mt -%make_build -C programs +export PREFIX="%{_prefix}" +export LIBDIR="%{_libdir}" +%make_build -C lib lib-mt %{!?with_asm:ZSTD_NO_ASM=1} +%make_build -C programs %{!?with_asm:ZSTD_NO_ASM=1} %if %{with pzstd} export CXXFLAGS="$RPM_OPT_FLAGS" -%make_build -C contrib/pzstd +%make_build -C contrib/pzstd %{!?with_asm:ZSTD_NO_ASM=1} %endif %check +execstack lib/libzstd.so.1 + export CFLAGS="$RPM_OPT_FLAGS" export LDFLAGS="$RPM_LD_FLAGS" make -C tests test-zstd @@ -129,12 +163,20 @@ install -D -m644 programs/%{name}.1 %{buildroot}%{_mandir}/man1/p%{name}.1 %ldconfig_scriptlets -n lib%{name} %changelog +* Wed Jan 12 2022 Michel Alexandre Salim - 1.5.1-1 +- Rebase to the latest upstream version +- Enable optional gz, xz/lzma, and lz4 support in the zstd tool +- Disable amd64 assembly on non-x86_64 architectures (rhbz#2035802) + this should avoid the issue where an executable stack is created +- Re-enable CET protections (rhbz#2039353) + Resolves: rhbz#2039488 + * Tue Aug 10 2021 Mohan Boddu - 1.5.0-2 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 * Mon Jul 12 2021 Jakub Martisko - 1.5.0-1 -* Rebase to the latest usptream version +* Rebase to the latest upstream version Resolves: rhbz#1928094 * Thu Jul 01 2021 Jakub Martisko - 1.4.9-3
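Review bot: The new `%check` line `execstack lib/libzstd.so.1` passes no option and its output is not compared with anything, so as far as this hunk shows it reports the stack marking rather than failing the build when the stack is executable. An explicit assertion such as `execstack -q lib/libzstd.so.1 | grep -q '^-'` would turn it into a gate; this assumes the documented query output, where a leading `-` means no executable stack is required. The CET re-enablement from Patch2 has no corresponding check at all, and comparing the `readelf -n lib/libzstd.so.1` output against the expected IBT and SHSTK properties would cover a silent loss of the marking.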