diff options
author | Nalin Dahyabhai <nalin@redhat.com> | 2010-10-05 11:15:37 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@redhat.com> | 2010-10-05 11:15:37 -0400 |
commit | 4d1de02afe9b9d96bdf1e34a951cf3bd56896ebc (patch) | |
tree | 07c905ca1720918e5460f290b8de457bc0c339f9 | |
parent | 739b67be1aeaa23877606d8db78ffdabc2e48532 (diff) | |
download | krb5-4d1de02afe9b9d96bdf1e34a951cf3bd56896ebc.tar.gz krb5-4d1de02afe9b9d96bdf1e34a951cf3bd56896ebc.tar.xz krb5-4d1de02afe9b9d96bdf1e34a951cf3bd56896ebc.zip |
- also link binaries with -Wl,-z,relro,-z,now (part of #629950)
-rw-r--r-- | krb5-1.7-buildconf.patch | 9 | ||||
-rw-r--r-- | krb5.spec | 1 |
2 files changed, 6 insertions, 4 deletions
diff --git a/krb5-1.7-buildconf.patch b/krb5-1.7-buildconf.patch index 874df87..754962e 100644 --- a/krb5-1.7-buildconf.patch +++ b/krb5-1.7-buildconf.patch @@ -1,5 +1,5 @@ -Build binaries in this package as PIEs and install shared libraries with the -execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS +Build binaries in this package as RELRO PIEs and install shared libraries with +the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. @@ -11,7 +11,7 @@ diff -up krb5-1.7/src/config/shlib.conf krb5-1.7/src/config/shlib.conf RPATH_FLAG='-Wl,-rpath -Wl,' PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' -+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie $(LDFLAGS)' ++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)' + INSTALL_SHLIB='${INSTALL} -m755' CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' @@ -19,7 +19,7 @@ diff -up krb5-1.7/src/config/shlib.conf krb5-1.7/src/config/shlib.conf diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in --- krb5-1.7/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 +++ krb5-1.7/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 -@@ -187,8 +187,13 @@ if test -n "$do_libs"; then +@@ -187,8 +187,14 @@ if test -n "$do_libs"; then -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ @@ -30,6 +30,7 @@ diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in + lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` + fi + lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"` ++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"` + if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" @@ -644,6 +644,7 @@ exit 0 %changelog * Tue Oct 5 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.2-5 +- also link binaries with -Wl,-z,relro,-z,now (part of #629950) - build with -fstack-protector-all instead of the default -fstack-protector, so that we add checking to more functions (i.e., all of them) (#629950) |