Hello list!
As discussed a few days ago [1], there's a _severe_ bug in autotool's libtool, known for ages [2], preventing libs from being built fully hardened (partial RELRO), even if you have included `%global _hardened_build 1` in your rpm-spec.
There was some LDFLAGS-hack [3] mentioned by me during review of bz# 977446 nbdkit, which turned out to block proper exporting of LDFLAGS during `%configure`-invocation. So I did some experiments on how to get a properly working and future-aware solution for this.
I recommend EVERYBODY who maintains pkgs meeting the above criteria (libtool + hardening) to re-check their built pkg's proper hardening by invoking `hardening-check --color --verbose $path_to_lib` and, if its report reveals

...
 Read-only relocations: yes
---> Immediate binding: no, not found! <---

to apply the following lines immediately AFTER invoking `%configure` to their affected pkg's spec:

# dirty hack to force immediate binding with hardened build having
# autocrap's libtool pass the needed gcc-specs to linker.
sed -i -e 's! \$compiler_flags !&\$CFLAGS \$LDFLAGS !' libtool

This simple (but effective) hack makes sure ALL hardening-relevant flags are passed to the linker.
I just filed a ticket for FESCo-meeting [4] to have this workaround included in `%configure`-macro provided by rpm-package.
If you are unsure whether your package is affected by this, feel free to ask me and please provide a build.log, so I can check.
Cheers, Björn
[1] https://lists.fedoraproject.org/pipermail/devel/2013-June/184429.html
[2] http://lists.gnu.org/archive/html/bug-libtool/2005-10/msg00003.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=977446#c13
[4] https://fedorahosted.org/fesco/ticket/1132
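
One way to check the property described in the message above across many libraries, as an added example that is not part of the original post: it reads `readelf` output and reports partial RELRO when a `GNU_RELRO` segment is present but no immediate-binding flag is. The function names and the sample `readelf` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify RELRO from `readelf -lW -d` output read on stdin.
# Prints one of: full, partial, none.
classify_relro() {
    out=$(cat)
    # A GNU_RELRO program header means the linker was given -z relro.
    if ! printf '%s\n' "$out" | grep -q 'GNU_RELRO'; then
        echo none
        return 0
    fi
    # Immediate binding (-z now) appears as a DT_BIND_NOW entry, as
    # BIND_NOW in DT_FLAGS, or as NOW in DT_FLAGS_1.
    if printf '%s\n' "$out" |
        grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).* NOW( |$)'; then
        echo full
    else
        echo partial
    fi
}

# Constructed readelf excerpts (not taken from a real build).
sample_partial() { cat <<'EOF'
  GNU_RELRO      0x000de8 0x0000000000200de8 0x0000000000200de8 0x000218 0x000218 R   0x1
 0x000000000000000e (SONAME)             Library soname: [libexample.so.0]
EOF
}
sample_full() { cat <<'EOF'
  GNU_RELRO      0x000de8 0x0000000000200de8 0x0000000000200de8 0x000218 0x000218 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
EOF
}
sample_none() { cat <<'EOF'
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000a4c 0x000a4c R E 0x200000
 0x000000000000000e (SONAME)             Library soname: [libexample.so.0]
EOF
}

# Usage: sh check-relro.sh "$RPM_BUILD_ROOT"/usr/lib64/*.so*
for f in "$@"; do
    [ -f "$f" ] || continue
    # Skip anything readelf does not recognise as ELF.
    readelf -h "$f" >/dev/null 2>&1 || continue
    printf '%s: %s\n' "$f" "$(readelf -lW -d "$f" 2>/dev/null | classify_relro)"
done
```

A library reported as `partial` corresponds to the "Immediate binding: no, not found!" result shown in the message above.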
These m4 scripts (used by libvirt) may also be of interest to upstream developers:
http://libvirt.org/git/?p=libvirt.git;a=blob;f=m4/virt-compile-pie.m4;hb=HEA...
http://libvirt.org/git/?p=libvirt.git;a=blob;f=m4/virt-linker-relro.m4;hb=HE...
Rich.
On 26/06/2013 17:39, Björn Esser wrote:
> # dirty hack to force immediate binding with hardened build having
> # autocrap's libtool pass the needed gcc-specs to linker.
> sed -i -e 's! \$compiler_flags !&\$CFLAGS \$LDFLAGS !' libtool

Weird, I didn't see any mention of this on the autocrap's libtool mailing list(s)... O:-)
Is there at least a Fedora BZ for this?
Paolo