Bug 1548751

Summary: libtool: Disables build hardening
Product: [Fedora] Fedora
Component: libtool
Version: 28
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Florian Weimer <fweimer>
Assignee: Pavel Raiskup <praiskup>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ivazqueznet, jakub, karsten, kasal, mmathesi, praiskup, rhbugs
Keywords: Reopened
Fixed In Version: libtool-2.4.6-24.fc28
Last Closed: 2018-04-27 04:10:06 UTC
Type: Bug
Bug Blocks: 1539083

Description Florian Weimer 2018-02-24 19:13:49 UTC
/usr/lib64/libltdl.so.7.3.1 in libtool-ltdl-2.4.6-22.fc28.x86_64 is not built with full hardening.  This is because the RPM spec file disables hardening:

# See the bug #1289759
%undefine _hardened_build

There has to be a better solution for that, especially since libtool aggressively strips -specs= options for some reason, which causes countless other packages to lose full hardening coverage.

Starting with redhat-rpm-config-101-1.fc28, only executables really need the -specs= options (not shared objects), so maybe there is now a better way to avoid dropping hardening flags.

There is also a discussion about build flag embedding, see bug 1543394.

See https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md for information on RPM macros and environment variables provided by the build environment.

Comment 1 Merlin Mathesius 2018-04-18 19:14:15 UTC
libtool-2.4.6-23.fc29 has been patched to avoid stripping the -specs= options (https://src.fedoraproject.org/rpms/libtool/c/2e616087c1dce036105331cb0ef67e57499011f3?branch=master), but it's only in Rawhide at the moment--not F28.

Comment 2 Florian Weimer 2018-04-18 19:15:59 UTC

*** This bug has been marked as a duplicate of bug 985592 ***

Comment 3 Pavel Raiskup 2018-04-18 20:19:40 UTC
I'm not sure this is a duplicate of 985592.  Wasn't this request to harden
libltdl.so in particular?

Comment 4 Florian Weimer 2018-04-18 20:23:39 UTC
(In reply to Pavel Raiskup from comment #3)
> I'm not sure this is a duplicate of 985592.  Wasn't this request to harden
> libltdl.so in particular?

Oh.  I assumed this was fixed as a side effect.  I can't easily check this until the Fedora 28 update hits the testing repositories, though.

Comment 5 Pavel Raiskup 2018-04-18 22:36:11 UTC
Taking into account that the semantics of 'dlopen(... , RTLD_LAZY)' call
shouldn't be changed by linking caller with -Wl,-z,now (libltdl depends
on that), I'll harden the DSO tomorrow or so.  Please correct me if I'm
wrong.
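
Added example, not part of the bug report or of the libtool package: one way to check whether a shared object such as libltdl.so was linked with -z now (the part of full hardening that applies to DSOs) by classifying readelf output. The function names and the sample readelf lines are constructed for illustration, and readelf from binutils is assumed to be installed.

```sh
#!/bin/sh
# Classify RELRO/binding hardening from `readelf -W -l -d FILE` output (stdin).
#   full    : GNU_RELRO segment present and -z now recorded
#   partial : GNU_RELRO present, lazy binding still permitted
#   none    : no GNU_RELRO segment
classify_relro() {
    awk '
        $1 == "GNU_RELRO"          { relro = 1 }
        # -z now is recorded as DT_BIND_NOW, as BIND_NOW in DT_FLAGS,
        # or as NOW in DT_FLAGS_1, depending on the linker.
        /\(BIND_NOW\)/             { now = 1 }
        /\(FLAGS\)/ && /BIND_NOW/  { now = 1 }
        /\(FLAGS_1\)/ && /NOW/     { now = 1 }
        END {
            if (!relro)   print "none"
            else if (now) print "full"
            else          print "partial"
        }'
}

# Run readelf (binutils, assumed installed) on one file and classify it.
check_dso() {
    readelf -W -l -d "$1" | classify_relro
}

# Constructed readelf excerpts (not taken from a real libltdl build).
SAMPLE_LAZY='  GNU_RELRO      0x009d90 0x000000000000ad90 0x000000000000ad90 0x000270 0x000270 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libdl.so.2]'
SAMPLE_NOW="$SAMPLE_LAZY
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW"

printf 'lazy sample: %s\n' "$(printf '%s\n' "$SAMPLE_LAZY" | classify_relro)"
printf 'now sample:  %s\n' "$(printf '%s\n' "$SAMPLE_NOW" | classify_relro)"

# Classify any files given on the command line, e.g. /usr/lib64/libltdl.so.7.3.1
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_dso "$f")"
done
```

A result of "partial" for a DSO from a package that is supposed to use the distribution's hardened flags indicates that -z now was dropped somewhere in the build, which is the symptom this bug describes.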

Comment 6 Fedora Update System 2018-04-20 14:27:28 UTC
libtool-2.4.6-24.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c7c0a0abcc

Comment 7 Fedora Update System 2018-04-21 18:38:11 UTC
libtool-2.4.6-24.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c7c0a0abcc

Comment 8 Fedora Update System 2018-04-27 04:10:06 UTC
libtool-2.4.6-24.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.