/usr/lib64/libltdl.so.7.3.1 in libtool-ltdl-2.4.6-22.fc28.x86_64 is not built with full hardening. This is because the RPM spec file disables hardening:

    # See the bug #1289759
    %undefine _hardened_build

There has to be a better solution for that, especially since libtool aggressively strips -specs= options for some reason, which causes countless other packages to lose full hardening coverage.

Starting with redhat-rpm-config-101-1.fc28, only executables really need the -specs= options (not shared objects), so maybe there is now a better way to avoid dropping hardening flags. There is also a discussion about build flag embedding, see bug 1543394.

See https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md for information on RPM macros and environment variables provided by the build environment.
libtool-2.4.6-23.fc29 has been patched to avoid stripping the -specs= options (https://src.fedoraproject.org/rpms/libtool/c/2e616087c1dce036105331cb0ef67e57499011f3?branch=master), but it's only in Rawhide at the moment--not F28.
*** This bug has been marked as a duplicate of bug 985592 ***
I'm not sure this is a duplicate of 985592. Wasn't this request to harden libltdl.so in particular?
(In reply to Pavel Raiskup from comment #3)
> I'm not sure this is a duplicate of 985592. Wasn't this request to harden
> libltdl.so in particular?

Oh. I assumed this was fixed as a side effect. I can't easily check this until the Fedora 28 update hits the testing repositories, though.
Taking into account that the semantics of 'dlopen(... , RTLD_LAZY)' call shouldn't be changed by linking caller with -Wl,-z,now (libltdl depends on that), I'll harden the DSO tomorrow or so. Please correct me if I'm wrong.
libtool-2.4.6-24.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c7c0a0abcc
libtool-2.4.6-24.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c7c0a0abcc
libtool-2.4.6-24.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.