Bug 892837 - fix hardened specs to be safe against multiple inclusion
fix hardened specs to be safe against multiple inclusion
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: redhat-rpm-config (Show other bugs)
18
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Adam Jackson
Fedora Extras Quality Assurance
:
: 958290 (view as bug list)
Depends On:
Blocks: 853199 954347
  Show dependency treegraph
 
Reported: 2013-01-07 19:30 EST by Matthias Clasen
Modified: 2013-06-11 05:18 EDT (History)
9 users (show)

See Also:
Fixed In Version: redhat-rpm-config-9.1.0-37.1.fc18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-05-24 16:14:57 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matthias Clasen 2013-01-07 19:30:23 EST
I was trying a hardened build of polkit, but the build fails when it gets to the introspection part. What probably happens is that the introspection mangles the CFLAGS, and ends up duplicating the -specs=... line. This in turn causes gcc to complain about %rename defining something that already exists.

Using something like:

*cc1_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}

(and similar for ld) instead allows the build to succeed, and yields a fully relro polkit package.
Comment 1 Matthias Clasen 2013-04-30 16:53:18 EDT
*** Bug 958290 has been marked as a duplicate of this bug. ***
Comment 2 Dhiru Kholia 2013-05-02 05:39:06 EDT
Multiple packages are being affected by this bug. Both F18 and F19 are affected.

Why is fixing this almost trivial bug taking so long?
Comment 3 Richard Hughes 2013-05-03 16:28:23 EDT
I'm having to fix this up in RHEL7 manually, it would be awesome to have the macro working. Thanks!
Comment 4 Dan Williams 2013-05-06 17:36:33 EDT
Hitting this with NetworkManager as well, would be good to have this solved correctly instead of carrying a bunch of patches for a bunch of packages.
Comment 5 Dhiru Kholia 2013-05-08 11:02:04 EDT
LibreOffice is affected too. Wasted many hours due to this bug.
Comment 6 Miloslav Trmač 2013-05-10 18:39:57 EDT
At least for polkit, the compilation failure is caused by gdk-doc duplicating the -specs flags (#962005).

There's nothing obviously wrong with the -specs command in redhat-rpm-config AFAICS.  True, it is not idempotent - was it ever promised to be?
Comment 8 Panu Matilainen 2013-05-13 02:48:19 EDT
Reassigning to ajax who added the hardening-stuff in the first place and thus likely has a better clue about the thing than me.
Comment 9 Adam Jackson 2013-05-13 11:17:54 EDT
I'm... honestly not sure why we used %rename there, besides that I think that's the template Jakub(?) gave me to work with.  The + syntax is clearly more sane.

I've fixed this in git (bodhi update to follow in a moment).

However, when I tested it (both before and after) against libXext, a fairly trivial automake/libtool project, libtool seems to delight in just throwing away huge chunks of the link command line, including the -specs= part, because libtool is a net loss for humanity.  Sorry about that, but I don't see a reasonable workaround for it at the rpm macro level, it's really libtool's bug.
Comment 10 Fedora Update System 2013-05-13 11:26:37 EDT
redhat-rpm-config-9.1.0-44.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/redhat-rpm-config-9.1.0-44.fc19
Comment 11 Fedora Update System 2013-05-13 23:45:22 EDT
Package redhat-rpm-config-9.1.0-44.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing redhat-rpm-config-9.1.0-44.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8112/redhat-rpm-config-9.1.0-44.fc19
then log in and leave karma (feedback).
Comment 12 Dhiru Kholia 2013-05-14 07:02:32 EDT
The fix works great. Thanks Adam!
Comment 13 Nathanael Noblet 2013-05-15 12:44:32 EDT
So I just attempted to do this today, my build failed. Is it because the fix above isn't in the buildroot?
Comment 14 Adam Jackson 2013-05-15 17:06:20 EDT
(In reply to comment #13)
> So I just attempted to do this today, my build failed. Is it because the fix
> above isn't in the buildroot?

It won't be in the buildroot until the update gets approved, correct.  That's what karma is for...
Comment 15 Richard Hughes 2013-05-17 08:10:31 EDT
FWIW, I ended up addin the PIE and full RELRO stuff upstream in my projects, rather than using the specfile macro.
Comment 16 Christopher Meng 2013-05-17 22:03:11 EDT
Fixed.
Comment 17 Christopher Meng 2013-05-17 22:45:25 EDT
Rawhide seems fixed.

BUt f19 still comes across this:

http://koji.fedoraproject.org/koji/taskinfo?taskID=5394351
Comment 18 Christopher Meng 2013-05-21 02:55:40 EDT
Hi,

It seems OK now.

But will you have a update for fedora 18?
Comment 19 Fedora Update System 2013-05-24 16:14:57 EDT
redhat-rpm-config-9.1.0-44.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2013-05-29 11:43:28 EDT
redhat-rpm-config-9.1.0-37.1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/redhat-rpm-config-9.1.0-37.1.fc18
Comment 21 Fedora Update System 2013-06-11 05:18:34 EDT
redhat-rpm-config-9.1.0-37.1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.