Bug 971836 - Review Request: hardening-check - Tool to check ELF for being built hardened
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Ville Skyttä
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-06-07 07:37 EDT by Björn 'besser82' Esser
Modified: 2013-06-25 20:41 EDT
Fixed In Version: hardening-check-2.3-2.el6
Doc Type: Bug Fix
Last Closed: 2013-06-11 05:09:15 EDT
ville.skytta: fedora‑review+
limburgher: fedora‑cvs+


Description Björn 'besser82' Esser 2013-06-07 07:37:06 EDT
Spec URL: http://besser82.fedorapeople.org/review/hardening-check/hardening-check.spec
SRPM URL: http://besser82.fedorapeople.org/review/hardening-check/hardening-check-2.3-1.fc19.src.rpm

Description:
hardening-check is a perl-script to check whether an already compiled ELF was built using hardening-flags.

It checks, using readelf, for these hardening-characteristics:

  * Position Independent Executable
    (gcc/g++ -fPIE -pie)
  * Stack protected
    (gcc/g++ -D_FORTIFY_SOURCE=2)
  * Fortify Source functions
    (gcc/g++ -fstack-protector --param ssp-buffer-size=4)
  * Read-only relocations
    (ld -z relro)
  * Immediate binding
    (ld -z now)

Fedora Account System Username: besser82
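
The five checks listed in the description above, sketched as an added example (not part of the original report and not hardening-check's own Perl code): the function maps `readelf -W -h -l -d -s` output to those properties and reports fortification as unknown when nothing fortifiable is imported. The sample outputs, the `FORTIFIABLE` subset and the name `check_hardening` are constructed for illustration, and the PHDR test for telling a PIE from a shared library is a heuristic.

```python
import re

# Illustrative subset of libc functions that have a fortified __NAME_chk variant.
FORTIFIABLE = {"memcpy", "strcpy", "strcat", "sprintf", "read"}

def check_hardening(readelf_text):
    """Derive the five listed properties from `readelf -W -h -l -d -s` output."""
    def has(pattern):
        return re.search(pattern, readelf_text, re.M) is not None
    imports = set(re.findall(r"\bUND +(\w+)", readelf_text))  # undefined = imported
    if any(re.fullmatch(r"__\w+_chk", s) for s in imports):
        fortify = True
    elif imports & FORTIFIABLE:
        fortify = False   # fortifiable calls present, none replaced by _chk variants
    else:
        fortify = None    # nothing fortifiable imported: "unknown", not "no"
    return {
        # ET_DYN alone also matches shared libraries; requiring a PHDR segment
        # is a heuristic for "this DYN object is an executable".
        "pie": has(r"^\s*Type:\s+DYN\b") and has(r"^\s*PHDR\s"),
        "stack_protected": "__stack_chk_fail" in imports,
        "fortify_source": fortify,
        "relro": has(r"^\s*GNU_RELRO\s"),
        "bind_now": has(r"\(BIND_NOW\)|\(FLAGS\).*\bBIND_NOW\b|\(FLAGS_1\).*\bNOW\b"),
    }

# Constructed, trimmed readelf output for three hypothetical files.
HARDENED = """\
  Type:                              DYN (Shared object file)
  PHDR           0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R   0x8
  GNU_RELRO      0x002d90 0x0000000000202d90 0x0000000000202d90 0x000270 0x000270 R   0x1
 0x0000000000000018 (BIND_NOW)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __strcpy_chk@GLIBC_2.3.4 (4)
"""
UNHARDENED = """\
  Type:                              EXEC (Executable file)
  PHDR           0x000040 0x0000000000400040 0x0000000000400040 0x0001f8 0x0001f8 R   0x8
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
"""
SHARED_LIB = """\
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000e10 0x0000000000200e10 0x0000000000200e10 0x0001f0 0x0001f0 R   0x1
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("unhardened", UNHARDENED), ("lib", SHARED_LIB)):
        print(name, check_hardening(text))
```
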
Comment 2 Ville Skyttä 2013-06-09 06:52:54 EDT
The binutils and glibc-common build deps are redundant and should be removed.

Renaming the docs seems an unusual and quite pointless deviation from upstream to me; I'd just refer to their names like in %doc debian/... (non-blocker as far as the review goes).

I suspect that the examples in parentheses in %description are not quite accurate and are also subject to bitrot; I'd just remove them and, while at it, remove some unnecessary bits off it and remove some extraneous hyphens, fix capitalization etc.:

----

%{name} is a tool to check whether an already compiled ELF file
was built using hardening flags.

It checks, using readelf, for these hardening characteristics:

  * Position Independent Executable
  * Stack protected
  * Fortify source functions
  * Read-only relocations
  * Immediate binding
Comment 3 Björn 'besser82' Esser 2013-06-09 07:07:48 EDT
Spec URL: http://besser82.fedorapeople.org/review/hardening-check/hardening-check.spec
SRPM URL: http://besser82.fedorapeople.org/review/hardening-check/hardening-check-2.3-2.fc19.src.rpm

%changelog
* Sun Jun 09 2013 Björn Esser <bjoern.esser@gmail.com> - 2.3-2
- removed BuildRequires: binutils glibc-common
- not renaming docs in debian/
- removed terms to be possibly subject to bitrot from %%description
- as suggested by Ville Skyttä during review

* Fri Jun 07 2013 Björn Esser <bjoern.esser@gmail.com> - 2.3-1
- initial rpm release
Comment 4 Björn 'besser82' Esser 2013-06-09 07:27:23 EDT
Thanks for your review, Ville! If I can do you a favour (read: review your pkgs), just let me know.

With the above changes everything should be fine, I think.
Comment 5 Ville Skyttä 2013-06-09 11:09:34 EDT
Looks good, approved.

And thanks for the offer, I'll try to keep it in mind when/if I have some new packages to submit sometime.
Comment 6 Björn 'besser82' Esser 2013-06-09 11:14:50 EDT
All right! Thanks again! Just drop me a PM sometime...

New Package SCM Request
=======================
Package Name: hardening-check
Short Description: Tool to check ELF for being built hardened
Owners: besser82
Branches: f19 f18 el6
InitialCC:
Comment 7 Gwyn Ciesla 2013-06-10 08:39:49 EDT
Git done (by process-git-requests).
Comment 8 Fedora Update System 2013-06-10 08:57:35 EDT
hardening-check-2.3-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/hardening-check-2.3-2.fc19
Comment 9 Fedora Update System 2013-06-10 08:58:07 EDT
hardening-check-2.3-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/hardening-check-2.3-2.fc18
Comment 10 Fedora Update System 2013-06-10 08:58:49 EDT
hardening-check-2.3-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/hardening-check-2.3-2.el6
Comment 11 Fedora Update System 2013-06-10 13:05:49 EDT
hardening-check-2.3-2.el6 has been pushed to the Fedora EPEL 6 testing repository.
Comment 12 Fedora Update System 2013-06-11 05:09:15 EDT
hardening-check-2.3-2.fc18 has been pushed to the Fedora 18 stable repository.
Comment 13 Fedora Update System 2013-06-11 23:36:03 EDT
hardening-check-2.3-2.fc19 has been pushed to the Fedora 19 stable repository.
Comment 14 Fedora Update System 2013-06-25 20:41:53 EDT
hardening-check-2.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository.
