2022610 - fix compilation issues reported by annocheck

2021-11-12 08:27:05 +01:00 · 2021-11-12 08:27:05 +01:00 · 2bb84e3551
parent 53144ac0a4
commit 2bb84e3551
2 changed files with 61 additions and 3 deletions
--- a/cups-fstack-strong.patch
+++ b/cups-fstack-strong.patch
@ -0,0 +1,49 @@
+diff --git a/config-scripts/cups-compiler.m4 b/config-scripts/cups-compiler.m4
+index 733b06c..bb770f0 100644
+--- a/config-scripts/cups-compiler.m4
+++ b/config-scripts/cups-compiler.m4
+@@ -123,21 +123,35 @@ if test -n "$GCC"; then
+     		OPTIM="-fPIC $OPTIM"
+ 	fi
+ 
+-	# The -fstack-protector option is available with some versions of
+-	# GCC and adds "stack canaries" which detect when the return address
+-	# has been overwritten, preventing many types of exploit attacks.
+-	AC_MSG_CHECKING(whether compiler supports -fstack-protector)
+    # The -fstack-protector-strong and -fstack-protector options are available
+    # with some versions of# GCC and adds "stack canaries" which detect
+    # when the return address has been overwritten, preventing many types of exploit attacks.
+    # First check for -fstack-protector-strong, then for -fstack-protector...
+    AC_MSG_CHECKING([whether compiler supports -fstack-protector-strong])
+ 	OLDCFLAGS="$CFLAGS"
+-	CFLAGS="$CFLAGS -fstack-protector"
+-	AC_TRY_LINK(,,
+  CFLAGS="$CFLAGS -fstack-protector-strong"
+	AC_TRY_LINK(,,[
+ 		if test "x$LSB_BUILD" = xy; then
+ 			# Can't use stack-protector with LSB binaries...
+ 			OPTIM="$OPTIM -fno-stack-protector"
+ 		else
+-			OPTIM="$OPTIM -fstack-protector"
+			OPTIM="$OPTIM -fstack-protector-strong"
+ 		fi
+-		AC_MSG_RESULT(yes),
+-		AC_MSG_RESULT(no))
+		AC_MSG_RESULT(yes)
+  ], [
+	  AC_MSG_CHECKING([whether compiler supports -fstack-protector])
+	  CFLAGS="$OLDCFLAGS -fstack-protector"
+	  AC_LINK_IFELSE([AC_LANG_PROGRAM()], [
+	    AS_IF([test "x$LSB_BUILD" = xy], [
+	  	# Can't use stack-protector with LSB binaries...
+	  	OPTIM="$OPTIM -fno-stack-protector"
+	    ], [
+	  	OPTIM="$OPTIM -fstack-protector"
+	    ])
+	    ], [
+	    AC_MSG_RESULT([no])
+	    ])
+	])
+ 	CFLAGS="$OLDCFLAGS"
+ 
+ 	if test "x$LSB_BUILD" != xy; then
--- a/cups.spec
+++ b/cups.spec
@ -17,7 +17,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: ASL 2.0
 Url: https://openprinting.github.io/cups/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -95,6 +95,8 @@ Patch22: cups-restart-job-hold-until.patch
 Patch23: 0001-cups-md5passwd.c-Stub-out-httpMD5-functions.patch
 # 2019845 - Add more warning messages about drivers going deprecated
 Patch24: cups-deprecate-drivers-webui.patch
+# 2022610 - compile with -fstack-protector-strong if available
+Patch25: cups-fstack-strong.patch

 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@ -318,6 +320,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch23 -p1 -b .no-httpmd5
 # 2019845 - Add more warning messages about drivers going deprecated
 %patch24 -p1 -b .deprecated-drivers-webui
+# 2022610 - compile with fstack-protector-strong if available
+%patch25 -p1 -b .fstack-strong


 %if %{lspp}
@ -343,8 +347,10 @@ autoconf -f -I config-scripts
 export CC=%{__cc}
 export CXX=%{__cxx}
 # add Fedora specific flags to DSOFLAGS
-export DSOFLAGS="$DSOFLAGS -L../cgi-bin -L../filter -L../ppdc -L../scheduler -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-z,relro,-z,now -fPIE -pie" 
-export CFLAGS="$RPM_OPT_FLAGS -fstack-protector-all -DLDAP_DEPRECATED=1"
+export DSOFLAGS="$DSOFLAGS $RPM_LD_FLAGS"
+export CFLAGS="$CFLAGS $RPM_OPT_FLAGS -DLDAP_DEPRECATED=1"
+export CXXFLAGS="$CXXFLAGS $RPM_OPT_FLAGS -DLDAP_DEPRECATED=1"
+export LDFLAGS="$LDFLAGS $RPM_LD_FLAGS -Wall -fstack-clash-protection -D_FORTIFY_SOURCE=2"
 # --enable-debug to avoid stripping binaries
 %configure --with-docdir=%{_datadir}/%{name}/www --enable-debug \
 %if %{lspp}
@ -667,6 +673,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz

 %changelog
+* Fri Nov 12 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-10
+- 2022610 - fix compilation issues reported by annocheck
+
 * Thu Nov 04 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-9
 - stubbed out deprecated httpMD5 functions
 - 2019845 - Add more warning messages about drivers going deprecated (web ui part)