From e56431f08d84bac84c85897966bd9c5985fdae33 Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Wed, 20 Mar 2013 18:04:02 +0100 Subject: [PATCH 01/11] spec: add system group dip (GID=40) to ppp package --- ppp.spec | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/ppp.spec b/ppp.spec index c116bd4..5373315 100644 --- a/ppp.spec +++ b/ppp.spec @@ -1,7 +1,7 @@ Summary: The Point-to-Point Protocol daemon Name: ppp Version: 2.4.5 -Release: 28%{?dist} +Release: 29%{?dist} License: BSD and LGPLv2+ and GPLv2+ and Public Domain Group: System Environment/Daemons URL: http://www.samba.org/ppp @@ -37,6 +37,8 @@ Patch32: ppp-2.4.5-l2tp-multilink.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: pam-devel, libpcap-devel, openssl-devel Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6 systemd-units +Requires(pre): /usr/bin/getent +Requires(pre): /usr/sbin/groupadd %description The ppp package contains the PPP (Point-to-Point Protocol) daemon and @@ -120,6 +122,9 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/ppp.conf mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/ppp +%pre +getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || : + %files %defattr(-,root,root) %{_sbindir}/chat @@ -156,6 +161,9 @@ install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/ppp %doc PLUGINS %changelog +* Wed Mar 20 2013 Michal Sekletar - 2.4.5-29 +- Add creation of dip system group + * Wed Mar 20 2013 Michal Sekletar - 2.4.5-28 - Add /etc/logrotate.d to files section since we no longer hard depend on logrotate From 0c288beeb7bd9b697e4c612610de03b00e7654a5 Mon Sep 17 00:00:00 2001 
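Review bot: In the new `%pre` scriptlet, `groupadd -r -g 40 dip >/dev/null 2>&1 || :` hides every failure, so on a host where GID 40 already belongs to another group the package installs without a `dip` group and nothing reports it. Adding `-f` lets groupadd fall back to a free system GID instead of failing: `getent group dip >/dev/null 2>&1 || groupadd -f -r -g 40 dip >/dev/null 2>&1 || :`. None of the hunks in this patch give a packaged file `dip` ownership, so any later change that does should look the group up by name and not assume the GID is 40.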
From: Michal Sekletar Date: Fri, 22 Mar 2013 15:24:19 +0100 Subject: [PATCH 02/11] radius-plugin: ignore unknown directives We shouldn't be so strict when parsing radius client configuration file. Instead of exiting when encountering directive we don't recognize and don't care about, we should just warn and continue parsing. Resolves RHBZ #906913 --- ppp-2.4.5-radius-config.patch | 14 ++++++++++++++ ppp.spec | 8 +++++++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 ppp-2.4.5-radius-config.patch diff --git a/ppp-2.4.5-radius-config.patch b/ppp-2.4.5-radius-config.patch new file mode 100644 index 0000000..40ef6fc --- /dev/null +++ b/ppp-2.4.5-radius-config.patch @@ -0,0 +1,14 @@ +diff -up ppp-2.4.5/pppd/plugins/radius/config.c.radius ppp-2.4.5/pppd/plugins/radius/config.c +--- ppp-2.4.5/pppd/plugins/radius/config.c.radius 2009-11-16 23:26:07.000000000 +0100 ++++ ppp-2.4.5/pppd/plugins/radius/config.c 2013-03-22 16:18:58.374665717 +0100 +@@ -216,8 +216,8 @@ int rc_read_config(char *filename) + p[pos] = '\0'; + + if ((option = find_option(p, OT_ANY)) == NULL) { +- error("%s: line %d: unrecognized keyword: %s", filename, line, p); +- return (-1); ++ warn("%s: line %d: unrecognized keyword: %s", filename, line, p); ++ continue; + } + + if (option->status != ST_UNDEF) { diff --git a/ppp.spec b/ppp.spec index 5373315..da373b3 100644 --- a/ppp.spec +++ b/ppp.spec @@ -1,7 +1,7 @@ Summary: The Point-to-Point Protocol daemon Name: ppp Version: 2.4.5 -Release: 29%{?dist} +Release: 30%{?dist} License: BSD and LGPLv2+ and GPLv2+ and Public Domain Group: System Environment/Daemons URL: http://www.samba.org/ppp @@ -33,6 +33,7 @@ Patch29: ppp-2.4.5-man.patch Patch30: ppp-2.4.5-eth.patch Patch31: ppp-2.4.5-lock.patch Patch32: ppp-2.4.5-l2tp-multilink.patch +Patch33: ppp-2.4.5-radius-config.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: pam-devel, libpcap-devel, openssl-devel 
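Review bot: With `warn(...)` followed by `continue` in `rc_read_config`, a misspelled keyword in the RADIUS client configuration is now skipped, and whatever default applies to the intended option stays in effect with only a warning as evidence. The message should say that the line was ignored so the log is unambiguous, e.g. `warn("%s: line %d: unrecognized keyword: %s (line ignored)", filename, line, p);`. The loop this `continue` targets starts outside the hunk, so confirm that skipping the rest of the iteration keeps `line` correct for later messages.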
@@ -84,6 +85,7 @@ This package contains the header files for building plugins for ppp. # fixes bz#708260 - SELinux is preventing access on the file LCK..ttyUSB3 %patch31 -p1 -b .lock %patch32 -p1 -b .l2tp-multilink +%patch33 -p1 -b .radius rm -f scripts/*.local rm -f scripts/*.change_resolv_conf @@ -161,6 +163,10 @@ getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || : %doc PLUGINS %changelog +* Wed May 29 2013 Michal Sekletar - 2.4.5-30 +- make radius plugin config parser less strict +- resolves : #906913 + * Wed Mar 20 2013 Michal Sekletar - 2.4.5-29 - Add creation of dip system group From f2801bcfd928db18a6cf0891c8e0e03176d85e4c Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Thu, 4 Jul 2013 16:19:23 +0200 Subject: [PATCH 03/11] pppd: fix possible null pointer dereferencing We shouldn't call strcmp directly on return value of crypt() because it might return NULL. Resolves: #815617 --- ppp-2.4.5-crypt.patch | 47 +++++++++++++++++++++++++++++++++++++++++++ ppp.spec | 7 ++++++- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 ppp-2.4.5-crypt.patch diff --git a/ppp-2.4.5-crypt.patch b/ppp-2.4.5-crypt.patch new file mode 100644 index 0000000..a7dffb9 --- /dev/null +++ b/ppp-2.4.5-crypt.patch 
@@ -0,0 +1,47 @@ +diff -up ppp-2.4.5/pppd/auth.c.crypt ppp-2.4.5/pppd/auth.c +--- ppp-2.4.5/pppd/auth.c.crypt 2013-07-04 16:10:27.338463397 +0200 ++++ ppp-2.4.5/pppd/auth.c 2013-07-04 16:15:00.204471203 +0200 +@@ -1515,11 +1515,19 @@ check_passwd(unit, auser, userlen, apass + ret = UPAP_AUTHNAK; + } + } ++ + if (secret[0] != 0 && !login_secret) { +- /* password given in pap-secrets - must match */ +- if ((cryptpap || strcmp(passwd, secret) != 0) +- && strcmp(crypt(passwd, secret), secret) != 0) +- ret = UPAP_AUTHNAK; ++ /* password given in pap-secrets - must match */ ++ char *cryptbuf = NULL; ++ cryptbuf = crypt(passwd, secret); ++ ++ if (cryptpap) { ++ if ((cryptbuf == NULL) || (strcmp(cryptbuf, secret) != 0)) ++ ret = UPAP_AUTHNAK; ++ } else { ++ if ((strcmp(passwd, secret) != 0) && (cryptbuf == NULL || strcmp(cryptbuf, secret) != 0)) ++ ret = UPAP_AUTHNAK; ++ } + } + } + fclose(f); +diff -up ppp-2.4.5/pppd/session.c.crypt ppp-2.4.5/pppd/session.c +--- ppp-2.4.5/pppd/session.c.crypt 2009-11-16 23:26:07.000000000 +0100 ++++ ppp-2.4.5/pppd/session.c 2013-07-04 16:10:27.354463397 +0200 +@@ -348,9 +348,14 @@ session_start(flags, user, passwd, ttyNa + /* + * If no passwd, don't let them login if we're authenticating. + */ +- if (pw->pw_passwd == NULL || strlen(pw->pw_passwd) < 2 +- || strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd) != 0) ++ if (pw->pw_passwd == NULL || strlen(pw->pw_passwd) < 2) { + return SESSION_FAILED; ++ } else { ++ char *cryptbuf = NULL; ++ cryptbuf = crypt(passwd, pw->pw_passwd); ++ if ((cryptbuf == NULL) || (strcmp(cryptbuf, pw->pw_passwd) != 0)) ++ return SESSION_FAILED; ++ } + } + + #endif /* #ifdef USE_PAM */ diff --git a/ppp.spec b/ppp.spec index da373b3..eaee48b 100644 --- a/ppp.spec +++ b/ppp.spec 
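Review bot: When `crypt()` returns NULL, both `check_passwd` (auth.c) and `session_start` (session.c) now reject the login exactly as they would for a wrong password, and nothing is logged. crypt() can fail for reasons unrelated to the supplied password, such as a hash format in the stored secret that the C library does not support, so an administrator sees unexplained authentication failures. A one-line diagnostic before the comparison would separate the two cases, for example `if (cryptbuf == NULL) warn("crypt() failed; rejecting login");` in both places. Separately, `char *cryptbuf = NULL;` followed at once by the assignment can be a single initialised declaration, `char *cryptbuf = crypt(passwd, secret);`. Both function bodies extend beyond the hunks.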
@@ -1,7 +1,7 @@ Summary: The Point-to-Point Protocol daemon Name: ppp Version: 2.4.5 -Release: 30%{?dist} +Release: 31%{?dist} License: BSD and LGPLv2+ and GPLv2+ and Public Domain Group: System Environment/Daemons URL: http://www.samba.org/ppp @@ -34,6 +34,7 @@ Patch30: ppp-2.4.5-eth.patch Patch31: ppp-2.4.5-lock.patch Patch32: ppp-2.4.5-l2tp-multilink.patch Patch33: ppp-2.4.5-radius-config.patch +Patch34: ppp-2.4.5-crypt.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: pam-devel, libpcap-devel, openssl-devel @@ -86,6 +87,7 @@ This package contains the header files for building plugins for ppp. %patch31 -p1 -b .lock %patch32 -p1 -b .l2tp-multilink %patch33 -p1 -b .radius +%patch34 -p1 -b .crypt rm -f scripts/*.local rm -f scripts/*.change_resolv_conf @@ -163,6 +165,9 @@ getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || : %doc PLUGINS %changelog +* Thu Jul 04 2013 Michal Sekletar - 2.4.5-31 +- fix possible NULL pointer dereferencing + * Wed May 29 2013 Michal Sekletar - 2.4.5-30 - make radius plugin config parser less strict - resolves : #906913 From f6b684d242ecab164de4bea2bd6b2670a14065a7 Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Fri, 12 Jul 2013 15:45:34 +0200 Subject: [PATCH 04/11] spec: don't ship /var/lock/ppp in rpm payload Recent changes in filesystem package prevent installation of ppp in chroot because /run/lock directory is not created by filesystem package anymore. To make things work again, we create ppp subdir in %post scriptlet and mark it as %ghost. Resolves: #980100 --- ppp.spec | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/ppp.spec b/ppp.spec index eaee48b..f177c05 100644 --- a/ppp.spec +++ b/ppp.spec 
@@ -1,7 +1,7 @@ Summary: The Point-to-Point Protocol daemon Name: ppp Version: 2.4.5 -Release: 31%{?dist} +Release: 32%{?dist} License: BSD and LGPLv2+ and GPLv2+ and Public Domain Group: System Environment/Daemons URL: http://www.samba.org/ppp @@ -129,6 +129,9 @@ install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/ppp %pre getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || : +%post +mkdir -p %{_localstatedir}/lock/ppp + %files %defattr(-,root,root) %{_sbindir}/chat @@ -146,7 +149,7 @@ getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || : %{_libdir}/pppd %dir %{_sysconfdir}/ppp %dir %{_localstatedir}/run/ppp -%dir %{_localstatedir}/lock/ppp +%ghost %dir %{_localstatedir}/lock/ppp %dir %{_sysconfdir}/logrotate.d %attr(700, root, root) %dir %{_localstatedir}/log/ppp %config %{_prefix}/lib/tmpfiles.d/ppp.conf @@ -165,6 +168,9 @@ getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || : %doc PLUGINS %changelog +* Fri Jul 12 2013 Michal Sekletar - 2.4.5-32 +- don't ship /var/lock/ppp in rpm payload and create it in %post instead + * Thu Jul 04 2013 Michal Sekletar - 2.4.5-31 - fix possible NULL pointer dereferencing From 44d88161353634df62baa8c0a3a26b8e83e12625 Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Fri, 12 Jul 2013 17:43:00 +0200 Subject: [PATCH 05/11] spec: fix installation of tmpfiles.d configuration Use convenient macro instead of hard coded path to directory where tmpfiles configuration is stored. tmpfiles config file should not be marked as %config, change that as well while we are at it. --- ppp.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ppp.spec b/ppp.spec index f177c05..e74f299 100644 --- a/ppp.spec +++ b/ppp.spec 
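Review bot: The new `%post` line `mkdir -p %{_localstatedir}/lock/ppp` sets neither mode nor owner, so the lock directory's permissions depend on the umask the scriptlet runs under, and an already existing path is accepted as it is. Stating them explicitly keeps the directory consistent with what the `%ghost %dir` entry records: `install -d -m 0755 -o root -g root %{_localstatedir}/lock/ppp || :`. The trailing `|| :` follows the `%pre` scriptlet and keeps a failure here from failing the transaction. If the packaged tmpfiles.d `ppp.conf` also declares this directory, the mode here should match it; its contents are not shown on this page.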
@@ -119,8 +119,8 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/ppp mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/ppp mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lock/ppp -install -d -m 755 $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d -install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/ppp.conf +install -d -m 755 $RPM_BUILD_ROOT%{_tmpfilesdir} +install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_tmpfilesdir}/ppp.conf # Logrotate script mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d @@ -152,7 +152,6 @@ mkdir -p %{_localstatedir}/lock/ppp %ghost %dir %{_localstatedir}/lock/ppp %dir %{_sysconfdir}/logrotate.d %attr(700, root, root) %dir %{_localstatedir}/log/ppp -%config %{_prefix}/lib/tmpfiles.d/ppp.conf %config(noreplace) %{_sysconfdir}/ppp/eaptls-client %config(noreplace) %{_sysconfdir}/ppp/eaptls-server %config(noreplace) %{_sysconfdir}/ppp/chap-secrets @@ -160,6 +159,7 @@ mkdir -p %{_localstatedir}/lock/ppp %config(noreplace) %{_sysconfdir}/ppp/pap-secrets %config(noreplace) %{_sysconfdir}/pam.d/ppp %config(noreplace) %{_sysconfdir}/logrotate.d/ppp +%{_tmpfilesdir}/ppp.conf %doc FAQ README README.cbcp README.linux README.MPPE README.MSCHAP80 README.MSCHAP81 README.pwfd README.pppoe scripts sample README.eap-tls %files devel @@ -170,6 +170,7 @@ mkdir -p %{_localstatedir}/lock/ppp %changelog * Fri Jul 12 2013 Michal Sekletar - 2.4.5-32 - don't ship /var/lock/ppp in rpm payload and create it in %post instead +- fix installation of tmpfiles.d configuration * Thu Jul 04 2013 Michal Sekletar - 2.4.5-31 - fix possible NULL pointer dereferencing From 815da11c84b386197bd7d90f1eb3b8f9535f6779 Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Sun, 28 Jul 2013 15:35:41 +0200 Subject: [PATCH 06/11] spec: enable hardened build --- ppp.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ppp.spec b/ppp.spec index e74f299..a41b4dd 100644 --- a/ppp.spec +++ b/ppp.spec 
@@ -1,3 +1,5 @@ +%global _hardened_build 1 + Summary: The Point-to-Point Protocol daemon Name: ppp Version: 2.4.5 @@ -171,6 +173,7 @@ mkdir -p %{_localstatedir}/lock/ppp * Fri Jul 12 2013 Michal Sekletar - 2.4.5-32 - don't ship /var/lock/ppp in rpm payload and create it in %post instead - fix installation of tmpfiles.d configuration +- enable hardened build * Thu Jul 04 2013 Michal Sekletar - 2.4.5-31 - fix possible NULL pointer dereferencing From 61a2a4505231699d4ae16229d58cc2b002e89fb7 Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Sun, 28 Jul 2013 15:41:12 +0200 Subject: [PATCH 07/11] spec: fix bogus dates in changelog --- ppp.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ppp.spec b/ppp.spec index a41b4dd..4ac81ad 100644 --- a/ppp.spec +++ b/ppp.spec @@ -174,6 +174,7 @@ mkdir -p %{_localstatedir}/lock/ppp - don't ship /var/lock/ppp in rpm payload and create it in %post instead - fix installation of tmpfiles.d configuration - enable hardened build +- fix bogus dates in changelog * Thu Jul 04 2013 Michal Sekletar - 2.4.5-31 - fix possible NULL pointer dereferencing @@ -399,7 +400,7 @@ mkdir -p %{_localstatedir}/lock/ppp * Tue Jun 15 2004 Elliot Lee - rebuilt -* Wed May 24 2004 David Woodhouse 2.4.2-2.3 +* Mon May 24 2004 David Woodhouse 2.4.2-2.3 - Enable IPv6 support. Disable PIE to avoid bogus Provides: * Fri May 14 2004 Thomas Woerner 2.4.2-2.2 @@ -521,7 +522,7 @@ mkdir -p %{_localstatedir}/lock/ppp * Fri Apr 09 1999 Cristian Gafton - force pppd use the glibc's logwtmp instead of implementing its own -* Wed Apr 01 1999 Preston Brown +* Thu Apr 01 1999 Preston Brown - version 2.3.7 bugfix release * Tue Mar 23 1999 Cristian Gafton From 364693c75b37a97401b39b5d37e697f02b9c6c7c Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Sun, 28 Jul 2013 16:48:35 +0200 Subject: [PATCH 08/11] spec: compile all binaries with hardening flags --- ppp.spec | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/ppp.spec b/ppp.spec index 4ac81ad..a8e69c1 100644 --- a/ppp.spec +++ b/ppp.spec @@ -37,6 +37,7 @@ Patch31: ppp-2.4.5-lock.patch Patch32: ppp-2.4.5-l2tp-multilink.patch Patch33: ppp-2.4.5-radius-config.patch Patch34: ppp-2.4.5-crypt.patch +Patch35: ppp-2.4.5-hardened.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: pam-devel, libpcap-devel, openssl-devel @@ -90,6 +91,7 @@ This package contains the header files for building plugins for ppp. %patch32 -p1 -b .l2tp-multilink %patch33 -p1 -b .radius %patch34 -p1 -b .crypt +%patch35 -p1 -b .hardened rm -f scripts/*.local rm -f scripts/*.change_resolv_conf @@ -175,6 +177,7 @@ mkdir -p %{_localstatedir}/lock/ppp - fix installation of tmpfiles.d configuration - enable hardened build - fix bogus dates in changelog +- compile all binaries with hardening flags * Thu Jul 04 2013 Michal Sekletar - 2.4.5-31 - fix possible NULL pointer dereferencing From 129b80d0f932e236f96f92e6574c20111a430005 Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Sun, 28 Jul 2013 16:58:20 +0200 Subject: [PATCH 09/11] spec: get rid of the BuildRoot: --- ppp.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/ppp.spec b/ppp.spec index a8e69c1..a02ec27 100644 --- a/ppp.spec +++ b/ppp.spec @@ -39,7 +39,6 @@ Patch33: ppp-2.4.5-radius-config.patch Patch34: ppp-2.4.5-crypt.patch Patch35: ppp-2.4.5-hardened.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: pam-devel, libpcap-devel, openssl-devel Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6 systemd-units Requires(pre): /usr/bin/getent From 41c783d0d46487900bf71623b0f30775caf3fe8e Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Mon, 29 Jul 2013 13:20:22 +0200 Subject: [PATCH 10/11] sources: add forgotten patch --- ppp-2.4.5-hardened.patch | 80 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 ppp-2.4.5-hardened.patch 
diff --git a/ppp-2.4.5-hardened.patch b/ppp-2.4.5-hardened.patch new file mode 100644 index 0000000..edea29e --- /dev/null +++ b/ppp-2.4.5-hardened.patch 
@@ -0,0 +1,80 @@ +diff -up ppp-2.4.5/chat/Makefile.linux.hardened ppp-2.4.5/chat/Makefile.linux +--- ppp-2.4.5/chat/Makefile.linux.hardened 2013-07-28 16:36:54.379766667 +0200 ++++ ppp-2.4.5/chat/Makefile.linux 2013-07-28 16:37:25.816760232 +0200 +@@ -10,7 +10,7 @@ CDEF3= -UNO_SLEEP # Use the usleep fun + CDEF4= -DFNDELAY=O_NDELAY # Old name value + CDEFS= $(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4) + +-COPTS= $(RPM_OPT_FLAGS) ++COPTS= $(RPM_OPT_FLAGS) -fPIE + CFLAGS= $(COPTS) $(CDEFS) + + INSTALL= install +@@ -18,7 +18,7 @@ INSTALL= install + all: chat + + chat: chat.o +- $(CC) -pie -o chat chat.o ++ $(CC) -z now -pie -o chat chat.o + + chat.o: chat.c + $(CC) -c $(CFLAGS) -o chat.o chat.c +diff -up ppp-2.4.5/pppd/plugins/rp-pppoe/Makefile.linux.hardened ppp-2.4.5/pppd/plugins/rp-pppoe/Makefile.linux +--- ppp-2.4.5/pppd/plugins/rp-pppoe/Makefile.linux.hardened 2013-07-28 16:38:50.454744701 +0200 ++++ ppp-2.4.5/pppd/plugins/rp-pppoe/Makefile.linux 2013-07-28 16:39:30.297737993 +0200 +@@ -27,11 +27,11 @@ INSTALL = install + RP_VERSION=3.8p + + COPTS=$(RPM_OPT_FLAGS) +-CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' ++CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' -fPIE + all: rp-pppoe.so pppoe-discovery + + pppoe-discovery: pppoe-discovery.o debug.o +- $(CC) -o pppoe-discovery pppoe-discovery.o debug.o ++ $(CC) -z now -pie -o pppoe-discovery pppoe-discovery.o debug.o + + pppoe-discovery.o: pppoe-discovery.c + $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c +diff -up ppp-2.4.5/pppdump/Makefile.linux.hardened ppp-2.4.5/pppdump/Makefile.linux +--- ppp-2.4.5/pppdump/Makefile.linux.hardened 2013-07-28 16:38:09.270751992 +0200 ++++ ppp-2.4.5/pppdump/Makefile.linux 2013-07-28 16:38:34.296747511 +0200 +@@ -2,7 +2,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@ + BINDIR = $(DESTDIR)/sbin + MANDIR = $(DESTDIR)/share/man/man8 + +-CFLAGS= $(RPM_OPT_FLAGS) -I../include/net ++CFLAGS= $(RPM_OPT_FLAGS) -I../include/net -fPIE + OBJS = pppdump.o bsd-comp.o 
deflate.o zlib.o + + INSTALL= install +@@ -10,7 +10,7 @@ INSTALL= install + all: pppdump + + pppdump: $(OBJS) +- $(CC) -o pppdump $(OBJS) ++ $(CC) -z now -pie -o pppdump $(OBJS) + + clean: + rm -f pppdump $(OBJS) *~ +diff -up ppp-2.4.5/pppstats/Makefile.linux.hardened ppp-2.4.5/pppstats/Makefile.linux +--- ppp-2.4.5/pppstats/Makefile.linux.hardened 2013-07-28 16:40:28.737728584 +0200 ++++ ppp-2.4.5/pppstats/Makefile.linux 2013-07-28 16:40:49.130725389 +0200 +@@ -11,7 +11,7 @@ PPPSTATOBJS = pppstats.o + + #CC = gcc + COPTS = $(RPM_OPT_FLAGS) +-COMPILE_FLAGS = -I../include ++COMPILE_FLAGS = -I../include -fPIE + LIBS = + + INSTALL= install +@@ -26,7 +26,7 @@ install: pppstats + $(INSTALL) -c -m 444 pppstats.8 $(MANDIR) + + pppstats: $(PPPSTATSRCS) +- $(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS) ++ $(CC) $(CFLAGS) -z now -pie -o pppstats pppstats.c $(LIBS) + + clean: + rm -f pppstats *~ #* core From 91f7b1a03064f2cf9f03590dcf82ff2a121214ba Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Mon, 29 Jul 2013 19:02:07 +0200 Subject: [PATCH 11/11] spec: add systemd to BuildRequires: %{_tmpfilesdir} macro is provided by systemd package. Also systemd-units is nowadays virtual provide of systemd, change that as well while we are at it. --- ppp.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ppp.spec b/ppp.spec index a02ec27..bcea204 100644 --- a/ppp.spec +++ b/ppp.spec @@ -39,8 +39,8 @@ Patch33: ppp-2.4.5-radius-config.patch Patch34: ppp-2.4.5-crypt.patch Patch35: ppp-2.4.5-hardened.patch -BuildRequires: pam-devel, libpcap-devel, openssl-devel -Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6 systemd-units +BuildRequires: pam-devel, libpcap-devel, openssl-devel, systemd +Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd Requires(pre): /usr/bin/getent Requires(pre): /usr/sbin/groupadd
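Review bot: The link lines changed in ppp-2.4.5-hardened.patch (`$(CC) -z now -pie -o chat chat.o`, and likewise for pppoe-discovery, pppdump and pppstats) hard-code `-z now` but pass neither `-z relro` nor `$(LDFLAGS)`. Whether the GOT ends up read-only therefore depends on the linker's defaults and not on the package's hardening flags. Spelling both options out makes the result independent of toolchain defaults, e.g. `$(CC) $(LDFLAGS) -Wl,-z,relro -Wl,-z,now -pie -o chat chat.o`. In pppd/plugins/rp-pppoe/Makefile.linux, `-fPIE` is appended to the shared `CFLAGS` while `all:` also builds `rp-pppoe.so`; the plugin's compile rules are outside the hunk, so check that its objects still end up compiled with `-fPIC`.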