Properly harden package using -fstack-protector-strong.

2018-09-03 14:10:56 +02:00 · 2018-09-03 14:10:56 +02:00 · 7c66ce151d
commit 7c66ce151d
parent d5e84a533c
2 changed files with 51 additions and 1 deletions
--- a/ruby-2.6.0-configure-fstack-protector-strong.patch
+++ b/ruby-2.6.0-configure-fstack-protector-strong.patch
@ -0,0 +1,43 @@
+From c8ccdbfe1e45cb3b832109d644296c0a3b3e0b59 Mon Sep 17 00:00:00 2001
+From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+Date: Sun, 2 Sep 2018 03:49:31 +0000
+Subject: [PATCH] configure.ac: -fstack-protector-strong
+
+* configure.ac: use -fstack-protector-strong if available instead of
+  -fstack-protector conditionally.  [ruby-core:88788] [Misc #15053]
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64614 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+---
+ configure.ac | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9328fa532de0..b8ee57239215 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -837,15 +837,18 @@ AS_IF([test "$GCC" = yes], [
+ 	stack_protector=no
+     ])
+     AS_IF([test -z "${stack_protector+set}"], [
+-	RUBY_TRY_CFLAGS(-fstack-protector, [stack_protector=yes], [stack_protector=no])
+-	AS_IF([test "x$stack_protector" = xyes], [
+-	    RUBY_TRY_LDFLAGS(-fstack-protector, [], [stack_protector=broken])
+	AS_FOR(option, opt, [-fstack-protector-strong -fstack-protector], [
+	    RUBY_TRY_CFLAGS(option, [stack_protector=yes])
+	    AS_IF([test "x$stack_protector" = xyes], [
+		RUBY_TRY_LDFLAGS(option, [], [stack_protector=])
+	    ])
+	    AS_IF([test "x$stack_protector" = xyes], [stack_protector=option; break])
+ 	])
+     ])
+-    AS_IF([test "x$stack_protector" = xyes], [
+-	RUBY_APPEND_OPTION(XCFLAGS, -fstack-protector)
+-	RUBY_APPEND_OPTION(XLDFLAGS, -fstack-protector)
+-	RUBY_APPEND_OPTION(LDFLAGS, -fstack-protector)
+    AS_CASE(["$stack_protector"], [-*], [
+	RUBY_APPEND_OPTION(XCFLAGS, $stack_protector)
+	RUBY_APPEND_OPTION(XLDFLAGS, $stack_protector)
+	RUBY_APPEND_OPTION(LDFLAGS, $stack_protector)
+     ])
+ 
+     AS_CASE("${compress_debug_sections:-zlib}",
--- a/ruby.spec
+++ b/ruby.spec
@ -21,7 +21,7 @@
 %endif


-%global release 99
+%global release 100
 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}

 # The RubyGems library has to stay out of Ruby directory three, since the
@ -147,6 +147,9 @@ Patch15: ruby-2.6.0-library-options-to-MAINLIBS.patch
 Patch16: ruby-2.5.1-Avoid-need-of-C++-compiler-to-pass-the-test-suite.patch
 # https://github.com/ruby/rdoc/commit/d05e6269d4a4dfd701f5ddb3ae34306cba891511
 Patch20: ruby-2.6.0-rdoc-6.0.1-fix-template-typo.patch
+# Properly harden package using -fstack-protector-strong.
+# https://bugs.ruby-lang.org/issues/15053
+Patch24: ruby-2.6.0-configure-fstack-protector-strong.patch

 # Fix some OpenSSL 1.1.1 test failures.
 # https://github.com/ruby/openssl/pull/202
@ -557,6 +560,7 @@ rm -rf ext/fiddle/libffi*
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1

 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -1103,6 +1107,9 @@ make check TESTS="-v $DISABLE_TESTS"
 %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec

 %changelog
+* Mon Sep 03 2018 Vít Ondruch <vondruch@redhat.com> - 2.5.1-100
+- Properly harden package using -fstack-protector-strong.
+
 * Wed Aug 29 2018 Vít Ondruch <vondruch@redhat.com> - 2.5.1-99
 - Additional OpenSSL 1.1.1 fixes.
 - Add --with-cxxflags configuration for %%gem_install macro.