From 94723f8841b4d68bea62dc5211c83ca17f0a956b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Mon, 4 Dec 2017 11:07:08 +0100
Subject: [PATCH] Link libaesni-intel-samba4.so with -z noexecstack

resolves: #1520163
---
 samba-4.7-fix-linking-aesni-intel.patch | 38 +++++++++++++++++++++++++
 samba.spec                              |  6 +++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 samba-4.7-fix-linking-aesni-intel.patch

diff --git a/samba-4.7-fix-linking-aesni-intel.patch b/samba-4.7-fix-linking-aesni-intel.patch
new file mode 100644
index 0000000..0f5dcc0
--- /dev/null
+++ b/samba-4.7-fix-linking-aesni-intel.patch
@@ -0,0 +1,38 @@
+From 0f6d676a74818fc1a3d59c2238bd3752470fdc40 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
+Date: Mon, 4 Dec 2017 10:49:19 +0100
+Subject: [PATCH] third_party: Link th aesni-intel library with -z noexecstack
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13174
+
+Signed-off-by: Björn Baumbach <bb@sernet.de>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ third_party/aesni-intel/wscript | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
+index eb92d6626fe..f11cf9446a2 100644
+--- a/third_party/aesni-intel/wscript
++++ b/third_party/aesni-intel/wscript
+@@ -12,6 +12,8 @@ def configure(conf):
+                 raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
+         else:
+             raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
++        if not conf.CHECK_LDFLAGS('-z noexecstack'):
++            raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
+ 
+ def build(bld):
+     if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
+@@ -20,4 +22,5 @@ def build(bld):
+     bld.SAMBA_LIBRARY('aesni-intel',
+         source='aesni-intel_asm.c',
+         cflags='-Wp,-E,-lang-asm',
++        ldflags='-z noexecstack',
+         private_library=True)
+-- 
+2.15.0
+
diff --git a/samba.spec b/samba.spec
index 9f0750b..3f0539c 100644
--- a/samba.spec
+++ b/samba.spec
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 2
+%define main_release 3
 
 %define samba_version 4.7.3
 %define talloc_version 2.1.10
@@ -117,6 +117,7 @@ Source201: README.downgrade
 Patch0: samba-4.7.0-bind_dlz.patch
 Patch1: samba-4.7.0-support-krb5-1.16.patch
 Patch2: samba-4.7-fix_samba_with_systemd.patch
+Patch3: samba-4.7-fix-linking-aesni-intel.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -3386,6 +3387,9 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
+* Mon Dec 04 2017 Andreas Schneider <asn@redhat.com> - 4.7.3-3
+- resolves: #1520163 - Link libaesni-intel-samba4.so with -z noexecstack
+
 * Thu Nov 30 2017 Andreas Schneider <asn@redhat.com> - 4.7.3-2
 - Fix deamon startup with systemd