From 43bd23e45a39f0e025042aa03dda73ff1a48ce52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A1draig=20Brady?=
Date: Tue, 11 Jan 2022 18:26:05 +0000
Subject: [PATCH] re-enable CET protections
---
enable-CET.patch | 38 ++++++++++++++++++++++++++++++++++++++
zstd.spec | 7 ++++++-
2 files changed, 44 insertions(+), 1 deletion(-)
create mode 100644 enable-CET.patch
diff --git a/enable-CET.patch b/enable-CET.patch
new file mode 100644
index 0000000..335e95d
--- /dev/null
+++ b/enable-CET.patch
@@ -0,0 +1,38 @@
+From cd7620a730413a48843e175d34dc408c152f8125 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Tue, 11 Jan 2022 07:28:25 -0800
+Subject: [PATCH] x86-64: Enable Intel CET
+
+Intel Control-flow Enforcement Technology (CET):
+
+https://en.wikipedia.org/wiki/Control-flow_integrity#Intel_Control-flow_Enforcement_Technology
+
+requires that on Linux, all linker input files are marked as CET enabled
+in .note.gnu.property section. For high-level language source codes,
+.note.gnu.property section is added by compiler with the -fcf-protection
+option. For assembly sources, include to add .note.gnu.property
+section.
+---
+ lib/common/portability_macros.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/common/portability_macros.h b/lib/common/portability_macros.h
+index 627ef9eed4..6ac4b05510 100644
+--- a/lib/common/portability_macros.h
++++ b/lib/common/portability_macros.h
+@@ -128,4 +128,15 @@
+ # define ZSTD_ENABLE_ASM_X86_64_BMI2 0
+ #endif
+
++/*
++ * For x86 ELF targets, add .note.gnu.property section for Intel CET in
++ * assembly sources when CET is enabled.
++ */
++#if defined(__ELF__) && (defined(__x86_64__) || defined(__i386__)) \
++ && defined(__has_include)
++# if __has_include()
++# include
++# endif
++#endif
++
+ #endif /* ZSTD_PORTABILITY_MACROS_H */
diff --git a/zstd.spec b/zstd.spec
index 79fa74f..1dceeb5 100644
--- a/zstd.spec
+++ b/zstd.spec
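Review bot: The `.note.gnu.property` marking produced by the new include in `lib/common/portability_macros.h` is a claim that the assembly is CET-compatible, and nothing visible in the hunk backs that claim for indirect-branch tracking; the hunk only pulls in the header, and the assembly sources and the start of the include-guard block are outside it. If any assembly entry point can be reached through an indirect call or jump, it needs the `_CET_ENDBR` marker that `cet.h` provides, otherwise the object is labelled IBT-safe while faulting under enforcement. Separately, the guard falls through silently when `__has_include` is unavailable or the header is missing, which leaves the objects unmarked and lets the linker drop CET for the whole library without a diagnostic; an `#else` branch carrying `/* No cet.h: asm objects stay unmarked and the linked library loses CET. */` would at least document that. The header name inside `__has_include()` and after `# include` appears to have been lost in the rendering of this page and is presumably `cet.h`.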
@@ -31,7 +31,7 @@ Name: zstd Version: 1.5.1 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Zstd compression library License: BSD and GPLv2 @@ -39,6 +39,7 @@ URL: https://github.com/facebook/zstd Source0: https://github.com/facebook/zstd/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch1: pzstd.1.patch +Patch2: enable-CET.patch BuildRequires: make BuildRequires: gcc gtest-devel @@ -86,6 +87,7 @@ find -name .gitignore -delete %if %{with pzstd} %patch1 -p1 %endif +%patch2 -p1 %build export CFLAGS="$RPM_OPT_FLAGS" @@ -153,6 +155,9 @@ install -D -m644 programs/%{name}.1 %{buildroot}%{_mandir}/man1/p%{name}.1 %ldconfig_scriptlets -n lib%{name} %changelog +* Tue Jan 11 2022 Pádraig Brady - 1.5.1-6 +- Re-enable CET protections (#2039353) + * Fri Jan 07 2022 Michel Alexandre Salim - 1.5.1-5 - Enable gz, .xz/.lzma and .lz4 support
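Review bot: `Patch2: enable-CET.patch` is added without any record of where the patch comes from, so a later rebase cannot tell whether it is already contained in the new upstream tarball. The patch header names commit cd7620a730413a48843e175d34dc408c152f8125 by H.J. Lu, which looks like an upstream zstd change; a comment above the tag such as `# Upstream commit cd7620a730 (x86-64: Enable Intel CET); drop once Version includes it` would make that traceable. The preamble section continues outside the hunk.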
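Review bot: Nothing after `%patch2 -p1` checks that the built library really ends up CET-marked, so the regression this release fixes (the changelog entry says "Re-enable") could recur unnoticed, because the linker drops the property silently as soon as one input object lacks the note. A `%check` step guarded for x86 would catch that, for example `readelf -n <built lib%{name} shared object> | grep -q 'IBT, SHSTK'`, where the path is a placeholder to fill in from the install section. This also assumes `$RPM_OPT_FLAGS` carries `-fcf-protection`, which the `export CFLAGS` line in `%build` does not show. The `%prep` and `%build` sections start and end outside the hunk.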