From 56dfec1918e77fc905d31ee63dc804f392a27174 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Jan=20R=C4=99korajski?=
Date: Tue, 30 Oct 2018 23:07:26 +0100
Subject: [PATCH] - add macro to check ELF file for executable stack (see https://www.openwall.com/lists/oss-security/2018/10/22/3 and followup) - up to 1.735

---
 rpm-build-macros.spec | 4 ++--
 rpm.macros | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/rpm-build-macros.spec b/rpm-build-macros.spec
index 239faa4..90b0fef 100644
--- a/rpm-build-macros.spec
+++ b/rpm-build-macros.spec
@@ -1,10 +1,10 @@
-%define rpm_macros_rev 1.734
+%define rpm_macros_rev 1.735
 %define find_lang_rev 1.40
 Summary: PLD Linux RPM build macros
 Summary(pl.UTF-8): Makra do budowania pakietów RPM dla Linuksa PLD
 Name: rpm-build-macros
 Version: %{rpm_macros_rev}
-Release: 2
+Release: 1
 License: GPL
 Group: Development/Building
 Source0: rpm.macros
diff --git a/rpm.macros b/rpm.macros
index 896c953..4baa339 100644
--- a/rpm.macros
+++ b/rpm.macros
@@ -745,6 +745,31 @@ __spec_install_post_check_so() { \
 %{!?no_install_post_check_so:return $fail;} \
 }; __spec_install_post_check_so }}
+#-----------------------------------------------------------------
+# Find all ELF files with executable stac. Warn and terminate if any found
+# (termination can be turned off by define).
+#%no_install_post_check_stackexec 1
+#%skip_post_check_stackexec libwithexecstackok.so.*
+#
+# NOTE: define skip_post_check_stackexec only if such program or library
+# really requires executable stack and always leave a comment why
+# it is required:
+# # Programs full of nested functions that cannot be fixed
+# %define skip_post_check_execstack /bin/foo libwithexecstack.so.*
+#
+%__spec_install_post_check_execstack { \
+__spec_install_post_check_execstack() { \
+%{!?debug:set +x;} \
+ fail=0; \
+ printf "Searching for ELF programs with executable stack..."; \
+ for f in $(find $RPM_BUILD_ROOT -type f -print) ; do \
+ LC_ALL=C readelf -lW $f 2>/dev/null | \
+ LC_ALL=C awk -v "file=$f" 'BEGIN { found=0; } /GNU_STACK/ { if ($7 ~ "E") { found=1 } } END { if (found) { print "\nExecutable stack found in: " file; %{?skip_post_check_execstack:split("%{skip_post_check_execstack}", R); for (i=1; i in R; i++) { if (file ~ "(^|/)" R[i] "$") { print "File marked with skip_post_check_execstack, ignoring errors.\n"; exit(0); } } } exit(1); } }' || fail=1 ; \
+ done ; \
+ echo " DONE"; \
+ %{!?no_install_post_check_execstack:return $fail;} \
+}; __spec_install_post_check_execstack }}
+
 #-----------------------------------------------------------------
 # Verify that for each directory under /var/run package contains
 # tmpfiles.d configuration. Warn and terminate build if config is
-- 
2.43.0
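Review bot: The usage comment at the top of the new block names macros the code never reads: it documents `#%no_install_post_check_stackexec 1` and `#%skip_post_check_stackexec libwithexecstackok.so.*` (and "stackexec" again in the NOTE), while the shell body expands `%{?skip_post_check_execstack}` and `%{!?no_install_post_check_execstack:return $fail;}`, so a packager who follows the comment gets a check that neither skips a file nor stops failing the build; the two comment lines should read `#%no_install_post_check_execstack 1` and `#%skip_post_check_execstack libwithexecstackok.so.*`, and "stac" in the first line is missing its k. The `/bin/foo` example in the NOTE cannot match either: each entry is compared as the awk regex `"(^|/)" R[i] "$"` against the full `$RPM_BUILD_ROOT` path, so a leading slash would require `//bin/foo` in the path — the example should be `bin/foo`, and a one-line comment that entries are awk regexes (an unescaped `.` matches any character), not shell globs, would prevent the next surprise. The `for f in $(find $RPM_BUILD_ROOT -type f -print)` loop word-splits on whitespace and then passes `$f` unquoted to readelf, so a path containing a space is silently skipped, i.e. the check fails open for exactly that file; `find "$RPM_BUILD_ROOT" -type f -print0 | while IFS= read -r -d '' f` with `"$f"` quoted in both the readelf and awk invocations closes that. Finally, only a `GNU_STACK` line whose flags contain `E` is reported, while an ELF with no PT_GNU_STACK program header at all is presumably treated as executable-stack by the loader on some architectures and kernel versions; recording whether any `GNU_STACK` line was seen and flagging an `Elf file type` header that has none would cover that case, at the cost of a few more hits to audit.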