Accepting request 1304321 from security

- update to version 2.25.19:
  - no changes in hardening-check, this is just to silence the
    "download_files" service, which wasn't able to download the version
    2.25.15 tarball, which got deleted upstream.

- update to version 2.25.15:
  - this is now based on hardening-check found in Debian's devscripts package.
  - the standalone hardening-check package no longer exists.
  - drop perl_regex.patch no longer needed.
  - adjust to new build system complexities:
    - add makefile_fixes.patch: cut out Debian specific parts
    - add avoid_pod2man_errors.patch: silence some error diagnostics in
      Docbook sources for man pages.
  - the new version has additional support for new fortify source macros and
    branch protection checks.

OBS-URL: https://build.opensuse.org/request/show/1304321
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/hardening-check?expand=0&rev=5

avoid_pod2man_errors.patch

@@ -0,0 +1,65 @@
+Index: devscripts/scripts/chdist.pl
+===================================================================
+--- devscripts.orig/scripts/chdist.pl
++++ devscripts/scripts/chdist.pl
+@@ -26,7 +26,7 @@ B<chdist> [I<options>] [I<command>] [I<c
+ B<chdist> [I<options>] I<DIST> I<command> [I<command parameters>]
+ 
+ The second syntax is accepted when the I<DIST> does not match
+-one of the known commands from the list below (see L</COMMANDS>).
++one of the known commands from the list below (see COMMANDS).
+ Then the I<command> may be any program available on the system
+ and anything based on apt will be using the I<DIST> apt data.
+ 
+Index: devscripts/scripts/uscan.pl
+===================================================================
+--- devscripts.orig/scripts/uscan.pl
++++ devscripts/scripts/uscan.pl
+@@ -47,7 +47,7 @@ a directory containing multiple source t
+ 
+ Unless --watchfile is given, B<uscan> looks recursively for valid source
+ trees starting from the current directory (see the below section
+-L<Directory name checking> for details).
++<Directory name checking> for details).
+ 
+ For each valid source tree found, typically the following happens:
+ 
+Index: devscripts/po4a/po/de.po
+===================================================================
+--- devscripts.orig/po4a/po/de.po
++++ devscripts/po4a/po/de.po
+@@ -3774,7 +3774,7 @@ msgstr "B<chdist> [I<Optionen>] [I<Befeh
+ #: ../scripts/chdist.pl:28
+ msgid ""
+ "The second syntax is accepted when the I<DIST> does not match one of the "
+-"known commands from the list below (see L</COMMANDS>).  Then the I<command> "
++"known commands from the list below (see <COMMANDS>).  Then the I<command> "
+ "may be any program available on the system and anything based on apt will be "
+ "using the I<DIST> apt data."
+ msgstr ""
+Index: devscripts/po4a/po/fr.po
+===================================================================
+--- devscripts.orig/po4a/po/fr.po
++++ devscripts/po4a/po/fr.po
+@@ -2889,7 +2889,7 @@ msgstr "B<chdist> [I<options>] I<DIST> [
+ #. type: textblock
+ #: ../scripts/chdist.pl:28
+ msgid ""
+-"The second syntax is accepted when the I<DIST> does not match one of the known commands from the list below (see L</COMMANDS>).  Then the I<command> may be "
++"The second syntax is accepted when the I<DIST> does not match one of the known commands from the list below (see <COMMANDS>).  Then the I<command> may be "
+ "any program available on the system and anything based on apt will be using the I<DIST> apt data."
+ msgstr ""
+ "La seconde syntaxe est acceptée quand I<DIST> ne correspond pas à une commande connue de la liste plus bas (voir L</COMMANDES>). Dans ce cas I<commande> peut "
+Index: devscripts/po4a/po/pt.po
+===================================================================
+--- devscripts.orig/po4a/po/pt.po
++++ devscripts/po4a/po/pt.po
+@@ -3709,7 +3709,7 @@ msgstr "B<chdist> [I<options>] I<DIST> I
+ #: ../scripts/chdist.pl:28
+ msgid ""
+ "The second syntax is accepted when the I<DIST> does not match one of the "
+-"known commands from the list below (see L</COMMANDS>).  Then the I<command> "
++"known commands from the list below (see <COMMANDS>).  Then the I<command> "
+ "may be any program available on the system and anything based on apt will be "
+ "using the I<DIST> apt data."
+ msgstr ""

devscripts_2.25.19.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c0806c245c1acd9f60651a63338470128f997b4bd81ccffbe8e3c89fa66be0db
+size 1156604

hardening-check.changes

@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Fri Sep 12 13:28:08 UTC 2025 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- update to version 2.25.19:
+  - no changes in hardening-check, this is just to silence the
+    "download_files" service, which wasn't able to download the version
+    2.25.15 tarball, which got deleted upstream.
+
+-------------------------------------------------------------------
+Tue Sep  9 09:28:45 UTC 2025 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- update to version 2.25.15:
+  - this is now based on hardening-check found in Debian's devscripts package.
+  - the standalone hardening-check package no longer exists.
+  - drop perl_regex.patch no longer needed.
+  - adjust to new build system complexities:
+    - add makefile_fixes.patch: cut out Debian specific parts
+    - add avoid_pod2man_errors.patch: silence some error diagnostics in
+      Docbook sources for man pages.
+  - the new version has additional support for new fortify source macros and
+    branch protection checks.
+
 -------------------------------------------------------------------
 Thu Feb 22 07:51:16 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 

hardening-check.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package hardening-check
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,14 +12,14 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
 # the hardening checker script belongs to the hardening-wrapper, but we don't
 # need the wrapper parts, it's been discontinued in Debian/Ubuntu recently
 # anyways
-%define upstream_pkg hardening-wrapper
+%define upstream_pkg devscripts
 Name:           hardening-check
 # NOTE: there seems to exists a curious disappeared version 2.7 of
 # hardening-wrapper that is shipped on Gentoo, for example, and also marked as released here:
@@ -29,45 +29,71 @@ Name:           hardening-check
 # checked the differences and they don't concern the checker script, only the
 # wrappers, so we don't need to spend to much work on this and stay with the
 # latest one available on debian FTP
-Version:        2.6
+Version:        2.25.19
 Release:        0
 Requires:       perl
 Summary:        A tool for inspecting low-level hardening characteristics of ELF binaries
-License:        GPL-2.0+
-Url:            http://packages.debian.org/%{upstream_pkg}
-Source0:        http://ftp.debian.org/debian/pool/main/h/%{upstream_pkg}/%{upstream_pkg}_%{version}.tar.xz
+License:        GPL-2.0-or-later
+URL:            http://packages.debian.org/%{upstream_pkg}
+Source0:        http://ftp.debian.org/debian/pool/main/d/%{upstream_pkg}/%{upstream_pkg}_%{version}.tar.xz
 Source1:        hardening-check-rpmlintrc
+Patch0:         avoid_pod2man_errors.patch
+Patch1:         makefile_fixes.patch
+BuildRequires:  docbook-xsl-stylesheets
+BuildRequires:  help2man
+BuildRequires:  po4a
+BuildRequires:  python3-setuptools
 # fixes a syntax error in a perl regex in the Makefile that came up with a
 # newer perl version it seems
-Patch0:         perl_regex.patch
+#Patch0:         perl_regex.patch
 
 %description
 This package contains a Perl script that allows checking
 a number of hardening characteristics of ELF binaries.
 
-This includes checks for PIE executables, stack protection, source
-fortification, read-only relocations and immediate binding.
+This includes checks for:
+
+- PIE executables
+- stack protection
+- source fortification macros
+- read-only relocations
+- immediate binding
+- branch protection
 
 %prep
-%autosetup -p1 -n hardening-wrapper
+%autosetup -p1 -n devscripts-%{version}
+
+# hardening-check is now part of the larger devscripts project, which
+# contains a bunch of Debian-specific utilities. We only want the
+# hardening-check parts. The problem is that the man page is generated during
+# build time, thus we need to run the build system, which gives us some pain,
+# given that we are not Debian.
+
+# The Makefiles contain some hard-coded references to docbook stylesheets we
+# have to adjust.
+XSL_NEEDLE="/usr/share/sgml/docbook/stylesheet/xsl/nwalsh/manpages/docbook.xsl"
+XSL_REPLACE="/usr/share/xml/docbook/stylesheet/nwalsh/1.79.2/manpages/docbook.xsl"
+XSL_EXPR="s:$XSL_NEEDLE:$XSL_REPLACE:g"
+find -type f -name "Makefile" -exec sed -i -e "$XSL_EXPR" {} \;
 
 %build
-# this is to silence make errors but it doesn't influence our package, because
-# the values only influence the wrapper scripts which aren't shipped, we only
-# want the hardening-check script
-
-# the script is also filled with some values from libc during the make step
+# the script is also filled with some values from libc during the `make` step
 # thus this script cannot considered to be noarch, information extracted from
 # libc may differ between archs
 export DEB_HOST_ARCH=`uname -m`
 export DEB_HOST_ARCH_OS=`uname -s`
+# ignore any podchecker errors the hard way (it seems we're using a newer
+# toolchain or a different toolchain which complains about some constructs)
+alias podchecker=true
+# generate a version file from our RPM version information (this would
+# otherwise require a deb-parsechangelog utility).
+echo "%{Version}" >version
 make %{?_smp_mflags}
 
 %install
-# NOTE: there are two variants of the check script, one written in bash, one
-# written in perl. The perl one is more fancy so lets stick with that one
-install -D -m 755 build-tree/hardening-check %{buildroot}%{_bindir}/hardening-check
-install -D -m 644 build-tree/hardening-check.1 %{buildroot}%{_mandir}/man1/hardening-check.1
+# only pick what we need: the script and the man page
+install -D -m 755 scripts/hardening-check %{buildroot}%{_bindir}/hardening-check
+install -D -m 644 scripts/hardening-check.1 %{buildroot}%{_mandir}/man1/hardening-check.1
 
 %files
 %{_bindir}/hardening-check

hardening-wrapper_2.6.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5fc46439646d0929a0605e4f3db67e57eefbbf5ceec5a2888440dbdf4450224
-size 19436

makefile_fixes.patch

@@ -0,0 +1,28 @@
+Index: devscripts/Makefile
+===================================================================
+--- devscripts.orig/Makefile
++++ devscripts/Makefile
+@@ -6,10 +6,6 @@ DESTDIR =
+ 
+ all: version doc make_scripts conf.default translated_manpages
+ 
+-version:
+-	rm -f version
+-	dpkg-parsechangelog -SVersion > version
+-
+ conf.default: conf.default.in version
+ 	rm -f $@ $@.tmp
+ 	VERSION=`cat version` && sed -e "s/###VERSION###/$$VERSION/" $< \
+Index: devscripts/scripts/Makefile
+===================================================================
+--- devscripts.orig/scripts/Makefile
++++ devscripts/scripts/Makefile
+@@ -166,7 +166,7 @@ clean:
+ test: test_pl test_sh test_py
+ 
+ install: all
+-	python3 setup.py install --root="$(DESTDIR)" --no-compile --install-layout=deb
++	python3 setup.py install --root="$(DESTDIR)" --no-compile
+ 	cp $(SCRIPTS) $(DESTDIR)$(BINDIR)
+ 	ln -sf edit-patch $(DESTDIR)$(BINDIR)/add-patch
+ 	install -d $(DESTDIR)$(COMPL_DIR)

perl_regex.patch

@@ -1,15 +0,0 @@
-Index: hardening-check/hardening-wrapper/Makefile
-===================================================================
---- hardening-wrapper.orig/Makefile
-+++ hardening-wrapper/Makefile
-@@ -19,8 +19,8 @@ $(BUILD_TREE)/stamp-build: $(WRAPPERS) $
- 	install $(WRAPPERS) $(BUILD_TREE)/
- 	# Set defaults, based on OS and ARCH.
- 	perl -pi -e 's/ #OS#/ '"$(DEB_HOST_ARCH_OS)"'/; s/ #ARCH#/ '"$(DEB_HOST_ARCH)"'/;' $(BUILD_TREE)/hardened-cc $(BUILD_TREE)/hardened-ld
--	perl -pi -e "s/default{'DEB_BUILD_HARDENING_PIE'}=1;/default{'DEB_BUILD_HARDENING_PIE'}=$(DEFAULT_PIE);/;" $(BUILD_TREE)/hardened-cc $(BUILD_TREE)/hardened-ld
--	perl -pi -e "s/default{'DEB_BUILD_HARDENING_STACKPROTECTOR'}=1;/default{'DEB_BUILD_HARDENING_STACKPROTECTOR'}=$(DEFAULT_STACKPROT);/;" $(BUILD_TREE)/hardened-cc $(BUILD_TREE)/hardened-ld
-+	perl -pi -e "s/default\{'DEB_BUILD_HARDENING_PIE'}=1;/default{'DEB_BUILD_HARDENING_PIE'}=$(DEFAULT_PIE);/;" $(BUILD_TREE)/hardened-cc $(BUILD_TREE)/hardened-ld
-+	perl -pi -e "s/default\{'DEB_BUILD_HARDENING_STACKPROTECTOR'}=1;/default{'DEB_BUILD_HARDENING_STACKPROTECTOR'}=$(DEFAULT_STACKPROT);/;" $(BUILD_TREE)/hardened-cc $(BUILD_TREE)/hardened-ld
- 	# Duplicate cc wrapper to c++.
- 	install $(BUILD_TREE)/hardened-cc $(BUILD_TREE)/hardened-c++
- 	perl -pi -e 's/hardened-cc/hardened-c++/g; s|/usr/bin/cc|/usr/bin/c++|g;' $(BUILD_TREE)/hardened-c++