Accepting request 109859 from home:mseben:branches:Virtualization

use pie/fPIE for setuid binaries (vbox-fpie.diff) (bnc#743143)

OBS-URL: https://build.opensuse.org/request/show/109859
OBS-URL: https://build.opensuse.org/package/show/Virtualization/virtualbox?expand=0&rev=78

vbox-fpie.diff

@@ -0,0 +1,20 @@
+Index: VirtualBox-4.1.8_OSE/Config.kmk
+===================================================================
+--- VirtualBox-4.1.8_OSE.orig/Config.kmk
++++ VirtualBox-4.1.8_OSE/Config.kmk
+@@ -3368,10 +3368,13 @@ TEMPLATE_VBOXR3HARDENEDEXE_LDFLAGS.darwi
+ ifeq ($(KBUILD_TARGET),linux)
+ # not necessary except USE_LIB_PCAP is defined in SUPR3HardenedMain.cpp
+ # TEMPLATE_VBOXR3HARDENEDEXE_LIBS += cap
++ TEMPLATE_VBOXR3HARDENEDEXE_CXXFLAGS.linux = $(TEMPLATE_VBOXR3EXE_CXXFLAGS.linux) -fPIE
++ TEMPLATE_VBOXR3HARDENEDEXE_CFLAGS.linux = $(TEMPLATE_VBOXR3EXE_CFLAGS.linux) -fPIE
++ TEMPLATE_VBOXR3HARDENEDEXE_LDFLAGS.linux = $(TEMPLATE_VBOXR3EXE_LDFLAGS.linux) -pie
+ endif
+ ifn1of ($(KBUILD_TARGET), win os2)
+- TEMPLATE_VBOXR3HARDENEDEXE_LDFLAGS       = $(filter-out '$(VBOX_GCC_RPATH_OPT)%,$(TEMPLATE_VBOXR3EXE_LDFLAGS))
+- TEMPLATE_VBOXR3HARDENEDEXE_LDFLAGS.linux = $(filter-out $(VBOX_GCC_ORIGIN_OPT),$(TEMPLATE_VBOXR3EXE_LDFLAGS.linux))
++ TEMPLATE_VBOXR3HARDENEDEXE_LDFLAGS       = $(filter-out '$(VBOX_GCC_RPATH_OPT)%,$(TEMPLATE_VBOXR3EXE_LDFLAGS)) -pie
++ TEMPLATE_VBOXR3HARDENEDEXE_LDFLAGS.linux = $(filter-out $(VBOX_GCC_ORIGIN_OPT),$(TEMPLATE_VBOXR3EXE_LDFLAGS.linux)) -pie
+ endif
+ 
+ #

virtualbox.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Sun Mar 18 08:18:34 UTC 2012 - mseben@gmail.com
+
+- use pie/fPIE for setuid binaries (vbox-fpie.diff) (bnc#743143) 
+
 -------------------------------------------------------------------
 Wed Mar 14 20:45:06 UTC 2012 - mseben@gmail.com
 

virtualbox.spec

@@ -29,12 +29,11 @@ BuildRequires:  hal-devel
 %if %suse_version >= 1210
 BuildRequires:  glibc-devel-static
 %endif
-%if %suse_version > 1210
 #gsoap and java needed for building webservice
 BuildRequires:  gsoap-devel
 BuildRequires:  libgsoap-devel
 BuildRequires:  java-1_6_0-openjdk-devel
-%endif
+#
 BuildRequires:  LibVNCServer-devel
 BuildRequires:  SDL-devel
 BuildRequires:  bin86
@@ -131,6 +130,8 @@ Patch101:       vbox-default-os-type.diff
 Patch102:       kernel-3.3.patch
 #disable update in vbox gui
 Patch103:       vbox-disable-updates.diff
+#use pie/fPIE for setuid binaries (bnc#743143) 
+Patch104:       vbox-fpie.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         pwdutils permissions
 Requires:       %{name}-host-kmp = %version
@@ -254,6 +255,7 @@ Development file for %{name}
 %patch101
 %patch102 -p1
 %patch103
+%patch104 -p1
 #copy user manual
 %__cp %{S:1} ./UserManual.pdf
 
@@ -277,7 +279,7 @@ source env.sh
 #  	VBOX_PATH_PACKAGE_DOCS set propper path for link to pdf in .desktop file
 # 	VBOX_WITH_REGISTRATION_REQUEST= VBOX_WITH_UPDATE_REQUEST= just disable some functionality in gui
 echo "build basic parts"
-/usr/bin/kmk %{?_smp_mflags} VBOX_JAVA_HOME=/usr/%{_lib}/jvm/java-1.6.0-openjdk-1.6.0/ VBOX_GCC_WERR= KBUILD_VERBOSE=2 VBOX_WITH_REGISTRATION_REQUEST= VBOX_WITH_UPDATE_REQUEST= TOOL_YASM_AS=yasm VBOX_PATH_PACKAGE_DOCS=/usr/share/doc/packages/virtualbox all
+/usr/bin/kmk %{?_smp_mfalgs} VBOX_JAVA_HOME=/usr/%{_lib}/jvm/java-1.6.0-openjdk-1.6.0/ VBOX_GCC_WERR= KBUILD_VERBOSE=2 VBOX_WITH_REGISTRATION_REQUEST= VBOX_WITH_UPDATE_REQUEST= TOOL_YASM_AS=yasm VBOX_PATH_PACKAGE_DOCS=/usr/share/doc/packages/virtualbox all
 #
 # build kernel modules for guest and host (check novel-kmp package as example)
 # host  modules : vboxdrv,vboxnetflt,vboxnetadp