Marcus Meissner
ff3493d16b
- update to 1.19.3 (bsc#1189929, CVE-2021-37750): * Fix a denial of service attack against the KDC [CVE-2021-37750]. * Fix KDC null deref on TGS inner body null server * Fix conformance issue in GSSAPI tests OBS-URL: https://build.opensuse.org/request/show/967999 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=257
73 lines
3.4 KiB
Diff
73 lines
3.4 KiB
Diff
From 48abdf7c7b28611c1135b35dfa23ac61899e80b2 Mon Sep 17 00:00:00 2001
|
|
From: Robbie Harwood <rharwood@redhat.com>
|
|
Date: Tue, 23 Aug 2016 16:45:26 -0400
|
|
Subject: [PATCH 3/8] Adjust build configuration
|
|
|
|
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
|
|
and install shared libraries with the execute bit set on them. Prune out
|
|
the -L/usr/lib* and PIE flags where they might leak out and affect
|
|
apps which just want to link with the libraries. FIXME: needs to check and
|
|
not just assume that the compiler supports using these flags.
|
|
|
|
Last-updated: krb5-1.15-beta1
|
|
---
|
|
src/build-tools/krb5-config.in | 7 +++++++
|
|
src/config/pre.in | 2 +-
|
|
src/config/shlib.conf | 5 +++--
|
|
3 files changed, 11 insertions(+), 3 deletions(-)
|
|
|
|
Index: krb5-1.19.3/src/build-tools/krb5-config.in
|
|
===================================================================
|
|
--- krb5-1.19.3.orig/src/build-tools/krb5-config.in
|
|
+++ krb5-1.19.3/src/build-tools/krb5-config.in
|
|
@@ -224,6 +224,13 @@ if test -n "$do_libs"; then
|
|
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
|
|
-e 's#\$(CFLAGS)##'`
|
|
|
|
+ if test `dirname $libdir` = /usr ; then
|
|
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
|
|
+ fi
|
|
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
|
|
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
|
|
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
|
|
+
|
|
if test $library = 'kdb'; then
|
|
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
|
|
library=krb5
|
|
Index: krb5-1.19.3/src/config/pre.in
|
|
===================================================================
|
|
--- krb5-1.19.3.orig/src/config/pre.in
|
|
+++ krb5-1.19.3/src/config/pre.in
|
|
@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
|
|
INSTALL_SCRIPT=@INSTALL_PROGRAM@
|
|
INSTALL_DATA=@INSTALL_DATA@
|
|
INSTALL_SHLIB=@INSTALL_SHLIB@
|
|
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
|
|
+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
|
|
## This is needed because autoconf will sometimes define @exec_prefix@ to be
|
|
## ${prefix}.
|
|
prefix=@prefix@
|
|
Index: krb5-1.19.3/src/config/shlib.conf
|
|
===================================================================
|
|
--- krb5-1.19.3.orig/src/config/shlib.conf
|
|
+++ krb5-1.19.3/src/config/shlib.conf
|
|
@@ -424,7 +424,7 @@ mips-*-netbsd*)
|
|
# Linux ld doesn't default to stuffing the SONAME field...
|
|
# Use objdump -x to examine the fields of the library
|
|
# UNDEF_CHECK is suppressed by --enable-asan
|
|
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
|
|
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel'
|
|
UNDEF_CHECK='-Wl,--no-undefined'
|
|
# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
|
|
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
|
|
@@ -436,7 +436,8 @@ mips-*-netbsd*)
|
|
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
|
|
PROFFLAGS=-pg
|
|
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
|
|
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
|
|
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
|
|
+ INSTALL_SHLIB='${INSTALL} -m755'
|
|
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
|
|
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
|
|
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
|