diff --git a/rpmlint-all-pie.patch b/rpmlint-all-pie.patch
new file mode 100644
index 0000000..b713752
--- /dev/null
+++ b/rpmlint-all-pie.patch
@@ -0,0 +1,25 @@
+Index: rpmlint-rpmlint-1.8/BinariesCheck.py
+===================================================================
+--- rpmlint-rpmlint-1.8.orig/BinariesCheck.py
++++ rpmlint-rpmlint-1.8/BinariesCheck.py
+@@ -560,6 +560,9 @@ class BinariesCheck(AbstractCheck.Abstra
+ if not is_shobj and pie_exec_re and pie_exec_re.search(fname):
+ printError(pkg, 'non-position-independent-executable',
+ fname)
++ if not is_shobj:
++ printError(pkg, 'position-independent-executable-suggested',
++ fname)
+
+ if bin_info.readelf_error:
+ continue
+@@ -809,6 +812,10 @@ stripping process.''',
+ '''This executable must be position independent. Check that it is built with
+ -fPIE/-fpie in compiler flags and -pie in linker flags.''',
+
++'position-independent-executable-suggested',
++'''This executable should be position independent (all binaries should). Check
++that it is built with -fPIE/-fpie in compiler flags and -pie in linker flags.''',
++
+ 'missing-call-to-setgroups-before-setuid',
+ '''This executable is calling setuid and setgid without setgroups or
+ initgroups. There is a high probability this means it didn't relinquish all
diff --git a/rpmlint-pie-factory.patch b/rpmlint-pie-factory.patch
new file mode 100644
index 0000000..8f363aa
--- /dev/null
+++ b/rpmlint-pie-factory.patch
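Review bot: The added `if not is_shobj:` branch is not exclusive with the `pie_exec_re` check directly above it, so a binary that already gets `non-position-independent-executable` is reported a second time as `position-independent-executable-suggested`; the pie.ref and permissions1.ref updates in rpmlint-pie-factory.patch show both findings for /usr/bin/telnet and /bin/ls. If one finding per binary is intended, write the new branch as `elif not is_shobj:` and drop the two duplicate lines from those reference files. Indentation is lost on this page, so the nesting of the new branch is inferred from the test output, and `is_shobj` is set outside the hunk. The description text could also say why the flag matters, for example `Without PIE the load address of the executable cannot be randomized (ASLR).`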
@@ -0,0 +1,26 @@
+Index: rpmlint-tests-84.87+git20170418.092177d/tests/pie.ref
+===================================================================
+--- rpmlint-tests-84.87+git20170418.092177d.orig/tests/pie.ref
++++ rpmlint-tests-84.87+git20170418.092177d/tests/pie.ref
+@@ -1,4 +1,5 @@
++pie: W: position-independent-executable-suggested /usr/bin/telnet
+ pie: W: permissions-incorrect /bin/mount has mode 0755 but should be 04755
+ pie: E: non-position-independent-executable (Badness: 10000) /usr/bin/telnet
+ pie: W: missing-call-to-setgroups-before-setuid /bin/mount
+-1 packages and 0 specfiles checked; 1 errors, 2 warnings.
++1 packages and 0 specfiles checked; 1 errors, 3 warnings.
+Index: rpmlint-tests-84.87+git20170418.092177d/tests/permissions1.ref
+===================================================================
+--- rpmlint-tests-84.87+git20170418.092177d.orig/tests/permissions1.ref
++++ rpmlint-tests-84.87+git20170418.092177d/tests/permissions1.ref
+@@ -1,3 +1,4 @@
++permissions1: W: position-independent-executable-suggested /bin/ls
+ permissions1: E: permissions-unauthorized-file (Badness: 10000) /etc/permissions.d/test
+ permissions1: W: permissions-missing-verifyscript missing %verify_permissions -e /bin/ls
+ permissions1: W: permissions-missing-verifyscript missing %verify_permissions -e /bin/su
+@@ -8,4 +9,4 @@ permissions1: W: permissions-incorrect-o
+ permissions1: W: permissions-incorrect /bin/su has mode 0755 but should be 04755
+ permissions1: E: permissions-file-setuid-bit (Badness: 10000) /bin/ls is packaged with setuid/setgid bits (04755)
+ permissions1: W: non-position-independent-executable /bin/ls
+-1 packages and 0 specfiles checked; 2 errors, 8 warnings.
++1 packages and 0 specfiles checked; 2 errors, 9 warnings.
diff --git a/rpmlint-pie-leap42.patch b/rpmlint-pie-leap42.patch
new file mode 100644
index 0000000..8d52a9f
--- /dev/null
+++ b/rpmlint-pie-leap42.patch
@@ -0,0 +1,88 @@
+Index: rpmlint-tests-84.87+git20170418.092177d/tests/srv.ref
+===================================================================
+--- rpmlint-tests-84.87+git20170418.092177d.orig/tests/srv.ref
++++ rpmlint-tests-84.87+git20170418.092177d/tests/srv.ref
+@@ -1,4 +1,5 @@
+ srv: E: suse-filelist-forbidden-srv (Badness: 10000) /usr/local/ftp is not allowed in SUSE
+ srv: W: suse-filelist-forbidden-fhs23 /usr/local is not allowed in FHS 2.3
++srv: W: position-independent-executable-suggested /usr/local/ftp/foo
+ srv: W: call-to-mktemp /usr/local/ftp/foo
+-1 packages and 0 specfiles checked; 1 errors, 2 warnings.
++1 packages and 0 specfiles checked; 1 errors, 3 warnings.
+Index: rpmlint-tests-84.87+git20170418.092177d/tests/debug.ref
+===================================================================
+--- rpmlint-tests-84.87+git20170418.092177d.orig/tests/debug.ref
++++ rpmlint-tests-84.87+git20170418.092177d/tests/debug.ref
+@@ -1,5 +1,6 @@
+ debug: W: static-library-without-symtab /usr/lib/foo/t2.a
+ debug: W: static-library-without-debuginfo /usr/lib/foo/t.a
++debug: W: position-independent-executable-suggested /usr/bin/t
+ debug: E: devel-file-in-non-devel-package (Badness: 50) /usr/lib/foo/t.a
+ debug: E: devel-file-in-non-devel-package (Badness: 50) /usr/lib/foo/t2.a
+-1 packages and 0 specfiles checked; 2 errors, 2 warnings.
++1 packages and 0 specfiles checked; 2 errors, 3 warnings.
+Index: rpmlint-tests-84.87+git20170418.092177d/tests/game.ref
+===================================================================
+--- rpmlint-tests-84.87+git20170418.092177d.orig/tests/game.ref
++++ rpmlint-tests-84.87+git20170418.092177d/tests/game.ref
+@@ -1,5 +1,7 @@
+ game: E: suse-filelist-forbidden-games (Badness: 10000) /usr/games/lib/blub is not allowed in SUSE
+ game: E: suse-filelist-forbidden-games (Badness: 10000) /usr/games/lib is not allowed in SUSE
++game: W: position-independent-executable-suggested /usr/games/foo
++game: W: position-independent-executable-suggested /usr/games/lib/blub
+ game: W: call-to-mktemp /usr/games/foo
+ game: W: call-to-mktemp /usr/games/lib/blub
+-1 packages and 0 specfiles checked; 2 errors, 2 warnings.
++1 packages and 0 specfiles checked; 2 errors, 4 warnings.
+Index: rpmlint-tests-84.87+git20170418.092177d/tests/debug2.ref
+===================================================================
+--- rpmlint-tests-84.87+git20170418.092177d.orig/tests/debug2.ref
++++ rpmlint-tests-84.87+git20170418.092177d/tests/debug2.ref
+@@ -1,4 +1,5 @@
+ debug2: W: static-library-without-symtab /usr/lib/foo/t2.a
++debug2: W: position-independent-executable-suggested /usr/bin/t
+ debug2: E: devel-file-in-non-devel-package (Badness: 50) /usr/lib/foo/t.a
+ debug2: E: devel-file-in-non-devel-package (Badness: 50) /usr/lib/foo/t2.a
+-1 packages and 0 specfiles checked; 2 errors, 1 warnings.
++1 packages and 0 specfiles checked; 2 errors, 2 warnings.
+Index: rpmlint-tests-84.87+git20170418.092177d/tests/chroot.ref
+===================================================================
+--- rpmlint-tests-84.87+git20170418.092177d.orig/tests/chroot.ref
++++ rpmlint-tests-84.87+git20170418.092177d/tests/chroot.ref
+@@ -1,2 +1,4 @@
++chroot: W: position-independent-executable-suggested /usr/bin/call_chroot_with_chdir
++chroot: W: position-independent-executable-suggested /usr/bin/call_chroot
+ chroot: W: missing-call-to-chdir-with-chroot /usr/bin/call_chroot
+-1 packages and 0 specfiles checked; 0 errors, 1 warnings.
++1 packages and 0 specfiles checked; 0 errors, 3 warnings.
+Index: rpmlint-tests-84.87+git20170418.092177d/tests/debug1.ref
+===================================================================
+--- rpmlint-tests-84.87+git20170418.092177d.orig/tests/debug1.ref
++++ rpmlint-tests-84.87+git20170418.092177d/tests/debug1.ref
+@@ -1,5 +1,6 @@
+ debug1: W: static-library-without-symtab /usr/lib/foo/t2.a
+ debug1: W: static-library-without-debuginfo /usr/lib/foo/t.a
++debug1: W: position-independent-executable-suggested /usr/bin/t
+ debug1: E: devel-file-in-non-devel-package (Badness: 50) /usr/lib/foo/t.a
+ debug1: E: devel-file-in-non-devel-package (Badness: 50) /usr/lib/foo/t2.a
+-1 packages and 0 specfiles checked; 2 errors, 2 warnings.
++1 packages and 0 specfiles checked; 2 errors, 3 warnings.
+Index: rpmlint-tests-84.87+git20170418.092177d/tests/gethostbyname.ref
+===================================================================
+--- rpmlint-tests-84.87+git20170418.092177d.orig/tests/gethostbyname.ref
++++ rpmlint-tests-84.87+git20170418.092177d/tests/gethostbyname.ref
+@@ -1,7 +1,13 @@
++gethostbyname: W: position-independent-executable-suggested /usr/bin/call_gethostbyaddr
++gethostbyname: W: position-independent-executable-suggested /usr/bin/call_gethostbyname2
++gethostbyname: W: position-independent-executable-suggested /usr/bin/call_gethostbyname
++gethostbyname: W: position-independent-executable-suggested /usr/bin/call_gethostbyname2_r
++gethostbyname: W: position-independent-executable-suggested /usr/bin/call_gethostbyaddr_r
++gethostbyname: W: position-independent-executable-suggested /usr/bin/call_gethostbyname_r
+ gethostbyname: I: binary-or-shlib-calls-gethostbyname /usr/bin/call_gethostbyaddr
+ gethostbyname: I: binary-or-shlib-calls-gethostbyname /usr/bin/call_gethostbyname2
+ gethostbyname: I: binary-or-shlib-calls-gethostbyname /usr/bin/call_gethostbyname
+ gethostbyname: I: binary-or-shlib-calls-gethostbyname /usr/bin/call_gethostbyname2_r
+ gethostbyname: I: binary-or-shlib-calls-gethostbyname /usr/bin/call_gethostbyaddr_r
+ gethostbyname: I: binary-or-shlib-calls-gethostbyname /usr/bin/call_gethostbyname_r
+-1 packages and 0 specfiles checked; 0 errors, 0 warnings.
++1 packages and 0 specfiles checked; 0 errors, 6 warnings.
diff --git a/rpmlint-tests.changes b/rpmlint-tests.changes
index bce8faa..7be06f2 100644
--- a/rpmlint-tests.changes
+++ b/rpmlint-tests.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sun Jul 2 16:30:01 UTC 2017 - meissner@suse.com
+
+- rpmlint-pie-leap42.patch, rpmlint-pie-factory.patch:
+ adjust testsuite to match new PIE warning, for both
+ Leap 42.3 and Factory.
+
 -------------------------------------------------------------------
 Tue Apr 18 13:49:18 UTC 2017 - opensuse-packaging@opensuse.org
diff --git a/rpmlint-tests.spec b/rpmlint-tests.spec
index 85fb04c..199ba4c 100644
--- a/rpmlint-tests.spec
+++ b/rpmlint-tests.spec
@@ -32,6 +32,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Url: http://www.opensuse.org/
 Source: rpmlint-tests-%version.tar.xz
 Patch1: 0001-Update-varrun-test-for-Leap-42.2-severity-reduction.patch
+Patch2: rpmlint-pie-leap42.patch
+Patch3: rpmlint-pie-factory.patch
 %description
 This package doesn't actually contain any files and is not meant to
@@ -43,6 +45,10 @@ regression tests against rpmlint(-mini).
 %if 0%{?sle_version} >= 120200
 %patch1 -p1
 %endif
+%if 0%{?suse_version} < 1330
+%patch2 -p1
+%endif
+%patch3 -p1
 %build
 mkdir rpms
@@ -50,7 +56,4 @@ make test
 %install
-%clean
-rm -rf %buildroot
-
 %changelog
diff --git a/rpmlint.changes b/rpmlint.changes
index bb2d0b0..1001908 100644
--- a/rpmlint.changes
+++ b/rpmlint.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jun 22 08:33:11 UTC 2017 - meissner@suse.com
+
+- rpmlint-all-pie.patch: for non-PIE built binaries emit a warning
+ to suggest build them as PIE.
+
 -------------------------------------------------------------------
 Tue Jun 6 18:33:56 UTC 2017 - marec@detebe.org
diff --git a/rpmlint.spec b/rpmlint.spec
index ff03eb0..8994d8b 100644
--- a/rpmlint.spec
+++ b/rpmlint.spec
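Review bot: The conditions added in `%prep` do not match what the patch names suggest: `%patch3 -p1` (rpmlint-pie-factory.patch) is applied on every target, while `%patch2 -p1` (rpmlint-pie-leap42.patch) is stacked on top of it only when `0%{?suse_version} < 1330`. A comment above the conditional would make the intent readable, for example `# Patch3: reference output expected on all targets; Patch2: extra warnings seen only on pre-1330 targets`; the reason is presumably the toolchain's PIE default and should be confirmed. Note also that `0%{?suse_version}` expands to `0` when the macro is undefined, so a build without `suse_version` takes the Leap branch. The `%prep` section starts outside this hunk.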
@@ -125,6 +125,7 @@ Patch67: suse-readd_terminator_in_regex.patch
 Patch68: boo1027577-license_tag.patch
 # Fix check for 'missing-call-to-chdir-with-chroot' on ARM, relax check on PPC
 Patch69: BinariesCheck_fix_chroot_check_on_non_x86.patch
+Patch70: rpmlint-all-pie.patch
 # PATCHLIST END
 # BuildArch must at the end. is a bug: https://bugzilla.suse.com/show_bug.cgi?id=926766
 BuildArch: noarch