diff --git a/.annobin.metadata b/.annobin.metadata index 37f887f..7dcffa3 100644 --- a/.annobin.metadata +++ b/.annobin.metadata @@ -1 +1 @@ -614adb91b1cfdafd70be85afc8d77bc10e39c959 SOURCES/annobin-8.64.tar.xz +a1168f411d26bb7f0a7c950ee98d0a1fd2fb856d SOURCES/annobin-8.78.tar.xz diff --git a/.gitignore b/.gitignore index e3e599a..8bc2739 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/annobin-8.64.tar.xz +SOURCES/annobin-8.78.tar.xz diff --git a/SPECS/annobin.spec b/SPECS/annobin.spec index 576a9cb..028ef3e 100644 --- a/SPECS/annobin.spec +++ b/SPECS/annobin.spec @@ -1,8 +1,14 @@ -# Suppress this for BZ 1630550. -# The problem should now only arise when rebasing to a new major version -# of gcc, in which case the undefine below can be temporarily reinstated. -# +Name: annobin +Summary: Binary annotation plugin for GCC +Version: 8.78 +Release: 1%{?dist} + +License: GPLv3+ +URL: https://fedoraproject.org/wiki/Toolchain/Watermark +# Maintainer: nickc@redhat.com + + # # Do not build the annobin plugin with annotation enabled. # # This is because if we are bootstrapping a new build environment we can have # # a new version of gcc installed, but without a new of annobin installed. @@ -11,16 +17,13 @@ # # version, the old plugin will complain that version of gcc for which it # # was built is different from the version of gcc that is now being used, and # # then it will abort. +# +# Suppress this for BZ 1630550. +# The problem should now only arise when rebasing to a new major version +# of gcc, in which case the undefine below can be temporarily reinstated. +# # %%undefine _annotated_build -Name: annobin -Summary: Binary annotation plugin for GCC -Version: 8.64 -Release: 1%{?dist} - -License: GPLv3+ -URL: https://fedoraproject.org/wiki/Toolchain/Watermark - # Use "--without tests" to disable the testsuite. The default is to run them. %bcond_without tests @@ -29,11 +32,12 @@ URL: https://fedoraproject.org/wiki/Toolchain/Watermark # Set this to zero to disable the requirement for a specific version of gcc. # This should only be needed if there is some kind of problem with the version -# checking logic. +# checking logic or when building on RHEL-7 or earlier. %global with_hard_gcc_version_requirement 1 #--------------------------------------------------------------------------------- -Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz +# Source: https://nickc.fedorapeople.org/annobin-%%{version}.tar.xz +Source: annobin-%{version}.tar.xz # For the latest sources use: git clone git://sourceware.org/git/annobin.git # Insert patches here, if needed. @@ -41,47 +45,6 @@ Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz #--------------------------------------------------------------------------------- -BuildRequires: gcc gcc-plugin-devel gcc-c++ - -%description -Provides a plugin for GCC that records extra information in the files -that it compiles and a set of scripts that can analyze the recorded -information. - -Note - the plugin is automatically enabled in gcc builds via flags -provided by the redhat-rpm-macros package. - -#--------------------------------------------------------------------------------- -%if %{with tests} - -%package tests -Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin - -%description tests -Provides a means to test the generation of annotated binaries and the parsing -of the resulting files. - -%endif - -#--------------------------------------------------------------------------------- -%if %{with annocheck} - -%package annocheck -Summary: A tool for checking the security hardening status of binaries - -BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel - -%description annocheck -Installs the annocheck program which uses the notes generated by annobin to -check that the specified files were compiled with the correct security -hardening options. - -%endif - -#--------------------------------------------------------------------------------- - -%global ANNOBIN_PLUGIN_DIR %(gcc --print-file-name=plugin) - # [Stolen from gcc-python-plugin] # GCC will only load plugins that were built against exactly that build of GCC # We thus need to embed the exact GCC version as a requirement within the @@ -115,25 +78,75 @@ hardening options. # # The following implements the above: -%global gcc_vr %(gcc --version | head -n 1 | sed -e 's|.*(Red\ Hat\ ||g' | sed -e 's|)$||g') +%global gcc_vr %(gcc --version | head -n 1 | sed -e 's|.*(Red\ Hat\ ||g' -e 's|)$||g') + +# We need the major version of gcc. +%global gcc_major %(echo "%{gcc_vr}" | cut -f1 -d".") +%global gcc_next %(v="%{gcc_major}"; echo $((++v))) + +# Needed when building the srpm. +%if 0%{?gcc_major} == 0 +%global gcc_major 0 +%endif # This is a gcc plugin, hence gcc is required. %if %{with_hard_gcc_version_requirement} -Requires: gcc == %{gcc_vr} -BuildRequires: gcc == %{gcc_vr} +# BZ 1607430 - There is an exact requirement on the major version of gcc. +Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next}) %else Requires: gcc %endif +BuildRequires: gcc gcc-plugin-devel gcc-c++ + +%description +Provides a plugin for GCC that records extra information in the files +that it compiles. + +Note - the plugin is automatically enabled in gcc builds via flags +provided by the redhat-rpm-macros package. + #--------------------------------------------------------------------------------- +%if %{with tests} -%prep +%package tests +Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin + +%description tests +Provides a means to test the generation of annotated binaries and the parsing +of the resulting files. +%endif + +#--------------------------------------------------------------------------------- +%if %{with annocheck} + +%package annocheck +Summary: A tool for checking the security hardening status of binaries + +BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel + +%description annocheck +Installs the annocheck program which uses the notes generated by annobin to +check that the specified files were compiled with the correct security +hardening options. + +%endif + +#--------------------------------------------------------------------------------- + +%global ANNOBIN_PLUGIN_DIR %(gcc --print-file-name=plugin) + +#--------------------------------------------------------------------------------- + +%prep if [ -z "%{gcc_vr}" ]; then echo "*** Missing gcc_vr spec file macro, cannot continue." >&2 exit 1 fi +echo "Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next})" + %autosetup -p1 # The plugin has to be configured with the same arcane configure @@ -157,7 +170,10 @@ touch doc/annobin.info # that it should be OK. cp plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so make -C plugin clean -make -C plugin CXXFLAGS="%{optflags} -fplugin=%{_tmppath}/tmp_annobin.so -fplugin-arg-tmp_annobin-rename" +BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so -fplugin-arg-tmp_annobin-rename" +# If building on RHEL7, enable the next option as the .attach_to_group assembler pseudo op is not available in the assembler. +# BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach" +make -C plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" rm %{_tmppath}/tmp_annobin.so #--------------------------------------------------------------------------------- @@ -170,7 +186,11 @@ rm %{_tmppath}/tmp_annobin.so %if %{with tests} %check +# On RHEL7 the assembler does not support all of the annobin tests. make check +if [ -f tests/test-suite.log ]; then + cat tests/test-suite.log +fi %endif #--------------------------------------------------------------------------------- @@ -200,6 +220,76 @@ make check #--------------------------------------------------------------------------------- %changelog +* Tue Aug 06 2019 Nick Clifton - 8.78-1 +- Fix a memory allocation error in the annobin plugin. (#1737306) + +* Mon Aug 05 2019 Nick Clifton - 8.77-2 +- NVR bump to allow rebuilding against latest gcc. + +* Mon Jun 24 2019 Nick Clifton - 8.77-1 +- Another attempt at fixing the detection and reporting of missing -D_FORTIFY_SOURCE options. (#1703500) + +* Thu Jun 13 2019 Nick Clifton - 8.76-2 +- Release bump in order to allow rebuild against latest version of gcc in RHEL-8 buildroot. (#1720179) + +* Tue Jun 04 2019 Nick Clifton - 8.76-1 +- Report a missing -D_FORTIFY_SOUCRE option if -D_GLIBCXX_ASSERTIONS was detected. (#1703500) +- Do not report problems with -fstack-protection if the binary was not built by gcc or clang. (#1703788) +- Add tests of clang command line options recorded in the DW_AT_producer attribute. + +* Fri May 10 2019 Nick Clifton - 8.73-2 +- Release bump in order to allow rebuild against latest version of gcc in RHEL-8 buildroot. (#1657912) + +* Wed Apr 24 2019 Nick Clifton - 8.73-1 +- Fix test for an executable stack segment. (#1700924) + +* Thu Feb 28 2019 Nick Clifton - 8.71-1 +- Annobin: Suppress more calls to free() which are triggering memory checker errors. (#1684148) + +* Fri Feb 01 2019 Nick Clifton - 8.70-1 +- Add section flag matching ability to section size tool. + +* Thu Jan 31 2019 Fedora Release Engineering - 8.69-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Jan 29 2019 Björn Esser - 8.69-6 +- Use 'with' for rich dependency on gcc + +* Tue Jan 29 2019 Björn Esser - 8.69-5 +- Really fix rhbz#1607430. + +* Mon Jan 28 2019 Björn Esser - 8.69-4 +- Rebuilt with annotations enabled + +* Mon Jan 28 2019 Björn Esser - 8.69-3 +- Fix rpm query for gcc version. + +* Mon Jan 28 2019 Nick Clifton - 8.69-2 +- Add an exact requirement on the major version of gcc. (#1607430) + +* Thu Jan 24 2019 Nick Clifton - 8.69-1 +- Annobin: Add support for .text.startup and .text.exit sections generated by gcc 9. +- Annocheck: Add a note displaying tool. + +* Wed Jan 23 2019 Nick Clifton - 8.68-1 +- Annocheck: Skip checks for -D_FORTIFY_SOURCE and -D_GLIBCXX_ASSERTIONS if there is no compiler generated code in the binary. + +* Mon Jan 21 2019 Björn Esser - 8.67-3 +- Rebuilt with annotations enabled + +* Mon Jan 21 2019 Björn Esser - 8.67-2 +- Rebuilt for GCC 9 + +* Thu Jan 17 2019 Nick Clifton - 8.67-1 +- Annocheck: Only skip specific checks for specific symbols. (#1666823) +- Annobin: Record the setting of the -fomit-frame-pointer option. (#1657912) + +* Wed Jan 02 2019 Nick Clifton - 8.66-1 +- Annocheck: Do not ignore -Og when checking to see if an optimization level has been set. (#1624162) + +* Tue Dec 11 2018 Nick Clifton - 8.65-1 +- Annobin: Fix handling of multiple .text.unlikely sections. + * Fri Nov 30 2018 Nick Clifton - 8.64-1 - Annocheck: Skip gaps in PPC64 executables covered by start_bcax_ symbols. (#1630564)