From 1f6024a0e3452c3e6a380e01f1d6759e01168b1d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 24 2020 03:03:48 +0000
Subject: import annobin-9.19-1.el8
---
diff --git a/.annobin.metadata b/.annobin.metadata
index 251f07a..0901f25 100644
--- a/.annobin.metadata
+++ b/.annobin.metadata
@@ -1 +1 @@
-eafca541590675b6734ff6d5cebfb720eed2e732 SOURCES/annobin-8.90.tar.xz
+36f7f3875f1f588cbc366193527dd6f6d57f5b40 SOURCES/annobin-9.19.tar.xz
diff --git a/.gitignore b/.gitignore
index 80d5723..27b7242 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/annobin-8.90.tar.xz
+SOURCES/annobin-9.19.tar.xz
diff --git a/SPECS/annobin.spec b/SPECS/annobin.spec
index b6b8b43..564eaf9 100644
--- a/SPECS/annobin.spec
+++ b/SPECS/annobin.spec
@@ -1,13 +1,34 @@ Name: annobin -Summary: Binary annotation plugin for GCC -Version: 8.90 -Release: 1%{?dist}.0.1 - +Summary: Annotate and examine compiled binary files +Version: 9.19 +Release: 1%{?dist} License: GPLv3+ -URL: https://fedoraproject.org/wiki/Toolchain/Watermark +# ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark # Maintainer: nickc@redhat.com +#--------------------------------------------------------------------------------- + +# Use "--without tests" to disable the testsuite. +%bcond_without tests + +# Use "--without annocheck" to disable the installation of the annocheck program. +%bcond_without annocheck + +# Use "--with debuginfod" to force support for debuginfod to be compiled into +# the annocheck program. By default the configure script will check for +# availablilty at build time, but this might not match the run time situation. +# FIXME: Add a --without debuginfod option to forcefully disable the configure +# time check for debuginfod support. +%bcond_with debuginfod + +# Use "--with clangplugin" to build the annobin plugin for clang. +%bcond_with clangplugin + +# Set this to zero to disable the requirement for a specific version of gcc. +# This should only be needed if there is some kind of problem with the version +# checking logic or when building on RHEL-7 or earlier. +%global with_hard_gcc_version_requirement 1 # # Do not build the annobin plugin with annotation enabled. # # This is because if we are bootstrapping a new build environment we can have 
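Review bot: The `URL:` tag in the preamble is replaced by the comment `# ProtocolURL: …`, so the built packages no longer carry any URL tag. If the wiki link is meant only as the reference for the watermark protocol, keep that comment and add a separate `URL:` line for the project page. The new debuginfod comment also misspells "availability" as `availablilty`.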
@@ -24,18 +45,8 @@ URL: https://fedoraproject.org/wiki/Toolchain/Watermark # # %%undefine _annotated_build -# Use "--without tests" to disable the testsuite. The default is to run them. -%bcond_without tests - -# Use "--without annocheck" to disable the installation of the annocheck program. -%bcond_without annocheck - -# Set this to zero to disable the requirement for a specific version of gcc. -# This should only be needed if there is some kind of problem with the version -# checking logic or when building on RHEL-7 or earlier. -%global with_hard_gcc_version_requirement 1 - #--------------------------------------------------------------------------------- + # Source: https://nickc.fedorapeople.org/annobin-%%{version}.tar.xz Source: annobin-%{version}.tar.xz # For the latest sources use: git clone git://sourceware.org/git/annobin.git @@ -98,6 +109,9 @@ Requires: gcc %endif BuildRequires: gcc gcc-plugin-devel gcc-c++ +%if %{with clangplugin} +BuildRequires: clang clang-devel llvm llvm-devel +%endif %description Provides a plugin for GCC that records extra information in the files @@ -106,6 +120,10 @@ that it compiles. Note - the plugin is automatically enabled in gcc builds via flags provided by the redhat-rpm-macros package. +%if %{with clangplugin} +Also provides a plugin for clang which performs a similar function. +%endif + #--------------------------------------------------------------------------------- %if %{with tests} @@ -125,6 +143,9 @@ of the resulting files. Summary: A tool for checking the security hardening status of binaries BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel +%if %{with debuginfod} +BuildRequires: elfutils-debuginfod-client-devel +%endif %description annocheck Installs the annocheck program which uses the notes generated by annobin to 
@@ -135,7 +156,15 @@ hardening options. #--------------------------------------------------------------------------------- -%global ANNOBIN_PLUGIN_DIR %(gcc --print-file-name=plugin) +%global ANNOBIN_GCC_PLUGIN_DIR %(gcc --print-file-name=plugin) + +%if %{with clangplugin} +# FIXME: Clang does not appear to have an official plugin directory. +# Instead it just uses dlopen() with no pathname prefix. So we +# construct a (hopefully good) path and rely upon users of annobin +# knowing about this location. +%global ANNOBIN_CLANG_PLUGIN_DIR /usr/lib64/clang/%(clang --dumpversion)/lib +%endif #--------------------------------------------------------------------------------- @@ -145,14 +174,14 @@ if [ -z "%{gcc_vr}" ]; then exit 1 fi -echo "Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next})" +echo "Requires: (gcc >= %{gcc_major} and gcc < %{gcc_next})" %autosetup -p1 # The plugin has to be configured with the same arcane configure # scripts used by gcc. Hence we must not allow the Fedora build # system to regenerate any of the configure files. -touch aclocal.m4 plugin/config.h.in +touch aclocal.m4 gcc-plugin/config.h.in touch configure */configure Makefile.in */Makefile.in # Similarly we do not want to rebuild the documentation. touch doc/annobin.info @@ -160,7 +189,13 @@ touch doc/annobin.info #--------------------------------------------------------------------------------- %build -%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_PLUGIN_DIR} + +%if %{with debuginfod} +%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} --with-debuginfod || cat config.log +%else +%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} || cat config.log +%endif + %make_build # Rebuild the plugin, this time using the plugin itself! This # ensures that the plugin works, and that it contains annotations 
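Review bot: `ANNOBIN_CLANG_PLUGIN_DIR` hard-codes `/usr/lib64` and takes its version component from `%(clang --dumpversion)` when the spec is parsed. On a target where %{_libdir} is not /usr/lib64 the path is wrong, and if clang is absent at parse time it collapses to `/usr/lib64/clang//lib`. Prefer `%global ANNOBIN_CLANG_PLUGIN_DIR %{_libdir}/clang/%(clang --dumpversion)/lib`, and consider failing early in %prep when the expansion is empty, as the spec appears to do for `%{gcc_vr}`.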
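Review bot: Both new `%configure … || cat config.log` lines in %build mask a configure failure, because `cat` exits 0 and the scriptlet then carries on to %make_build with an unconfigured tree. Keep the log dump but propagate the error, e.g. `%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} || { cat config.log; exit 1; }`, and likewise for the `--with-debuginfod` branch. The default branch also passes no debuginfod switch, so per the spec's own FIXME the result depends on what configure finds in the buildroot; that makes the annocheck binary's linkage hard to reproduce.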
@@ -168,35 +203,50 @@ touch doc/annobin.info # double annotations in it. (If the build system enables annotations # for plugins by default). I have not tested this yet, but I think # that it should be OK. -cp plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so -make -C plugin clean +cp gcc-plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so +make -C gcc-plugin clean BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so -fplugin-arg-tmp_annobin-rename" # If building on RHEL7, enable the next option as the .attach_to_group assembler pseudo op is not available in the assembler. # BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach" -make -C plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" +make -C gcc-plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" rm %{_tmppath}/tmp_annobin.so +%if %{with clangplugin} +# FIXME: The symbolic link should not be needed. +ln -f -s ../annobin-global.h clang-plugin +make -C clang-plugin annobin.so +%endif + #--------------------------------------------------------------------------------- %install %make_install %{__rm} -f %{buildroot}%{_infodir}/dir +%if %{with clangplugin} +cp clang-plugin/annobin.so %{ANNOBIN_CLANG_PLUGIN_DIR} +%endif + #--------------------------------------------------------------------------------- %if %{with tests} %check -# On RHEL7 the assembler does not support all of the annobin tests. +# Change the following line to "make check || :" on RHEL7 or if you need to see the +# test suite logs in order to diagnose a test failure. make check if [ -f tests/test-suite.log ]; then cat tests/test-suite.log fi + +%if %{with clangplugin} +# FIXME: Add tests of the clang plugin. +%endif %endif #--------------------------------------------------------------------------------- %files -%{ANNOBIN_PLUGIN_DIR} +%{ANNOBIN_GCC_PLUGIN_DIR} %{_bindir}/built-by %{_bindir}/check-abi %{_bindir}/hardened 
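Review bot: In %install, `cp clang-plugin/annobin.so %{ANNOBIN_CLANG_PLUGIN_DIR}` writes into the build host's live filesystem instead of the staging tree that %make_install fills. The copy should target the staged directory, e.g. `mkdir -p %{buildroot}%{ANNOBIN_CLANG_PLUGIN_DIR}` followed by `cp clang-plugin/annobin.so %{buildroot}%{ANNOBIN_CLANG_PLUGIN_DIR}/`; otherwise the %files entry for that directory has nothing staged to package. Separately, the re-touched %build lines still copy the first-stage plugin to the fixed name `%{_tmppath}/tmp_annobin.so` and then load it with `-fplugin`. Where that directory is shared between users, a private `mktemp -d` directory would be safer, keeping the `tmp_annobin.so` basename that `-fplugin-arg-tmp_annobin-rename` depends on.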
@@ -212,7 +262,12 @@ fi %doc %{_mandir}/man1/hardened.1.gz %doc %{_mandir}/man1/run-on-binaries-in.1.gz +%if %{with clangplugin} +%{ANNOBIN_CLANG_PLUGIN_DIR} +%endif + %if %{with annocheck} +%files annocheck %{_bindir}/annocheck %doc %{_mandir}/man1/annocheck.1.gz %endif 
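Review bot: The new %files entry `%{ANNOBIN_CLANG_PLUGIN_DIR}` lists a whole directory, which makes annobin a co-owner of it. The path built earlier in the spec looks like clang's own versioned library directory, so that ownership is probably unintended. Listing only the installed file, `%{ANNOBIN_CLANG_PLUGIN_DIR}/annobin.so`, keeps ownership with the clang packages and stops any other file that ends up in the staged directory from being packaged silently.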
@@ -220,6 +275,33 @@ fi #--------------------------------------------------------------------------------- %changelog +* Mon Apr 06 2020 Nick Clifton - 9.19-1 +- Annobin: If option name mismatch occurs, seach for the real option. (#1817452) +- Annocheck: Fix a division by zero error when parsing GO binaries. (#1818863) +- Annobin: Fix access to the -flto and -fsanitize flags. +- Annobin: Use offsets stored in gcc's cl_option structure to access the global_options array, thus removing the need to check for changes in the size of this structure. +- Rename gcc plugin directory to gcc-plugin. +- Stop annocheck from complaining about missing options when the binary has been built in a mixed environment. +- Improve builtby tool. +- Stop annocheck complaining about missing notes when the binary is not compiled by either gcc or clang. +- Skip the check of the ENTRY instruction for binaries not compiled by gcc or clang. (#1809656) +- Fix infinite loop hangup in annocheck. +- Disable debuginfod support by default. +- Improve parsing of .comment section. +- Fix clang plugin to use hidden symbols. +- Add ability to build clang plugin (disabled by default). +- Annocheck: Fix error printing out the version number. +- Annobin: Add checks of the exact location of the examined switches. +- Annobin: Note when stack clash notes are generated. +- Annocheck: Handle multiple builder IDs in the .comment section. +- Add configure option to suppress building annocheck. +- Fix debuginfod test. +- Correct the build requirement for building with debuginfod support. +- Add debuginfod support. +- Add clang plugin (experimental). +- Have annocheck ignore notes with an end address of 0. +- Improve checking of gcc versions. + * Fri Nov 15 2019 Nick Clifton - 8.90-1 - Do not skip positive results.