diff --git a/.annobin.metadata b/.annobin.metadata index 5147fc1..9cbd4e4 100644 --- a/.annobin.metadata +++ b/.annobin.metadata @@ -1 +1 @@ -ef2dd2da3cf83071af47dfa2fd95309e18317dd4 SOURCES/annobin-9.72.tar.xz +cb5a3c922fa3018c7df177d27357a04cfc9085e5 SOURCES/annobin-10.29.tar.xz diff --git a/.gitignore b/.gitignore index fa9a89f..913d4cc 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/annobin-9.72.tar.xz +SOURCES/annobin-10.29.tar.xz diff --git a/SOURCES/annobin-gaps-test.patch b/SOURCES/annobin-gaps-test.patch new file mode 100644 index 0000000..b19ab99 --- /dev/null +++ b/SOURCES/annobin-gaps-test.patch @@ -0,0 +1,17 @@ +--- annobin.orig/tests/gaps-test 2021-11-22 16:02:17.449655455 +0000 ++++ annobin-10.27/tests/gaps-test 2021-11-22 16:06:37.296680446 +0000 +@@ -40,12 +40,13 @@ fi + # Run annocheck + + SKIPS="--skip-property-note --skip-dynamic-tags --skip-not-dynamic-tags --skip-branch-protection --skip-not-branch-protection --skip-lto" ++SKIPS+=" --skip-stack-clash --skip-cf-protection --skip-stack-realign" + $ANNOCHECK main.exe $SKIPS > main.out + grep -e "PASS" main.out + if [ $? != 0 ]; + then + echo "gaps-test: FAIL: using rpm build macros did not produce an executable that passes annocheck" +- $ANNOCHECK main.exe $SKIPS --verbose --enable-notes ++ $ANNOCHECK main.exe $SKIPS --verbose + echo $GCC $OPTS $srcdir/main.c -o main.exe + end_test + exit 1 diff --git a/SOURCES/annobin.unicode.patch b/SOURCES/annobin.unicode.patch deleted file mode 100644 index 0ad95ae..0000000 --- a/SOURCES/annobin.unicode.patch +++ /dev/null @@ -1,412 +0,0 @@ ---- /dev/null 2021-10-25 08:23:06.499675237 +0100 -+++ annobin-9.85/tests/unicode-test 2021-10-26 17:50:14.620383879 +0100 -@@ -0,0 +1,45 @@ -+#!/bin/bash -+ -+# Copyright (c) 2021 Red Hat. -+# -+# This is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published -+# by the Free Software Foundation; either version 3, or (at your -+# option) any later version. -+# -+# It is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+ -+TEST_NAME=unicode -+. $srcdir/common.sh -+ -+OPTS="-O2 -g -Wl,-z,now -pie -fpie" -+ -+start_test -+ -+$GCC $OPTS $srcdir/trick-hello.s -o trick-hello.exe -+if [ $? != 0 ]; -+then -+ echo "unicode-test: FAIL: Could not compile test source file" -+ end_test -+ exit 1 -+fi -+ -+# Run annocheck -+ -+OPTS="--ignore-gaps --skip-all --test-unicode" -+ -+$ANNOCHECK trick-hello.exe $OPTS > unicode.out -+grep -e "FAIL: unicode" unicode.out -+if [ $? != 0 ]; -+then -+ echo "unicode-test: FAIL: annocheck did not detect suspicious symbol names" -+ $ANNOCHECK trick-hello.exe $OPTS --verbose -+ end_test -+ exit 1 -+fi -+ -+end_test -+ ---- /dev/null 2021-10-25 08:23:06.499675237 +0100 -+++ annobin-9.85/tests/trick-hello.s 2021-10-26 17:15:25.803197562 +0100 -@@ -0,0 +1,33 @@ -+ .file "trick-hello.c" -+ .text -+ .section .rodata -+.LC0: -+ .string "hah, gotcha!" -+ .text -+ .globl he‮oll‬ -+ .type he‮oll‬, @function -+he‮oll‬: -+.LFB0: -+ nop -+.LFE0: -+ .size he‮oll‬, .-he‮oll‬ -+ .section .rodata -+.LC1: -+ .string "Hello world" -+ .text -+ .globl hello -+ .type hello, @function -+hello: -+.LFB1: -+ nop -+.LFE1: -+ .size hello, .-hello -+ .globl main -+ .type main, @function -+main: -+.LFB2: -+ nop -+.LFE2: -+ .size main, .-main -+ .ident "GCC: (GNU) 11.2.1 20210728 (Red Hat 11.2.1-1)" -+ .section .note.GNU-stack,"",@progbits -diff -rup annobin.orig/Makefile.in annobin-9.72/Makefile.in ---- annobin.orig/Makefile.in 2021-10-27 17:34:09.438721166 +0100 -+++ annobin-9.72/Makefile.in 2021-10-27 17:34:19.226658425 +0100 -@@ -323,6 +323,7 @@ plugindir = @plugindir@ - prefix = @prefix@ - program_transform_name = @program_transform_name@ - psdir = @psdir@ -+runstatedir = @runstatedir@ - sbindir = @sbindir@ - sharedstatedir = @sharedstatedir@ - srcdir = @srcdir@ -diff -rup annobin.orig/annocheck/Makefile.in annobin-9.72/annocheck/Makefile.in ---- annobin.orig/annocheck/Makefile.in 2021-10-27 17:34:09.443721134 +0100 -+++ annobin-9.72/annocheck/Makefile.in 2021-10-27 17:34:19.227658419 +0100 -@@ -314,6 +314,7 @@ plugindir = @plugindir@ - prefix = @prefix@ - program_transform_name = @program_transform_name@ - psdir = @psdir@ -+runstatedir = @runstatedir@ - sbindir = @sbindir@ - sharedstatedir = @sharedstatedir@ - srcdir = @srcdir@ -diff -rup annobin.orig/annocheck/hardened.c annobin-9.72/annocheck/hardened.c ---- annobin.orig/annocheck/hardened.c 2021-10-27 17:34:09.443721134 +0100 -+++ annobin-9.72/annocheck/hardened.c 2021-10-27 17:35:14.200306024 +0100 -@@ -37,7 +37,8 @@ - #define SOURCE_SEGMENT_CONTENTS "segment contents" - #define SOURCE_SEGMENT_HEADERS "segment headers" - #define SOURCE_STRING_SECTION "string section" --#define SOURCE_COMMENT_SECTION "comment section" -+#define SOURCE_COMMENT_SECTION "comment section" -+#define SOURCE_SYMBOL_SECTION "symbol section" - - #define GOLD_COLOUR "\e[33;40m" - #define RED_COLOUR "\x1B[31;47m" -@@ -199,6 +200,7 @@ enum test_index - TEST_STACK_REALIGN, - TEST_TEXTREL, - TEST_THREADS, -+ TEST_UNICODE, - TEST_WARNINGS, - TEST_WRITEABLE_GOT, - -@@ -243,6 +245,7 @@ static test tests [TEST_MAX] = - TEST (stack-realign, STACK_REALIGN, "Compiled with -mstackrealign (i686 only)"), - TEST (textrel, TEXTREL, "There are no text relocations in the binary"), - TEST (threads, THREADS, "Compiled with -fexceptions"), -+ TEST (unicode, UNICODE, "No unicode symbol names"), - TEST (warnings, WARNINGS, "Compiled with -Wall"), - TEST (writeable-got, WRITEABLE_GOT, "The .got section is not writeable"), - }; -@@ -1099,6 +1102,11 @@ interesting_sec (annocheck_data * da - if (streq (sec->secname, ".gdb_index")) - per_file.debuginfo_file = true; - -+ if (tests[TEST_UNICODE].enabled -+ && (sec->shdr.sh_type == SHT_SYMTAB -+ || sec->shdr.sh_type == SHT_DYNSYM)) -+ return true; -+ - if (streq (sec->secname, ".text")) - { - /* Separate debuginfo files have a .text section with a non-zero -@@ -2829,6 +2837,64 @@ check_code_section (annocheck_data * - } - - static bool -+contains_suspicious_characters (const unsigned char * name) -+{ -+ uint i; -+ uint len = strlen ((const char *) name); -+ -+ /* FIXME: Test that locale is UTF-8. */ -+ -+ for (i = 0; i < len; i++) -+ { -+ unsigned char c = name[i]; -+ -+ if (isgraph (c)) -+ continue; -+ -+ /* Control characters are always suspect. So are spaces and DEL */ -+ if (iscntrl (c) || c == ' ' || c == 0x7f) -+ return true; -+ -+ if (c < 0x7f) /* This test is probably redundant. */ -+ continue; -+ -+ return true; -+ } -+ -+ return false; -+} -+ -+static bool -+check_symbol_section (annocheck_data * data, annocheck_section * sec) -+{ -+ if (! tests[TEST_UNICODE].enabled) -+ return true; -+ -+ /* Scan the symbols looking for non-ASCII characters in their names -+ that might cause problems. Note - we do not examine the string -+ tables directly as there are perfectly legitimate reasons why these -+ characters might appear in strings. But when they are used for -+ identifier names, their use is ... problematic. */ -+ GElf_Sym sym; -+ uint symndx; -+ -+ for (symndx = 1; gelf_getsym (sec->data, symndx, & sym) != NULL; symndx++) -+ { -+ const char * symname = elf_strptr (data->elf, sec->shdr.sh_link, sym.st_name); -+ -+ if (contains_suspicious_characters ((const unsigned char *) symname)) -+ { -+ fail (data, TEST_UNICODE, SOURCE_SYMBOL_SECTION, "suspicious characters were found in a symbol name"); -+ einfo (VERBOSE, "%s: info: symname: '%s', (%lu bytes long) in section: %s", -+ get_filename (data), symname, (unsigned long) strlen (symname), sec->secname); -+ if (!BE_VERBOSE) -+ break; -+ } -+ } -+ return true; -+} -+ -+static bool - check_sec (annocheck_data * data, - annocheck_section * sec) - { -@@ -2839,6 +2905,8 @@ check_sec (annocheck_data * data, - selected in interesting_sec(). */ - switch (sec->shdr.sh_type) - { -+ case SHT_SYMTAB: -+ case SHT_DYNSYM: return check_symbol_section (data, sec); - case SHT_NOTE: return check_note_section (data, sec); - case SHT_STRTAB: return check_string_section (data, sec); - case SHT_DYNAMIC: return check_dynamic_section (data, sec); -@@ -3526,6 +3594,7 @@ finish (annocheck_data * data) - case TEST_RWX_SEG: - case TEST_TEXTREL: - case TEST_THREADS: -+ case TEST_UNICODE: - case TEST_WRITEABLE_GOT: - /* The absence of a result for these tests actually means that they have passed. */ - pass (data, i, SOURCE_FINAL_SCAN, NULL); -Only in annobin-9.72/annocheck: hardened.c.orig -Only in annobin-9.72/annocheck: hardened.c.rej -diff -rup annobin.orig/configure annobin-9.72/configure ---- annobin.orig/configure 2021-10-27 17:34:09.438721166 +0100 -+++ annobin-9.72/configure 2021-10-27 17:34:19.229658406 +0100 -@@ -763,6 +763,7 @@ infodir - docdir - oldincludedir - includedir -+runstatedir - localstatedir - sharedstatedir - sysconfdir -@@ -860,6 +861,7 @@ datadir='${datarootdir}' - sysconfdir='${prefix}/etc' - sharedstatedir='${prefix}/com' - localstatedir='${prefix}/var' -+runstatedir='${localstatedir}/run' - includedir='${prefix}/include' - oldincludedir='/usr/include' - docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' -@@ -1112,6 +1114,15 @@ do - | -silent | --silent | --silen | --sile | --sil) - silent=yes ;; - -+ -runstatedir | --runstatedir | --runstatedi | --runstated \ -+ | --runstate | --runstat | --runsta | --runst | --runs \ -+ | --run | --ru | --r) -+ ac_prev=runstatedir ;; -+ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ -+ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ -+ | --run=* | --ru=* | --r=*) -+ runstatedir=$ac_optarg ;; -+ - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) - ac_prev=sbindir ;; - -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ -@@ -1249,7 +1260,7 @@ fi - for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ - datadir sysconfdir sharedstatedir localstatedir includedir \ - oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ -- libdir localedir mandir -+ libdir localedir mandir runstatedir - do - eval ac_val=\$$ac_var - # Remove trailing slashes. -@@ -1402,6 +1413,7 @@ Fine tuning of the installation director - --sysconfdir=DIR read-only single-machine data [PREFIX/etc] - --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] - --localstatedir=DIR modifiable single-machine data [PREFIX/var] -+ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] - --libdir=DIR object code libraries [EPREFIX/lib] - --includedir=DIR C header files [PREFIX/include] - --oldincludedir=DIR C header files for non-gcc [/usr/include] -Only in annobin-9.72: configure.orig -diff -rup annobin.orig/doc/Makefile.in annobin-9.72/doc/Makefile.in ---- annobin.orig/doc/Makefile.in 2021-10-27 17:34:09.439721160 +0100 -+++ annobin-9.72/doc/Makefile.in 2021-10-27 17:34:19.229658406 +0100 -@@ -329,6 +329,7 @@ plugindir = @plugindir@ - prefix = @prefix@ - program_transform_name = @program_transform_name@ - psdir = @psdir@ -+runstatedir = @runstatedir@ - sbindir = @sbindir@ - sharedstatedir = @sharedstatedir@ - srcdir = @srcdir@ -diff -rup annobin.orig/doc/annobin.info annobin-9.72/doc/annobin.info ---- annobin.orig/doc/annobin.info 2021-10-27 17:34:09.440721153 +0100 -+++ annobin-9.72/doc/annobin.info 2021-10-27 17:34:19.230658399 +0100 -@@ -737,6 +737,7 @@ File: annobin.info, Node: Hardened, Ne - [-skip-stack-realign] - [-skip-textrel] - [-skip-threads] -+ [-skip-unicode] - [-skip-warnings] - [-skip-writeable-got] - [-test-NAME] -@@ -863,6 +864,10 @@ code to support the test. - Check that the program was built by a production-ready compiler. - Disabled by '--skip-production'. - -+'Unicode' -+ This test checks for the presence of multibyte characters in symbol -+ names, which are unusual and potentially dangerous. -+ - The tool does support a couple of other command line options as well: - - '--skip-future' -Only in annobin-9.72/doc: annobin.info.orig -Only in annobin-9.72/doc: annobin.info.rej -diff -rup annobin.orig/doc/annobin.texi annobin-9.72/doc/annobin.texi ---- annobin.orig/doc/annobin.texi 2021-10-27 17:34:09.439721160 +0100 -+++ annobin-9.72/doc/annobin.texi 2021-10-27 17:34:19.230658399 +0100 -@@ -842,6 +842,7 @@ annocheck - [@b{--skip-stack-realign}] - [@b{--skip-textrel}] - [@b{--skip-threads}] -+ [@b{--skip-unicode}] - [@b{--skip-warnings}] - [@b{--skip-writeable-got}] - [@b{--test-@var{name}}] -@@ -983,6 +984,11 @@ Check that the program makes consistent - @item Production Ready Compiler - Check that the program was built by a production-ready compiler. - Disabled by @option{--skip-production}. -+ -+@item Unicode -+This test checks for the presence of multibyte characters in symbol -+names, which are unusual and potentially dangerous. -+ - @end table - - The tool does support a couple of other command line options as well: -Only in annobin-9.72/doc: annobin.texi.orig -diff -rup annobin.orig/gcc-plugin/Makefile.in annobin-9.72/gcc-plugin/Makefile.in ---- annobin.orig/gcc-plugin/Makefile.in 2021-10-27 17:34:09.443721134 +0100 -+++ annobin-9.72/gcc-plugin/Makefile.in 2021-10-27 17:34:19.230658399 +0100 -@@ -333,6 +333,7 @@ plugindir = @plugindir@ - prefix = @prefix@ - program_transform_name = @program_transform_name@ - psdir = @psdir@ -+runstatedir = @runstatedir@ - sbindir = @sbindir@ - sharedstatedir = @sharedstatedir@ - srcdir = @srcdir@ -diff -rup annobin.orig/scripts/Makefile.in annobin-9.72/scripts/Makefile.in ---- annobin.orig/scripts/Makefile.in 2021-10-27 17:34:09.441721146 +0100 -+++ annobin-9.72/scripts/Makefile.in 2021-10-27 17:34:19.230658399 +0100 -@@ -284,6 +284,7 @@ plugindir = @plugindir@ - prefix = @prefix@ - program_transform_name = @program_transform_name@ - psdir = @psdir@ -+runstatedir = @runstatedir@ - sbindir = @sbindir@ - sharedstatedir = @sharedstatedir@ - srcdir = @srcdir@ -diff -rup annobin.orig/tests/Makefile.am annobin-9.72/tests/Makefile.am ---- annobin.orig/tests/Makefile.am 2021-10-27 17:34:09.444721127 +0100 -+++ annobin-9.72/tests/Makefile.am 2021-10-27 17:34:19.230658399 +0100 -@@ -22,6 +22,7 @@ TESTS=compile-test \ - missing-notes-test \ - active-checks-test \ - property-note-test \ -+ unicode-test \ - hardening-fail-test - - if HAVE_DEBUGINFOD -diff -rup annobin.orig/tests/Makefile.in annobin-9.72/tests/Makefile.in ---- annobin.orig/tests/Makefile.in 2021-10-27 17:34:09.444721127 +0100 -+++ annobin-9.72/tests/Makefile.in 2021-10-27 17:34:19.230658399 +0100 -@@ -459,6 +459,7 @@ plugindir = @plugindir@ - prefix = @prefix@ - program_transform_name = @program_transform_name@ - psdir = @psdir@ -+runstatedir = @runstatedir@ - sbindir = @sbindir@ - sharedstatedir = @sharedstatedir@ - srcdir = @srcdir@ -@@ -479,7 +480,7 @@ TESTS = compile-test abi-test active-che - hardening-test instrumentation-test lto-test \ - missing-notes-test objcopy-test section-size-test \ - missing-notes-test active-checks-test property-note-test \ -- hardening-fail-test $(am__append_1) -+ unicode-test hardening-fail-test $(am__append_1) - all: all-am - - .SUFFIXES: -@@ -764,6 +765,13 @@ property-note-test.log: property-note-te - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ -+ "$$tst" $(AM_TESTS_FD_REDIRECT) -+unicode-test.log: unicode-test -+ @p='unicode-test'; \ -+ b='unicode-test'; \ -+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ -+ --log-file $$b.log --trs-file $$b.trs \ -+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) - debuginfod-test.log: debuginfod-test - @p='debuginfod-test'; \ -Only in annobin-9.72/tests: trick-hello.s -Only in annobin-9.72/tests: unicode-test diff --git a/SPECS/annobin.spec b/SPECS/annobin.spec index 441ef22..45aa502 100644 --- a/SPECS/annobin.spec +++ b/SPECS/annobin.spec @@ -1,8 +1,8 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.72 -Release: 1%{?dist}.2 +Version: 10.29 +Release: 3%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark # Maintainer: nickc@redhat.com @@ -56,7 +56,7 @@ Source: annobin-%{version}.tar.xz # Insert patches here, if needed. Patch01: annobin-nop.patch -Patch02: annobin.unicode.patch +Patch02: annobin-gaps-test.patch #--------------------------------------------------------------------------------- @@ -155,11 +155,11 @@ of the resulting files. %package annocheck Summary: A tool for checking the security hardening status of binaries -BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel +BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel make %if %{with debuginfod} BuildRequires: elfutils-debuginfod-client-devel -BuildRequires: make %endif +Requires: cpio rpm %description annocheck Installs the annocheck program which uses the notes generated by annobin to @@ -193,7 +193,6 @@ fi echo "Requires: (gcc >= %{gcc_major} and gcc < %{gcc_next})" %autosetup -p1 -chmod +x tests/unicode-test # The plugin has to be configured with the same arcane configure # scripts used by gcc. Hence we must not allow the Fedora build @@ -280,6 +279,7 @@ make -C llvm-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS" # Change the following line to "make check || :" on RHEL7 or if you need to see the # test suite logs in order to diagnose a test failure. make check + if [ -f tests/test-suite.log ]; then cat tests/test-suite.log fi @@ -298,10 +298,10 @@ fi %doc %{_datadir}/doc/annobin-plugin/annotation.proposal.txt %doc %{_infodir}/annobin.info.gz %doc %{_mandir}/man1/annobin.1.gz -%doc %{_mandir}/man1/built-by.1.gz -%doc %{_mandir}/man1/check-abi.1.gz -%doc %{_mandir}/man1/hardened.1.gz -%doc %{_mandir}/man1/run-on-binaries-in.1.gz +%exclude %{_mandir}/man1/built-by.1* +%exclude %{_mandir}/man1/check-abi.1* +%exclude %{_mandir}/man1/hardened.1* +%exclude %{_mandir}/man1/run-on-binaries-in.1* %if %{with clangplugin} %{ANNOBIN_CLANG_PLUGIN_DIR} @@ -319,11 +319,120 @@ fi #--------------------------------------------------------------------------------- %changelog -* Mon Nov 1 2021 Siddhesh Poyarekar - 9.72-1.2 -- Bump NVR and rebuild to use the new gcc. (#2017362) - -* Wed Oct 27 2021 Nick Clifton - 9.72-1.1 -- Annocheck: Add test for multibyte characters in symbol names. (#2017362) +* Tue Feb 08 2022 Nick Clifton - 10.29-3 +- NVR bump in order to allow rebuilding against latest gcc. (#2052060) + +* Mon Jan 24 2022 Nick Clifton - 10.29-2 +- Spec File: Add "Requires: rpm cpio" to annocheck sub-package. (#2043474) + +* Tue Nov 30 2021 Nick Clifton - 10.28-1 +- gcc-plugin: Fix bug creating empty attachments. (#2026944) +- Annocheck: Change MAYB result to SKIP for DT_RPATH. (#2026300) + +* Mon Nov 22 2021 Nick Clifton - 10.27-1 +- Annocheck: Skip missing fortify/warning notes for ARM32. +- gcc-plugin: Try another fix for ppc64le section grouping. (#2023437) +- gcc-plugin: Revert 10.22 change. (#2023437) +- Annocheck: Add exception for /usr/sbin/ldconfig. (#2022973) + +* Mon Nov 08 2021 Nick Clifton - 10.23-1 +- Annocheck: Add a test for unicode characters in identifiers. (#2017363) +- gcc-plugin: Default to link-order grouping for PPC64LE. (#2016458) + +* Wed Oct 27 2021 Nick Clifton - 10.21-3 +- annocheck: Disable LTO test when checking ldconfig (attempt 3). (#2017039) + +* Tue Oct 26 2021 Nick Clifton - 10.21-2 +- annocheck: Disable LTO test when checking ldconfig (attempt 2). (#2017039) + +* Tue Oct 26 2021 Nick Clifton - 10.21-1 +- annocheck: Disable LTO test when checking ldconfig. (#2017039) + +* Mon Oct 25 2021 Nick Clifton - 10.20-1 +- annocheck: Add more glibc function names. (#2017039) +- gcc-plugin: Fix attaching the .text section to the .text.group section. +- Complain about DT_RPATH for Fedora binaries. +- Better reporting of problems in object files. (#2013708) +- Add a requirement on llvm-libs for clang and llvm plugins. (#2014573) +- Fix configuring annocheck without gcc-plugin. +- Annocheck: Better reporting of debuginfod problems. +- Tests: Fix bugs in debuginfod test. + +* Mon Oct 18 2021 Nick Clifton - 10.15-2 +- Exclude man pages for uninstalled scripts. (#2013565) + +* Wed Oct 13 2021 Nick Clifton - 10.15-1 +- Annocheck: Add tests based upon recent bug fixes. +- Annocheck: Another tweak to glibc detection code. + +* Mon Oct 11 2021 Nick Clifton - 10.13-1 +- Annocheck: Fix memory corruptions when using --debug-path and when a corrupt note is found. (#20011438) +- Annocheck: Fix MAYB results for mixed GO/C files. +- Annocheck: Move some messages from VERBOSE to VERBOSE2. +- Annocheck: Scan zero-length tool notes. (#2011818) + +* Wed Oct 06 2021 Nick Clifton - 10.11-1 +- Annocheck: Fix covscan detected flaws. (#201129) +- plugins: Add more required build options. (#2011163) + +* Tue Oct 05 2021 Nick Clifton - 10.10-1 +- Annocheck: Fix cf-prot test to fail if the CET notes are missing. (#2010671) +- Annocheck: Skip gaps in the .plt section. (#2010675) +- Plugins: Add -g option when building LLVM and Clang. (#2010675) + +* Mon Oct 04 2021 Nick Clifton - 10.09-1 +- Annocheck: Add more cases of glibc startup functions. (#1981410) +- Annocheck: Fix covscan detected problems. +- Annocheck: Add --profile=el8. +- gcc-plugin: Conditionalize generation of branch protection note. +- Annocheck: Ignore gaps containing NOP instructions. + +* Wed Sep 29 2021 Nick Clifton - 10.06-1 +- Rebase to 10.06. (#2002351) +- GCC Plugin: Fix detection of running inside the LTO compiler. (#2004917) +- Annocheck: Do not insist on the DT_AARCH64_PAC_PLT flag being present in AArch64 binaries. +- Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result. +- Annocheck: Do not set CFLAGS/LDFLAGS when building. Take from environment instead. +- Annocheck: Fix exit code when tests PASS. +- Documentation: Add node for each hardening test. +- Documentation: Install online. +- Annocheck: Annote FAIL and MAYB results with URL to documentation +- Annocheck: Add --no-urls and --provide-urls options +- Annocheck: Add --help- option. +- Annocheck: Fix fuzzing detected failures. +- Annocheck: Add --profile option. +- Docs: Document --profile option and rpminspect.yaml. +- Annocheck: Skip GO/CET checks. Fix fuzzing detected failures. +- LLVM Plugin: Automatically choose the correct tests to run, based upon the version of Clang installed. (#1997444) +- Annocheck: Fix memory corruption. (#1996963) +- Annocheck: Fix conditionalization of AArch64's PAC+BTI detection. +- Annocheck: Add linker generated function for ppc64le exceptions. (#1981410) +- LLVM Plugin: Allow checks to be selected from the command line. +- Annocheck: Examine DW_AT_producer for -flto. +- Annocheck: Conditionalize detection of AArch64's PAC+BTI protection. +- Annocheck: Add linker generated function for s390x exceptions. (#1981410) +- Annocheck: Generate MAYB results for gaps in notes covering the .text section. (#1991943) +- Annocheck: Close DWARF file descriptors once the debug info is no longer needed. (#1981410) +- LLVM Plugin: Update to build with Clang v13. (Thanks to: Tom Stellard ) +- Annocheck: Fix memory corruption. (#1988715) +- Annocheck: Skip certain tests for kernel modules. +- Annocheck: Detect a missing CET note. (#1991931) +- Annocheck: Do not report future fails for AArch64 notes. +- Annocheck: Warn about multiple --debug-file, --debug-rpm and --debug-dir options. +- Annocheck: Process files in command line order. (#1988714) +- Annocheck: Reverse AArch64 PAC+BTI check, ie fail if they are enabled. (#1984995) +- Annocheck: Add another test exceptions. +- Annocheck: Add some more test exceptions. +- Tests: Skip glibc-notes test if the assembler does not support --generate-missing-build-notes. (#1978573) +- Tests: Skip objcopy test if objcopy does not support --merge-notes. +- Annocheck: Fix spelling mistake in -mstack-realign failure message. (#1977349) +- gcc-plugin: Do not record global versions of stack protection settings in LTO mode, if not set. (#1958954) +- Annocheck: Remove limit on number of input files. +- clang/llvm plugins: Build with correct security options. +- Annocheck: Better detection of GO compiler version. +- Annocheck: Better support for symbolic links. +- Annocheck: In verbose mode, report the reason for skipping specific tests. (#1969584) +- Annocheck: Improve detection of shared libraries. (#1958954) * Mon May 17 2021 Nick Clifton - 9.72-1 - Rebase to 9.72. (#1960299)