Bug 892837 - fix hardened specs to be safe against multiple inclusion
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: redhat-rpm-config
Version: 18
Hardware: Unspecified
OS: Unspecified
Assignee: Adam Jackson
QA Contact: Fedora Extras Quality Assurance
Duplicates: 958290
Blocks: 853199 954347
Reported: 2013-01-08 00:30 UTC by Matthias Clasen
Modified: 2013-06-11 09:18 UTC (History)

Fixed In Version: redhat-rpm-config-9.1.0-37.1.fc18
Doc Type: Bug Fix
Last Closed: 2013-05-24 20:14:57 UTC
Type: Bug

Description Matthias Clasen 2013-01-08 00:30:23 UTC
I was trying a hardened build of polkit, but the build fails when it gets to the introspection part. What probably happens is that the introspection mangles the CFLAGS, and ends up duplicating the -specs=... line. This in turn causes gcc to complain about %rename defining something that already exists.

Using something like:

*cc1_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}

(and similar for ld) instead allows the build to succeed, and yields a fully relro polkit package.
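
Added example, not part of the original report and not GCC's or redhat-rpm-config's code: a simplified Python model of the two spec-file directives discussed above, showing why a %rename-style file fails when the same -specs= option appears twice while the "+" form does not. The spec name cc1_options_orig, the built-in spec text and the helper names are assumptions made for the illustration.

```python
class SpecError(Exception):
    """Raised where the GCC driver would stop with a fatal spec-file error."""

PIE = "%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}"
# Constructed %rename-style file; cc1_options_orig is a hypothetical name.
RENAME_STYLE = ("%rename cc1_options cc1_options_orig\n\n"
                "*cc1_options:\n" + PIE + " %(cc1_options_orig)\n")
# The "+" (append) form quoted in the bug description.
APPEND_STYLE = "*cc1_options:\n+ " + PIE + "\n"

def apply_spec_file(specs, text):
    """Apply one spec file to the table, as a single -specs=FILE would."""
    lines = [l.strip() for l in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line.startswith("%rename"):
            _, old, new = line.split()
            if old not in specs:
                raise SpecError("spec '%s' not found to be renamed" % old)
            if new in specs:  # a second inclusion of the same file ends here
                raise SpecError("rename of '%s' to already defined '%s'"
                                % (old, new))
            # The old name stays defined but empty; the new name gets the text.
            specs[new], specs[old] = specs[old], ""
        elif line.startswith("*") and line.endswith(":"):
            body = []
            while i < len(lines) and lines[i]:  # body runs to next blank line
                body.append(lines[i])
                i += 1
            body = " ".join(body)
            name = line[1:-1]
            if body.startswith("+"):
                specs[name] = specs.get(name, "") + body[1:]  # append
            else:
                specs[name] = body  # override
    return specs

def include_times(text, times, builtin="BUILTIN_OPTS"):
    """Model the same -specs=FILE appearing `times` times on one command line."""
    specs = {"cc1_options": builtin}  # constructed stand-in for the built-in spec
    for _ in range(times):
        apply_spec_file(specs, text)
    return specs
```

With the "+" form a duplicated inclusion only appends the same guarded -fPIE text twice, so the result changes in length but the driver has nothing to reject.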

Comment 1 Matthias Clasen 2013-04-30 20:53:18 UTC
*** Bug 958290 has been marked as a duplicate of this bug. ***

Comment 2 Dhiru Kholia 2013-05-02 09:39:06 UTC
Multiple packages are being affected by this bug. Both F18 and F19 are affected.

Why is fixing this almost trivial bug taking so long?

Comment 3 Richard Hughes 2013-05-03 20:28:23 UTC
I'm having to fix this up in RHEL7 manually, it would be awesome to have the macro working. Thanks!

Comment 4 Dan Williams 2013-05-06 21:36:33 UTC
Hitting this with NetworkManager as well, would be good to have this solved correctly instead of carrying a bunch of patches for a bunch of packages.

Comment 5 Dhiru Kholia 2013-05-08 15:02:04 UTC
LibreOffice is affected too. Wasted many hours due to this bug.

Comment 6 Miloslav Trmač 2013-05-10 22:39:57 UTC
At least for polkit, the compilation failure is caused by gdk-doc duplicating the -specs flags (#962005).

There's nothing obviously wrong with the -specs command in redhat-rpm-config AFAICS.  True, it is not idempotent - was it ever promised to be?

Comment 8 Panu Matilainen 2013-05-13 06:48:19 UTC
Reassigning to ajax who added the hardening-stuff in the first place and thus likely has a better clue about the thing than me.

Comment 9 Adam Jackson 2013-05-13 15:17:54 UTC
I'm... honestly not sure why we used %rename there, besides that I think that's the template Jakub(?) gave me to work with.  The + syntax is clearly more sane.

I've fixed this in git (bodhi update to follow in a moment).

However, when I tested it (both before and after) against libXext, a fairly trivial automake/libtool project, libtool seems to delight in just throwing away huge chunks of the link command line, including the -specs= part, because libtool is a net loss for humanity.  Sorry about that, but I don't see a reasonable workaround for it at the rpm macro level, it's really libtool's bug.

Comment 10 Fedora Update System 2013-05-13 15:26:37 UTC
redhat-rpm-config-9.1.0-44.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/redhat-rpm-config-9.1.0-44.fc19

Comment 11 Fedora Update System 2013-05-14 03:45:22 UTC
Package redhat-rpm-config-9.1.0-44.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing redhat-rpm-config-9.1.0-44.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8112/redhat-rpm-config-9.1.0-44.fc19
then log in and leave karma (feedback).

Comment 12 Dhiru Kholia 2013-05-14 11:02:32 UTC
The fix works great. Thanks Adam!

Comment 13 Nathanael Noblet 2013-05-15 16:44:32 UTC
So I just attempted to do this today, my build failed. Is it because the fix above isn't in the buildroot?

Comment 14 Adam Jackson 2013-05-15 21:06:20 UTC
(In reply to comment #13)
> So I just attempted to do this today, my build failed. Is it because the fix
> above isn't in the buildroot?

It won't be in the buildroot until the update gets approved, correct.  That's what karma is for...

Comment 15 Richard Hughes 2013-05-17 12:10:31 UTC
FWIW, I ended up adding the PIE and full RELRO stuff upstream in my projects, rather than using the specfile macro.

Comment 16 Christopher Meng 2013-05-18 02:03:11 UTC
Fixed.

Comment 17 Christopher Meng 2013-05-18 02:45:25 UTC
Rawhide seems fixed.

But f19 still comes across this:

http://koji.fedoraproject.org/koji/taskinfo?taskID=5394351

Comment 18 Christopher Meng 2013-05-21 06:55:40 UTC
Hi,

It seems OK now.

But will you have an update for fedora 18?

Comment 19 Fedora Update System 2013-05-24 20:14:57 UTC
redhat-rpm-config-9.1.0-44.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2013-05-29 15:43:28 UTC
redhat-rpm-config-9.1.0-37.1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/redhat-rpm-config-9.1.0-37.1.fc18

Comment 21 Fedora Update System 2013-06-11 09:18:34 UTC
redhat-rpm-config-9.1.0-37.1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

