[arch-commits] Commit in namcap/trunk (3 files)
Levente Polyak
anthraxx at archlinux.org
Mon Oct 22 20:14:49 UTC 2018
Date: Monday, October 22, 2018 @ 20:14:48
Author: anthraxx
Revision: 337064
upgpkg: namcap 3.2.8-3 (backport patches)
Follow the broken-window principle by backporting fixes for annoying false positives
- properly handle new bind-now full relro check
- ignore PIE check for .so files (dynlib)
- quote vars that can contain spaces
Added:
namcap/trunk/namcap-fix-full-relro.patch
namcap/trunk/namcap-ignore-so-no-pie.patch
Modified:
namcap/trunk/PKGBUILD
-------------------------------+
PKGBUILD | 27 +++++++++++++++++----------
namcap-fix-full-relro.patch | 38 ++++++++++++++++++++++++++++++++++++++
namcap-ignore-so-no-pie.patch | 26 ++++++++++++++++++++++++++
3 files changed, 81 insertions(+), 10 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2018-10-22 20:14:17 UTC (rev 337063)
+++ PKGBUILD 2018-10-22 20:14:48 UTC (rev 337064)
@@ -3,7 +3,7 @@
pkgname=namcap
pkgver=3.2.8
-pkgrel=2
+pkgrel=3
pkgdesc="A Pacman package analyzer"
arch=('any')
url="http://projects.archlinux.org/namcap.git/"
@@ -11,29 +11,36 @@
depends=('python' 'pyalpm>=0.5' 'licenses'
'binutils' 'elfutils' 'python-pyelftools')
makedepends=('python-setuptools')
-source=(https://sources.archlinux.org/other/${pkgname}/${pkgname}-${pkgver}.tar.gz missing-desktop-file-utils.patch)
+source=(https://sources.archlinux.org/other/${pkgname}/${pkgname}-${pkgver}.tar.gz
+ namcap-fix-full-relro.patch
+ namcap-ignore-so-no-pie.patch
+ missing-desktop-file-utils.patch)
sha512sums=('504b8294a86fdcc15946098fa57a4b6ca3bea0daf9ec51e7eab62078225b2102f527e123a9aeee33b8c4151adb8a59c5a682e25fd0330bd576d3da737f2a7d81'
+ '2ca2bebef6c2307b73081b424c1a6cc34f0087726c48bac7808b35d88ddab6d8668b09ebf964a46f48fde4ce2c2ab8b5fdcc5120864d412d24d66d623bd47b6c'
+ 'df8a8c389aa9d619650d6e472409e4480095e09d5ea60b232a865e1a654dd9440e2228f1f098302b529d6db89f9cd0d8d066881da2bc3ca9ec07b17368efd2cf'
'74efb1939053f41129cd811cf84abef8ff84ca4673cb62c3115b9d56830a57a48fed021b9807a74299c4c4cf3ec1880733f91dd5d06f4b9ac294fc78a9b5498e')
prepare() {
- cd ${srcdir}/${pkgname}-${pkgver}
- patch -Np1 -i ${srcdir}/missing-desktop-file-utils.patch
+ cd ${pkgname}-${pkgver}
+ patch -Np1 -i "${srcdir}/missing-desktop-file-utils.patch"
+ patch -Np1 -i "${srcdir}/namcap-fix-full-relro.patch"
+ patch -Np1 -i "${srcdir}/namcap-ignore-so-no-pie.patch"
}
build() {
- cd ${srcdir}/${pkgname}-${pkgver}
+ cd ${pkgname}-${pkgver}
python setup.py build
}
check() {
- cd ${srcdir}/${pkgname}-${pkgver}
- env PARSE_PKGBUILD_PATH=${srcdir}/${pkgname}-${pkgver} \
- PATH=${srcdir}/${pkgname}-${pkgver}:$PATH \
+ cd ${pkgname}-${pkgver}
+ env PARSE_PKGBUILD_PATH="${srcdir}/${pkgname}-${pkgver}" \
+ PATH="${srcdir}/${pkgname}-${pkgver}:$PATH" \
python setup.py test
}
package() {
- cd ${srcdir}/${pkgname}-${pkgver}
- python setup.py install --root=${pkgdir}
+ cd ${pkgname}-${pkgver}
+ python setup.py install --root="${pkgdir}"
}
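Review bot: The two new `patch` calls in prepare() depend on their order, and nothing in the PKGBUILD says so. The index lines show that namcap-ignore-so-no-pie.patch was generated on top of the blob produced by namcap-fix-full-relro.patch (6cef680). A comment above them would record both the ordering and the provenance, for example `# upstream backports, apply in this order (no-PIE patch is based on the RELRO one); drop with the next namcap release`. As a smaller style point, the new `cd ${pkgname}-${pkgver}` lines are left unquoted while the commit quotes every other expansion; `cd "${pkgname}-${pkgver}"` would keep the file consistent.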
Added: namcap-fix-full-relro.patch
===================================================================
--- namcap-fix-full-relro.patch (rev 0)
+++ namcap-fix-full-relro.patch 2018-10-22 20:14:48 UTC (rev 337064)
@@ -0,0 +1,38 @@
+From 4bf61fa3c5ecb928b2aaa526f8f56f3b5284d25f Mon Sep 17 00:00:00 2001
+From: Chih-Hsuan Yen <yan12125 at gmail.com>
+Date: Tue, 11 Sep 2018 22:28:37 +0800
+Subject: elffiles: also check DF_BIND_NOW when checking FULL RELRO
+
+Looks like DF_BIND_NOW has the same function as DT_BIND_NOW.
+
+Signed-off-by: Kyle Keen <keenerd at gmail.com>
+---
+ Namcap/rules/elffiles.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
+index d707a58..6cef680 100644
+--- a/Namcap/rules/elffiles.py
++++ b/Namcap/rules/elffiles.py
+@@ -140,11 +140,16 @@ class ELFGnuRelroRule(TarballRule):
+ description = "Check for FULL RELRO in ELF files."
+
+ def has_bind_now(self, elffile):
++ DF_BIND_NOW = 0x08
++
+ for section in elffile.iter_sections():
+ if not isinstance(section, DynamicSection):
+ continue
+- if any(tag.entry.d_tag == 'DT_BIND_NOW' for tag in section.iter_tags()):
+- return True
++ for tag in section.iter_tags():
++ if tag.entry.d_tag == 'DT_BIND_NOW':
++ return True
++ if tag.entry.d_tag == 'DT_FLAGS' and tag.entry.d_val & DF_BIND_NOW:
++ return True
+ return False
+
+ def analyze(self, pkginfo, tar):
+--
+cgit v1.2.1-1-g437b
+
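Review bot: The new loop in has_bind_now accepts DT_BIND_NOW and DT_FLAGS/DF_BIND_NOW but still does not look at DT_FLAGS_1, where DF_1_NOW requests the same eager binding. An object that carries only that flag would presumably still be reported as lacking full RELRO, which is the kind of false positive this backport is meant to remove. Consider adding `if tag.entry.d_tag == 'DT_FLAGS_1' and tag.entry.d_val & DF_1_NOW: return True` with `DF_1_NOW = 0x01`. The flag masks would also read better as module-level constants with a short comment naming the ELF field they belong to, rather than a local assigned on every call.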
Added: namcap-ignore-so-no-pie.patch
===================================================================
--- namcap-ignore-so-no-pie.patch (rev 0)
+++ namcap-ignore-so-no-pie.patch 2018-10-22 20:14:48 UTC (rev 337064)
@@ -0,0 +1,26 @@
+From 4ece4901d13b9fa590a538cc2133374d3c17df6f Mon Sep 17 00:00:00 2001
+From: Jelle van der Waa <jelle at vdwaa.nl>
+Date: Tue, 11 Sep 2018 18:21:39 +0200
+Subject: Ignore .so for no PIE check
+
+Signed-off-by: Kyle Keen <keenerd at gmail.com>
+---
+ Namcap/rules/elffiles.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
+index 6cef680..4ad1e66 100644
+--- a/Namcap/rules/elffiles.py
++++ b/Namcap/rules/elffiles.py
+@@ -228,6 +228,8 @@ class NoPIERule(TarballRule):
+ for entry in tar:
+ if not entry.isfile():
+ continue
++ if '.so' in entry.name:
++ continue
+ fp = tar.extractfile(entry)
+ if not is_elf(fp):
+ continue
+--
+cgit v1.2.1-1-g437b
+
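Review bot: The added test `if '.so' in entry.name` is a substring match on the whole archive path, so it skips more than shared libraries. Any file whose directory or file name merely contains ".so" is excluded (for example a path under a constructed directory `foo.so.d/`, or a binary named `x.solver`), and a non-PIE executable there would pass the hardening check unnoticed. Matching only the basename against a library suffix is tighter, e.g. `if re.search(r'\.so(\.\d+)*$', os.path.basename(entry.name)): continue`, assuming `re` and `os` are imported in elffiles.py, which the hunk does not show. The enclosing analyze method starts and ends outside the hunk.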