git » namcap.git » commit 3556178

(backport patches)

author Levente Polyak
2018-10-22 20:14:48 UTC
committer Levente Polyak
2018-10-22 20:14:48 UTC
parent 77b0515218dcb32f0d11c534ad90badae70e0d24
(backport patches)

Fix broken window principle by backporting annoying false-positive fixes
- properly handle new bind-now full relro check
- ignore PIE check for .so files (dynlib)
- quote vars that can contain spaces
PKGBUILD +17 -10
namcap-fix-full-relro.patch +38 -0
namcap-ignore-so-no-pie.patch +26 -0 
diff --git a/PKGBUILD b/PKGBUILD
index 8436b5f..690c746 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,7 +3,7 @@
 
 pkgname=namcap
 pkgver=3.2.8
-pkgrel=2
+pkgrel=3
 pkgdesc="A Pacman package analyzer"
 arch=('any')
 url="http://projects.archlinux.org/namcap.git/"
@@ -11,29 +11,36 @@ license=('GPL')
 depends=('python' 'pyalpm>=0.5' 'licenses'
          'binutils' 'elfutils' 'python-pyelftools')
 makedepends=('python-setuptools')
-source=(https://sources.archlinux.org/other/${pkgname}/${pkgname}-${pkgver}.tar.gz missing-desktop-file-utils.patch)
+source=(https://sources.archlinux.org/other/${pkgname}/${pkgname}-${pkgver}.tar.gz
+        namcap-fix-full-relro.patch
+        namcap-ignore-so-no-pie.patch
+        missing-desktop-file-utils.patch)
 sha512sums=('504b8294a86fdcc15946098fa57a4b6ca3bea0daf9ec51e7eab62078225b2102f527e123a9aeee33b8c4151adb8a59c5a682e25fd0330bd576d3da737f2a7d81'
+            '2ca2bebef6c2307b73081b424c1a6cc34f0087726c48bac7808b35d88ddab6d8668b09ebf964a46f48fde4ce2c2ab8b5fdcc5120864d412d24d66d623bd47b6c'
+            'df8a8c389aa9d619650d6e472409e4480095e09d5ea60b232a865e1a654dd9440e2228f1f098302b529d6db89f9cd0d8d066881da2bc3ca9ec07b17368efd2cf'
             '74efb1939053f41129cd811cf84abef8ff84ca4673cb62c3115b9d56830a57a48fed021b9807a74299c4c4cf3ec1880733f91dd5d06f4b9ac294fc78a9b5498e')
 
 prepare() {
-  cd ${srcdir}/${pkgname}-${pkgver}
-  patch -Np1 -i ${srcdir}/missing-desktop-file-utils.patch
+  cd ${pkgname}-${pkgver}
+  patch -Np1 -i "${srcdir}/missing-desktop-file-utils.patch"
+  patch -Np1 -i "${srcdir}/namcap-fix-full-relro.patch"
+  patch -Np1 -i "${srcdir}/namcap-ignore-so-no-pie.patch"
 }
 
 build() {
-  cd ${srcdir}/${pkgname}-${pkgver}
+  cd ${pkgname}-${pkgver}
   python setup.py build
 }
 
 check() {
-  cd ${srcdir}/${pkgname}-${pkgver}
-  env PARSE_PKGBUILD_PATH=${srcdir}/${pkgname}-${pkgver} \
-      PATH=${srcdir}/${pkgname}-${pkgver}:$PATH \
+  cd ${pkgname}-${pkgver}
+  env PARSE_PKGBUILD_PATH="${srcdir}/${pkgname}-${pkgver}" \
+      PATH="${srcdir}/${pkgname}-${pkgver}:$PATH" \
       python setup.py test
 }
 
 package() {
-  cd ${srcdir}/${pkgname}-${pkgver}
-  python setup.py install --root=${pkgdir}
+  cd ${pkgname}-${pkgver}
+  python setup.py install --root="${pkgdir}"
 }
 
diff --git a/namcap-fix-full-relro.patch b/namcap-fix-full-relro.patch
new file mode 100644
index 0000000..a11b63f
--- /dev/null
+++ b/namcap-fix-full-relro.patch
@@ -0,0 +1,38 @@
+From 4bf61fa3c5ecb928b2aaa526f8f56f3b5284d25f Mon Sep 17 00:00:00 2001
+From: Chih-Hsuan Yen <yan12125@gmail.com>
+Date: Tue, 11 Sep 2018 22:28:37 +0800
+Subject: elffiles: also check DF_BIND_NOW when checking FULL RELRO
+
+Looks like DF_BIND_NOW has the same function as DT_BIND_NOW.
+
+Signed-off-by: Kyle Keen <keenerd@gmail.com>
+---
+ Namcap/rules/elffiles.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
+index d707a58..6cef680 100644
+--- a/Namcap/rules/elffiles.py
++++ b/Namcap/rules/elffiles.py
+@@ -140,11 +140,16 @@ class ELFGnuRelroRule(TarballRule):
+ 	description = "Check for FULL RELRO in ELF files."
+ 
+ 	def has_bind_now(self, elffile):
++		DF_BIND_NOW = 0x08
++
+ 		for section in elffile.iter_sections():
+ 			if not isinstance(section, DynamicSection):
+ 				continue
+-			if any(tag.entry.d_tag == 'DT_BIND_NOW' for tag in section.iter_tags()):
+-				return True
++			for tag in section.iter_tags():
++				if tag.entry.d_tag == 'DT_BIND_NOW':
++					return True
++				if tag.entry.d_tag == 'DT_FLAGS' and tag.entry.d_val & DF_BIND_NOW:
++					return True
+ 		return False
+ 
+ 	def analyze(self, pkginfo, tar):
+-- 
+cgit v1.2.1-1-g437b
+
diff --git a/namcap-ignore-so-no-pie.patch b/namcap-ignore-so-no-pie.patch
new file mode 100644
index 0000000..a7d7e38
--- /dev/null
+++ b/namcap-ignore-so-no-pie.patch
@@ -0,0 +1,26 @@
+From 4ece4901d13b9fa590a538cc2133374d3c17df6f Mon Sep 17 00:00:00 2001
+From: Jelle van der Waa <jelle@vdwaa.nl>
+Date: Tue, 11 Sep 2018 18:21:39 +0200
+Subject: Ignore .so for no PIE check
+
+Signed-off-by: Kyle Keen <keenerd@gmail.com>
+---
+ Namcap/rules/elffiles.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Namcap/rules/elffiles.py b/Namcap/rules/elffiles.py
+index 6cef680..4ad1e66 100644
+--- a/Namcap/rules/elffiles.py
++++ b/Namcap/rules/elffiles.py
+@@ -228,6 +228,8 @@ class NoPIERule(TarballRule):
+ 		for entry in tar:
+ 			if not entry.isfile():
+ 				continue
++			if '.so' in entry.name:
++				continue
+ 			fp = tar.extractfile(entry)
+ 			if not is_elf(fp):
+ 				continue
+-- 
+cgit v1.2.1-1-g437b
+