commit: 0f246a2c5449e2345bd82436a3c8b273504ce56a Author: Victor Skovorodnikov <victor3.14 <AT> yandex <DOT> com> AuthorDate: Tue Jul 25 22:13:12 2023 +0000 Commit: Viorel Munteanu <ceamac <AT> gentoo <DOT> org> CommitDate: Tue Jul 25 22:13:12 2023 +0000 URL: https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=0f246a2c
net-p2p/dogecoin-qt: Applying fix for Bug 910673 Signed-off-by: Victor Skovorodnikov <victor3.14 <AT> yandex.com> net-p2p/dogecoin-qt/dogecoin-qt-1.14.6.ebuild | 14 +++++++++- .../dogecoin-qt/files/1.14.6-hardened-all.patch | 18 +++++++++++++ .../files/1.14.6-hardened-minimal.patch | 31 ++++++++++++++++++++++ .../dogecoin-qt/files/1.14.6-hardened-no-pie.patch | 29 ++++++++++++++++++++ .../dogecoin-qt/files/1.14.6-hardened-no-ssp.patch | 19 +++++++++++++ net-p2p/dogecoin-qt/metadata.xml | 2 ++ 6 files changed, 112 insertions(+), 1 deletion(-)
diff --git a/net-p2p/dogecoin-qt/dogecoin-qt-1.14.6.ebuild b/net-p2p/dogecoin-qt/dogecoin-qt-1.14.6.ebuild
index b55f6b7d7..bd1c09029 100644
--- a/net-p2p/dogecoin-qt/dogecoin-qt-1.14.6.ebuild
+++ b/net-p2p/dogecoin-qt/dogecoin-qt-1.14.6.ebuild
@@ -12,7 +12,8 @@ LICENSE="MIT"
 SLOT="0"
 DB_VER="5.3"
 KEYWORDS="~amd64"
-IUSE="cpu_flags_x86_avx2 dogecoind +prune tests utils +wallet zmq"
+# Please see Bug 910673 Comment 10
+IUSE="cpu_flags_x86_avx2 dogecoind +pie +prune +ssp tests utils +wallet zmq"
 REQUIRED_USE="dogecoind? ( utils )"
 DOGEDIR="/opt/${PN}"
 DEPEND="
@@ -52,6 +53,17 @@ WORKDIR_="${WORKDIR}/dogecoin-${PV}"
 S=${WORKDIR_}
 src_prepare() {
+
+ if use pie && use ssp ; then
+ PATCHES+=( "${FILESDIR}"/"${PV}"-hardened-all.patch )
+ elif use pie && ! use ssp ; then
+ PATCHES+=( "${FILESDIR}"/"${PV}"-hardened-no-ssp.patch )
+ elif use ssp && ! use pie ; then
+ PATCHES+=( "${FILESDIR}"/"${PV}"-hardened-no-pie.patch )
+ else
+ PATCHES+=( "${FILESDIR}"/"${PV}"-hardened-minimal.patch )
+ fi
+
 default
 einfo "Generating autotools files..."
diff --git a/net-p2p/dogecoin-qt/files/1.14.6-hardened-all.patch b/net-p2p/dogecoin-qt/files/1.14.6-hardened-all.patch
new file mode 100644
index 000000000..e625d8c6f
--- /dev/null
+++ b/net-p2p/dogecoin-qt/files/1.14.6-hardened-all.patch
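Review bot: The comment added above `IUSE` only points at a bug-tracker comment, so a reader of the ebuild cannot tell what the new `pie` and `ssp` flags gate without leaving the tree. Going by the patches in this commit, the flags decide whether upstream's explicit `-fPIE`/`-pie` and `-fstack-protector-all` checks stay in `configure.ac`. I would state that in place, for example `# pie/ssp keep upstream's explicit -fPIE/-pie and -fstack-protector-all checks in configure.ac (bug 910673, comment 10)`.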
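Review bot: Nothing in `src_prepare` tells the user when a build drops hardening: with `USE=-pie` or `USE=-ssp` the `elif`/`else` arms silently select a patch that strips upstream's PIE or stack-protector checks from `configure.ac`. Since this package builds a P2P client with an optional wallet and daemon, I would surface that in the build log, e.g. `use pie && use ssp || ewarn "Upstream PIE and/or stack-protector flags disabled; only toolchain defaults apply"` ahead of `default`. As a smaller style point, the `! use ssp` and `! use pie` tests in the two `elif` arms are already implied by the earlier branches failing. The rest of `src_prepare` lies outside the hunk.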
@@ -0,0 +1,18 @@
+diff --git a/configure.ac b/configure.ac
+index 653fe71..a93502c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -506,13 +506,6 @@ if test x$use_hardening != xno; then
+ AX_CHECK_COMPILE_FLAG([-Wstack-protector],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -Wstack-protector"])
+ AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"])
+
+- AX_CHECK_PREPROC_FLAG([-D_FORTIFY_SOURCE=2],[
+- AX_CHECK_PREPROC_FLAG([-U_FORTIFY_SOURCE],[
+- HARDENED_CPPFLAGS="$HARDENED_CPPFLAGS -U_FORTIFY_SOURCE"
+- ])
+- HARDENED_CPPFLAGS="$HARDENED_CPPFLAGS -D_FORTIFY_SOURCE=2"
+- ])
+-
+ AX_CHECK_LINK_FLAG([[-Wl,--dynamicbase]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--dynamicbase"])
+ AX_CHECK_LINK_FLAG([[-Wl,--nxcompat]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--nxcompat"])
+ AX_CHECK_LINK_FLAG([[-Wl,--high-entropy-va]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--high-entropy-va"])
diff --git a/net-p2p/dogecoin-qt/files/1.14.6-hardened-minimal.patch b/net-p2p/dogecoin-qt/files/1.14.6-hardened-minimal.patch
new file mode 100644
index 000000000..3642e0640
--- /dev/null
+++ b/net-p2p/dogecoin-qt/files/1.14.6-hardened-minimal.patch
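Review bot: `hardened-all.patch` deletes the `-U_FORTIFY_SOURCE`/`-D_FORTIFY_SOURCE=2` block from `configure.ac`, although its name and the `pie && ssp` branch that selects it suggest all of upstream's hardening is kept. The same removal is repeated in the minimal, no-pie and no-ssp patches, so every USE combination loses the explicit fortify setting. That is presumably deliberate, with the distribution toolchain expected to define `_FORTIFY_SOURCE` itself, but nothing on the page says so, and a toolchain without that default would build with no fortify at all. I would add a short header to each patch file, such as `Drop configure's own _FORTIFY_SOURCE=2 handling; the toolchain is expected to set it (bug 910673)`, once that reason is confirmed.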
@@ -0,0 +1,31 @@
+diff --git a/configure.ac b/configure.ac
+index 653fe71..1d60d30 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -504,14 +504,6 @@ fi
+
+ if test x$use_hardening != xno; then
+ AX_CHECK_COMPILE_FLAG([-Wstack-protector],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -Wstack-protector"])
+- AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"])
+-
+- AX_CHECK_PREPROC_FLAG([-D_FORTIFY_SOURCE=2],[
+- AX_CHECK_PREPROC_FLAG([-U_FORTIFY_SOURCE],[
+- HARDENED_CPPFLAGS="$HARDENED_CPPFLAGS -U_FORTIFY_SOURCE"
+- ])
+- HARDENED_CPPFLAGS="$HARDENED_CPPFLAGS -D_FORTIFY_SOURCE=2"
+- ])
+
+ AX_CHECK_LINK_FLAG([[-Wl,--dynamicbase]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--dynamicbase"])
+ AX_CHECK_LINK_FLAG([[-Wl,--nxcompat]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--nxcompat"])
+@@ -519,11 +511,6 @@ if test x$use_hardening != xno; then
+ AX_CHECK_LINK_FLAG([[-Wl,-z,relro]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-z,relro"])
+ AX_CHECK_LINK_FLAG([[-Wl,-z,now]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-z,now"])
+
+- if test x$TARGET_OS != xwindows; then
+- AX_CHECK_COMPILE_FLAG([-fPIE],[PIE_FLAGS="-fPIE"])
+- AX_CHECK_LINK_FLAG([[-pie]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -pie"])
+- fi
+-
+ case $host in
+ *mingw*)
+ AC_CHECK_LIB([ssp], [main],, AC_MSG_ERROR(lib missing))
diff --git a/net-p2p/dogecoin-qt/files/1.14.6-hardened-no-pie.patch b/net-p2p/dogecoin-qt/files/1.14.6-hardened-no-pie.patch
new file mode 100644
index 000000000..076f8655b
--- /dev/null
+++ b/net-p2p/dogecoin-qt/files/1.14.6-hardened-no-pie.patch
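Review bot: This patch is built from removals that the sibling patches also carry: the fortify block (all four files), the `-fstack-protector-all` line (also in no-ssp) and the `-fPIE`/`-pie` block (also in no-pie). Four hand-synchronised copies of overlapping hunks can drift apart on the next version bump, and a missed edit would quietly change which hardening flags a given USE combination gets. Three independent patches, one per removed feature and each applied under its own `use` test, would keep every removal in one place; because the stack-protector and fortify hunks are adjacent, their context would need care so they still apply in sequence.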
@@ -0,0 +1,29 @@
+diff --git a/configure.ac b/configure.ac
+index 653fe71..a49d74c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -506,24 +506,12 @@ if test x$use_hardening != xno; then
+ AX_CHECK_COMPILE_FLAG([-Wstack-protector],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -Wstack-protector"])
+ AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"])
+
+- AX_CHECK_PREPROC_FLAG([-D_FORTIFY_SOURCE=2],[
+- AX_CHECK_PREPROC_FLAG([-U_FORTIFY_SOURCE],[
+- HARDENED_CPPFLAGS="$HARDENED_CPPFLAGS -U_FORTIFY_SOURCE"
+- ])
+- HARDENED_CPPFLAGS="$HARDENED_CPPFLAGS -D_FORTIFY_SOURCE=2"
+- ])
+-
+ AX_CHECK_LINK_FLAG([[-Wl,--dynamicbase]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--dynamicbase"])
+ AX_CHECK_LINK_FLAG([[-Wl,--nxcompat]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--nxcompat"])
+ AX_CHECK_LINK_FLAG([[-Wl,--high-entropy-va]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--high-entropy-va"])
+ AX_CHECK_LINK_FLAG([[-Wl,-z,relro]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-z,relro"])
+ AX_CHECK_LINK_FLAG([[-Wl,-z,now]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-z,now"])
+
+- if test x$TARGET_OS != xwindows; then
+- AX_CHECK_COMPILE_FLAG([-fPIE],[PIE_FLAGS="-fPIE"])
+- AX_CHECK_LINK_FLAG([[-pie]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -pie"])
+- fi
+-
+ case $host in
+ *mingw*)
+ AC_CHECK_LIB([ssp], [main],, AC_MSG_ERROR(lib missing))
diff --git a/net-p2p/dogecoin-qt/files/1.14.6-hardened-no-ssp.patch b/net-p2p/dogecoin-qt/files/1.14.6-hardened-no-ssp.patch
new file mode 100644
index 000000000..324451ad0
--- /dev/null
+++ b/net-p2p/dogecoin-qt/files/1.14.6-hardened-no-ssp.patch
@@ -0,0 +1,19 @@
+diff --git a/configure.ac b/configure.ac
+index 653fe71..bd4bd78 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -504,14 +504,6 @@ fi
+
+ if test x$use_hardening != xno; then
+ AX_CHECK_COMPILE_FLAG([-Wstack-protector],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -Wstack-protector"])
+- AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"])
+-
+- AX_CHECK_PREPROC_FLAG([-D_FORTIFY_SOURCE=2],[
+- AX_CHECK_PREPROC_FLAG([-U_FORTIFY_SOURCE],[
+- HARDENED_CPPFLAGS="$HARDENED_CPPFLAGS -U_FORTIFY_SOURCE"
+- ])
+- HARDENED_CPPFLAGS="$HARDENED_CPPFLAGS -D_FORTIFY_SOURCE=2"
+- ])
+
+ AX_CHECK_LINK_FLAG([[-Wl,--dynamicbase]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--dynamicbase"])
+ AX_CHECK_LINK_FLAG([[-Wl,--nxcompat]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--nxcompat"])
diff --git a/net-p2p/dogecoin-qt/metadata.xml b/net-p2p/dogecoin-qt/metadata.xml
index a63cc794b..9c3d65e2c 100644
--- a/net-p2p/dogecoin-qt/metadata.xml
+++ b/net-p2p/dogecoin-qt/metadata.xml
@@ -13,7 +13,9 @@
 </maintainer>
 <use>
 <flag name="dogecoind">Build with dogecoind daemon</flag>
+ <flag name="pie">Position Independent Executables - attempt to harden resulting executables, for extra security</flag>
 <flag name="prune">Enables automatic pruning of old blocks to stay below 2.2GB target size (if ran from desktop)</flag>
+ <flag name="ssp">Apply stack protector to all functions, for extra security</flag>
 <flag name="tests">Build Dogecoin Core Qt with tests option</flag>
 <flag name="utils">Build with client utilities dogecoin-cli and dogecoin-tx</flag>
 <flag name="wallet">Build Dogecoin Core Qt with wallet</flag>