* [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers @ 2016-06-16 10:59 Alexander Kanavin 2016-06-16 10:59 ` [PATCH 2/5] security_flags.inc: add python3-pycairo and libnewt-python to no-pie exception list Alexander Kanavin ` (4 more replies) 0 siblings, 5 replies; 11+ messages in thread From: Alexander Kanavin @ 2016-06-16 10:59 UTC (permalink / raw) To: openembedded-core These recipes no longer seem to need full exclusion from security hardening. The rest (glibc, gcc-runtime, valgrind, grub, grub-efi, uclibc) still do. [YOCTO #9489] Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> --- meta/conf/distro/include/security_flags.inc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index ea1d4e5..cd2b964 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc @@ -43,7 +43,7 @@ SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-flex = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-gcc = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-gcc-runtime = "" -SECURITY_CFLAGS_pn-gcc-sanitizers = "" +SECURITY_CFLAGS_pn-gcc-sanitizers = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-gdb = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-gmp = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-gnutls = "${SECURITY_NO_PIE_CFLAGS}" @@ -62,7 +62,7 @@ SECURITY_CFLAGS_pn-kexec-tools = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-iptables = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-libaio = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-libcap = "${SECURITY_NO_PIE_CFLAGS}" -SECURITY_CFLAGS_pn-libgcc = "" +SECURITY_CFLAGS_pn-libgcc = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-libid3tag = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-libnewt = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-libglu = "${SECURITY_NO_PIE_CFLAGS}" 
@@ -109,10 +109,8 @@ TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}" TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}" SECURITY_LDFLAGS_remove_pn-gcc-runtime = "-fstack-protector-strong" -SECURITY_LDFLAGS_remove_pn-gcc-sanitizers = "-fstack-protector-strong" SECURITY_LDFLAGS_remove_pn-glibc = "-fstack-protector-strong" SECURITY_LDFLAGS_remove_pn-glibc-initial = "-fstack-protector-strong" -SECURITY_LDFLAGS_remove_pn-libgcc = "-fstack-protector-strong" SECURITY_LDFLAGS_remove_pn-uclibc = "-fstack-protector-strong" SECURITY_LDFLAGS_remove_pn-uclibc-initial = "-fstack-protector-strong" SECURITY_LDFLAGS_pn-xf86-video-fbdev = "${SECURITY_X_LDFLAGS}" -- 2.8.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
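Review bot: The commit message should say which GCC versions and target architectures were built, because the @@ -109,10 hunk drops the SECURITY_LDFLAGS_remove lines for gcc-sanitizers and libgcc, so both now link with -fstack-protector-strong, and the two CFLAGS hunks move them from an empty SECURITY_CFLAGS to ${SECURITY_NO_PIE_CFLAGS}. "No longer seem to need" leaves open whether this holds for every supported compiler. gcc-runtime keeps both of its exclusions in the same file, so a short note on why it still differs from libgcc would help the next person who revisits this list.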
* [PATCH 2/5] security_flags.inc: add python3-pycairo and libnewt-python to no-pie exception list 2016-06-16 10:59 [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Alexander Kanavin @ 2016-06-16 10:59 ` Alexander Kanavin 2016-06-16 10:59 ` [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS Alexander Kanavin ` (3 subsequent siblings) 4 siblings, 0 replies; 11+ messages in thread From: Alexander Kanavin @ 2016-06-16 10:59 UTC (permalink / raw) To: openembedded-core Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> --- meta/conf/distro/include/security_flags.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index cd2b964..a7be185 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc @@ -65,6 +65,7 @@ SECURITY_CFLAGS_pn-libcap = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-libgcc = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-libid3tag = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-libnewt = "${SECURITY_NO_PIE_CFLAGS}" +SECURITY_CFLAGS_pn-libnewt-python = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-libglu = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-libpcap = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-libpcre = "${SECURITY_NO_PIE_CFLAGS}" @@ -80,6 +81,7 @@ SECURITY_CFLAGS_pn-python-pycurl = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-python-smartpm = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-python-numpy = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-python3-numpy = "${SECURITY_NO_PIE_CFLAGS}" +SECURITY_CFLAGS_pn-python3-pycairo = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-python3 = "${SECURITY_NO_PIE_CFLAGS}" # Revert RPM to using internally supported values SECURITY_CFLAGS_pn-rpm = "${lcl_maybe_fortify} -fstack-protector" -- 2.8.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
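Review bot: The commit message has no body: neither added line (SECURITY_CFLAGS_pn-libnewt-python, SECURITY_CFLAGS_pn-python3-pycairo) comes with a description of what fails when the recipe is built with "-pie -fpie", and there is no bug reference as in the other patches of the series. Each entry in this list takes PIE away from a recipe, so record the observed failure (build error or QA message) in the commit message so the exception can be re-tested and removed later.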
* [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS 2016-06-16 10:59 [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Alexander Kanavin 2016-06-16 10:59 ` [PATCH 2/5] security_flags.inc: add python3-pycairo and libnewt-python to no-pie exception list Alexander Kanavin @ 2016-06-16 10:59 ` Alexander Kanavin 2016-06-17 2:38 ` Andre McCurdy 2016-06-16 10:59 ` [PATCH 4/5] security_flags.inc: add epiphany " Alexander Kanavin ` (2 subsequent siblings) 4 siblings, 1 reply; 11+ messages in thread From: Alexander Kanavin @ 2016-06-16 10:59 UTC (permalink / raw) To: openembedded-core The packages that break due to -fpie can be still built with -fPIC. [YOCTO #9486] Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> --- meta/conf/distro/include/security_flags.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index a7be185..26804bd 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc @@ -13,7 +13,7 @@ lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security" SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" -SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" +SECURITY_NO_PIE_CFLAGS ?= "-fPIC -fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now" SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro" -- 2.8.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
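Review bot: Adding -fPIC to SECURITY_NO_PIE_CFLAGS in the @@ -13,7 hunk does not make the affected executables position independent, because nothing in the link step changes: SECURITY_LDFLAGS stays "-fstack-protector-strong -Wl,-z,relro,-z,now" with no -pie, and -pie appears only in SECURITY_CFLAGS, which these recipes do not use. The result is PIC code generation overhead in every object of the listed recipes without a randomised load address for the final binary. Either drop the change or explain in the commit message what -fPIC is expected to achieve for recipes that cannot link with -pie.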
* Re: [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS 2016-06-16 10:59 ` [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS Alexander Kanavin @ 2016-06-17 2:38 ` Andre McCurdy 2016-06-17 18:12 ` Alexander Kanavin 0 siblings, 1 reply; 11+ messages in thread From: Andre McCurdy @ 2016-06-17 2:38 UTC (permalink / raw) To: Alexander Kanavin; +Cc: OE Core mailing list On Thu, Jun 16, 2016 at 3:59 AM, Alexander Kanavin <alexander.kanavin@linux.intel.com> wrote: > The packages that break due to -fpie can be still built with -fPIC. > > [YOCTO #9486] > > Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> > --- > meta/conf/distro/include/security_flags.inc | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc > index a7be185..26804bd 100644 > --- a/meta/conf/distro/include/security_flags.inc > +++ b/meta/conf/distro/include/security_flags.inc 
> @@ -13,7 +13,7 @@ lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE > SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security" > > SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > -SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > +SECURITY_NO_PIE_CFLAGS ?= "-fPIC -fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" I don't think this does anything useful. An executable won't be position independent unless -pie is passed to the linker, so if linking with -pie doesn't work, forcing all object code to be position independent is just adding overhead with no benefit. > SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now" > SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro" > -- > 2.8.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS 2016-06-17 2:38 ` Andre McCurdy @ 2016-06-17 18:12 ` Alexander Kanavin 0 siblings, 0 replies; 11+ messages in thread From: Alexander Kanavin @ 2016-06-17 18:12 UTC (permalink / raw) To: Andre McCurdy; +Cc: OE Core mailing list On 06/17/2016 05:38 AM, Andre McCurdy wrote: >> SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" >> -SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" >> +SECURITY_NO_PIE_CFLAGS ?= "-fPIC -fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > > I don't think this does anything useful. An executable won't be > position independent unless -pie is passed to the linker, so if > linking with -pie doesn't work, forcing all object code to be position > independent is just adding overhead with no benefit. That's right; there is no security benefit in -fPIC alone. Sorry for not researching this fully. I have however disabled NO_PIE for all recipes that use it, and then re-enabled it for those that started to fail. This uncovered a few recipes where NO_PIE is no longer needed - at least on x86_64. Patch is coming :) Alex ^ permalink raw reply [flat|nested] 11+ messages in thread
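The question settled in this sub-thread (does the final binary end up position independent, and do the -z relro / -z now link flags and text relocations show up in it) can be checked on the build output itself. The following is an added example, not part of the original messages or of OpenEmbedded; audit_elf, describe and build_sample are hypothetical names, only ELF64 little-endian is handled, and the four images are constructed in memory rather than taken from a real build. Note that ET_DYN is also the type of shared libraries, so the first field only says the image can be loaded at any address.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)
DYN = struct.Struct("<qQ")                 # ELF64 dynamic entry (16 bytes)

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_TEXTREL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 22, 24, 30, 0x6FFFFFFB
DF_TEXTREL, DF_BIND_NOW, DF_1_NOW = 0x4, 0x8, 0x1


def audit_elf(data):
    """Return the link-time hardening properties recorded in an ELF64 LE image."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    hdr = EHDR.unpack_from(data)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    # ET_EXEC is what a link without -pie produces, whatever CFLAGS contained.
    found = {"position_independent": e_type == ET_DYN,
             "relro": False, "bind_now": False, "textrel": False}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR.size > len(data):
            raise ValueError("truncated program header table")
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(data, off)
        if p_type == PT_GNU_RELRO:          # emitted for -Wl,-z,relro
            found["relro"] = True
        elif p_type == PT_DYNAMIC:
            end = min(p_offset + p_filesz, len(data))
            for pos in range(p_offset, end - DYN.size + 1, DYN.size):
                tag, val = DYN.unpack_from(data, pos)
                if tag == DT_NULL:
                    break
                # Text relocations: the condition behind the "textrel" QA check.
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    found["textrel"] = True
                # Any of these three markers means -Wl,-z,now was in effect.
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    found["bind_now"] = True
    return found


def describe(data):
    """One-line summary; RELRO is 'full' only when combined with immediate binding."""
    f = audit_elf(data)
    relro = "full" if f["relro"] and f["bind_now"] else "partial" if f["relro"] else "none"
    return "pic-image=%s relro=%s textrel=%s" % (
        "yes" if f["position_independent"] else "no", relro,
        "yes" if f["textrel"] else "no")


def build_sample(e_type, relro, dyn_entries):
    """Construct a minimal ELF64 image (headers and dynamic section only)."""
    dyn = b"".join(DYN.pack(t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    phnum = 2 if relro else 1
    dyn_off = EHDR.size + phnum * PHDR.size
    phdrs = PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    if relro:
        phdrs += PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn


# Constructed images modelled on the flag sets discussed in the thread.
FULL = build_sample(ET_DYN, True, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)])
NO_PIE = build_sample(ET_EXEC, True, [(DT_FLAGS, DF_BIND_NOW)])   # linked without -pie
X_LDFLAGS = build_sample(ET_DYN, True, [])                        # -z relro, no -z now
TEXTREL = build_sample(ET_DYN, True, [(DT_TEXTREL, 0), (DT_FLAGS, DF_TEXTREL | DF_BIND_NOW)])

if __name__ == "__main__":
    for name, image in (("full", FULL), ("no-pie", NO_PIE),
                        ("x-ldflags", X_LDFLAGS), ("textrel", TEXTREL)):
        print("%-10s %s" % (name, describe(image)))
```

To audit real output, pass the bytes of a file from the image root filesystem to describe(); the NO_PIE case is the one the thread is about, since its header type stays ET_EXEC regardless of -fPIC in CFLAGS.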
* [PATCH 4/5] security_flags.inc: add epiphany to SECURITY_NO_PIE_CFLAGS 2016-06-16 10:59 [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Alexander Kanavin 2016-06-16 10:59 ` [PATCH 2/5] security_flags.inc: add python3-pycairo and libnewt-python to no-pie exception list Alexander Kanavin 2016-06-16 10:59 ` [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS Alexander Kanavin @ 2016-06-16 10:59 ` Alexander Kanavin 2016-06-17 2:39 ` Andre McCurdy 2016-06-16 10:59 ` [PATCH 5/5] libmad: replace with mpg123 Alexander Kanavin 2016-06-17 2:56 ` [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Andre McCurdy 4 siblings, 1 reply; 11+ messages in thread From: Alexander Kanavin @ 2016-06-16 10:59 UTC (permalink / raw) To: openembedded-core Otherwise there is a QA warning about relocations in .text Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> --- meta/conf/distro/include/security_flags.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index 26804bd..ea00bdd 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc @@ -38,6 +38,7 @@ SECURITY_CFLAGS_pn-glibc = "" SECURITY_CFLAGS_pn-glibc-initial = "" SECURITY_CFLAGS_pn-elfutils = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-enchant = "${SECURITY_NO_PIE_CFLAGS}" +SECURITY_CFLAGS_pn-epiphany = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-expect = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}" SECURITY_CFLAGS_pn-flex = "${SECURITY_NO_PIE_CFLAGS}" -- 2.8.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
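Review bot: The added SECURITY_CFLAGS_pn-epiphany line silences the "relocations in .text" QA warning without saying which object or library triggers it. SECURITY_NO_PIE_CFLAGS differs from SECURITY_CFLAGS only by dropping "-pie -fpie" and, after patch 3/5, adding -fPIC, so this entry both removes PIE from epiphany and depends on the -fPIC change to have any effect on the warning. Please name the file that carries the text relocations in the commit message and check whether the cause is in the epiphany build itself, where it could be fixed without taking the recipe out of the PIE set.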
* Re: [PATCH 4/5] security_flags.inc: add epiphany to SECURITY_NO_PIE_CFLAGS 2016-06-16 10:59 ` [PATCH 4/5] security_flags.inc: add epiphany " Alexander Kanavin @ 2016-06-17 2:39 ` Andre McCurdy 2016-06-17 18:16 ` Alexander Kanavin 0 siblings, 1 reply; 11+ messages in thread From: Andre McCurdy @ 2016-06-17 2:39 UTC (permalink / raw) To: Alexander Kanavin; +Cc: OE Core mailing list On Thu, Jun 16, 2016 at 3:59 AM, Alexander Kanavin <alexander.kanavin@linux.intel.com> wrote: > Otherwise there is a QA warning about relocations in .text Typically these warnings come from assembler and can't be fixed via CFLAGS. If this one _can_ be fixed via CFLAGS then it suggests a bug in the Epiphany build somewhere (e.g. reusing an object file intended for a static lib in an .so). Maybe it's better to track that down and fix properly instead of working around it by globally adding -fPIC to CFLAGS? > Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> > --- > meta/conf/distro/include/security_flags.inc | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc > index 26804bd..ea00bdd 100644 > --- a/meta/conf/distro/include/security_flags.inc > +++ b/meta/conf/distro/include/security_flags.inc 
> @@ -38,6 +38,7 @@ SECURITY_CFLAGS_pn-glibc = "" > SECURITY_CFLAGS_pn-glibc-initial = "" > SECURITY_CFLAGS_pn-elfutils = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-enchant = "${SECURITY_NO_PIE_CFLAGS}" > +SECURITY_CFLAGS_pn-epiphany = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-expect = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-flex = "${SECURITY_NO_PIE_CFLAGS}" > -- > 2.8.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 4/5] security_flags.inc: add epiphany to SECURITY_NO_PIE_CFLAGS 2016-06-17 2:39 ` Andre McCurdy @ 2016-06-17 18:16 ` Alexander Kanavin 0 siblings, 0 replies; 11+ messages in thread From: Alexander Kanavin @ 2016-06-17 18:16 UTC (permalink / raw) To: Andre McCurdy; +Cc: OE Core mailing list On 06/17/2016 05:39 AM, Andre McCurdy wrote: > Typically these warnings come from assembler and can't be fixed via > CFLAGS. If this one _can_ be fixed via CFLAGS then it suggests a bug > in the Epiphany build somewhere (e.g. reusing an object file intended > for a static lib in an .so). Maybe it's better to track that down and > fix properly instead of working around it by globally adding -fPIC to > CFLAGS? Thanks; I dropped the patch. Alex ^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 5/5] libmad: replace with mpg123 2016-06-16 10:59 [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Alexander Kanavin ` (2 preceding siblings ...) 2016-06-16 10:59 ` [PATCH 4/5] security_flags.inc: add epiphany " Alexander Kanavin @ 2016-06-16 10:59 ` Alexander Kanavin 2016-06-17 2:56 ` [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Andre McCurdy 4 siblings, 0 replies; 11+ messages in thread From: Alexander Kanavin @ 2016-06-16 10:59 UTC (permalink / raw) To: openembedded-core mpg123 recipe is taken from meta-oe and updated to latest release. Also audiofile dependency is dropped as it's not actually used anywhere. [YOCTO #6020] Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> --- .../gstreamer/gstreamer1.0-plugins-ugly.inc | 2 +- .../libmad/libmad/add-pkgconfig.patch | 70 ---------------------- .../libmad/libmad/automake-foreign.patch | 12 ---- .../libmad/fix_for_mips_with_gcc-4.5.0.patch | 33 ---------- .../libmad/libmad/no-force-mem.patch | 18 ------ .../libmad/libmad/obsolete_automake_macros.patch | 14 ----- meta/recipes-multimedia/libmad/libmad_0.15.1b.bb | 36 ----------- meta/recipes-multimedia/mpg123/mpg123_1.23.4.bb | 63 +++++++++++++++++++ 8 files changed, 64 insertions(+), 184 deletions(-) delete mode 100644 meta/recipes-multimedia/libmad/libmad/add-pkgconfig.patch delete mode 100644 meta/recipes-multimedia/libmad/libmad/automake-foreign.patch delete mode 100644 meta/recipes-multimedia/libmad/libmad/fix_for_mips_with_gcc-4.5.0.patch delete mode 100644 meta/recipes-multimedia/libmad/libmad/no-force-mem.patch delete mode 100644 meta/recipes-multimedia/libmad/libmad/obsolete_automake_macros.patch delete mode 100644 meta/recipes-multimedia/libmad/libmad_0.15.1b.bb create mode 100644 meta/recipes-multimedia/mpg123/mpg123_1.23.4.bb 
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly.inc b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly.inc index 4582e5b..708ad7a 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly.inc +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly.inc @@ -9,7 +9,7 @@ inherit gettext PACKAGECONFIG ??= " \ ${GSTREAMER_ORC} \ - a52dec lame mad mpeg2dec \ + a52dec lame mpg123 mpeg2dec \ " PACKAGECONFIG[a52dec] = "--enable-a52dec,--disable-a52dec,liba52" diff --git a/meta/recipes-multimedia/libmad/libmad/add-pkgconfig.patch b/meta/recipes-multimedia/libmad/libmad/add-pkgconfig.patch deleted file mode 100644 index b49dc8c..0000000 --- a/meta/recipes-multimedia/libmad/libmad/add-pkgconfig.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -Here is a patch for adding pkg-config support to libmad. -It would make life a bit easier for distro maintainers if this was applied. -In case you didn't know, pkg-config is a tool for providing LDFLAGS and -CFLAGS for packages using shared libraries. It's on freedesktop.org. -Debian has already been distributing the pkg-config file mad.pc with -libmad for some time, and people developing on debian (notably xmms2 -developers) have started relying on this support being present, causing -some confusion for people installing from source and on some BSDs which -do not provide mad.pc (google: pkgconfig libmad). - -EMH - -Upstream-Status: Inappropriate [configuration] - ---h31gzZEtNLTqOjlF -Content-Type: text/plain; charset=us-ascii -Content-Disposition: attachment; filename="libmad-0.15.1b-pkgconfig.patch" - -diff -Naur libmad-0.15.1b.old/configure.ac libmad-0.15.1b/configure.ac ---- libmad-0.15.1b.old/configure.ac 2004-01-23 10:41:32.000000000 +0100 -+++ libmad-0.15.1b/configure.ac 2004-08-07 02:25:24.633462168 +0200 -@@ -429,5 +429,5 @@ - dnl AC_SUBST(LTLIBOBJS) - - AC_CONFIG_FILES([Makefile msvc++/Makefile \ -- libmad.list]) -+ libmad.list mad.pc]) - AC_OUTPUT -diff -Naur libmad-0.15.1b.old/mad.pc.in libmad-0.15.1b/mad.pc.in ---- libmad-0.15.1b.old/mad.pc.in 1970-01-01 01:00:00.000000000 +0100 -+++ libmad-0.15.1b/mad.pc.in 2004-08-07 02:04:59.617692872 +0200 -@@ -0,0 +1,14 @@ -+# libmad pkg-config source file -+ -+prefix=@prefix@ -+exec_prefix=@exec_prefix@ -+libdir=@libdir@ -+includedir=@includedir@ -+ -+Name: mad -+Description: MPEG Audio Decoder -+Version: @VERSION@ -+Requires: -+Conflicts: -+Libs: -L${libdir} -lmad -lm -+Cflags: -I${includedir} -diff -Naur libmad-0.15.1b.old/Makefile.am libmad-0.15.1b/Makefile.am ---- libmad-0.15.1b.old/Makefile.am 2004-02-17 03:02:03.000000000 +0100 -+++ libmad-0.15.1b/Makefile.am 2004-08-07 02:03:19.859858368 +0200 -@@ -24,6 +24,9 @@ - SUBDIRS = - DIST_SUBDIRS = msvc++ - -+pkgconfigdir = $(libdir)/pkgconfig 
-+pkgconfig_DATA = mad.pc -+ - lib_LTLIBRARIES = libmad.la - include_HEADERS = mad.h - -@@ -34,7 +37,8 @@ - minimad_LDADD = libmad.la - - EXTRA_DIST = mad.h.sed \ -- CHANGES COPYRIGHT CREDITS README TODO VERSION -+ CHANGES COPYRIGHT CREDITS README TODO VERSION \ -+ mad.pc.in - - exported_headers = version.h fixed.h bit.h timer.h stream.h frame.h \ - synth.h decoder.h - diff --git a/meta/recipes-multimedia/libmad/libmad/automake-foreign.patch b/meta/recipes-multimedia/libmad/libmad/automake-foreign.patch deleted file mode 100644 index 3e54424..0000000 --- a/meta/recipes-multimedia/libmad/libmad/automake-foreign.patch +++ /dev/null @@ -1,12 +0,0 @@ -Pass foreign to AM_INIT_AUTOMAKE so it doesn't enforce GNU strictness. - -Upstream-Status: Pending -Signed-off-by: Ross Burton <ross.burton@intel.com> - -diff --git a/configure.ac b/configure.ac -index e602fd3..e075b86 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -29 +29 @@ AC_CONFIG_SRCDIR([decoder.h]) --AM_INIT_AUTOMAKE -+AM_INIT_AUTOMAKE([foreign]) diff --git a/meta/recipes-multimedia/libmad/libmad/fix_for_mips_with_gcc-4.5.0.patch b/meta/recipes-multimedia/libmad/libmad/fix_for_mips_with_gcc-4.5.0.patch deleted file mode 100644 index 01c7aa3..0000000 --- a/meta/recipes-multimedia/libmad/libmad/fix_for_mips_with_gcc-4.5.0.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -gcc 4.4 did this: The MIPS port no longer recognizes the h asm constraint. It was necessary to remove this constraint in order to avoid generating unpredictable code sequences. - -so the libmad build with gcc-4.5.0 was failing. - -Found a solution here: - -http://us.generation-nt.com/answer/bug-568418-libmad0-dev-mpg321-compilation-errors-mips-mipsel-architectures-help-169033451.html - -Upstream-Status: Pending - -2010/07/29 -Nitin A Kamble <nitin.a.kamble@intel.com> - -Index: libmad-0.15.1b/fixed.h -=================================================================== ---- libmad-0.15.1b.orig/fixed.h -+++ libmad-0.15.1b/fixed.h -@@ -297,6 +297,15 @@ mad_fixed_t mad_f_mul_inline(mad_fixed_t - - /* --- MIPS ---------------------------------------------------------------- */ - -+# elif defined(FPM_MIPS) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4)) -+ typedef unsigned int u64_di_t __attribute__ ((mode (DI))); -+# define MAD_F_MLX(hi, lo, x, y) \ -+ do { \ -+ u64_di_t __ll = (u64_di_t) (x) * (y); \ -+ hi = __ll >> 32; \ -+ lo = __ll; \ -+ } while (0) -+ - # elif defined(FPM_MIPS) - - /* diff --git a/meta/recipes-multimedia/libmad/libmad/no-force-mem.patch b/meta/recipes-multimedia/libmad/libmad/no-force-mem.patch deleted file mode 100644 index d5e6d20..0000000 --- a/meta/recipes-multimedia/libmad/libmad/no-force-mem.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -This option no longer exists in gcc 3.4.1 - -RP - 18/07/2008 - -Upstream-Status: Inappropriate [configuration] - -Index: libmad-0.15.1b/configure.ac -=================================================================== ---- libmad-0.15.1b.orig/configure.ac 2008-07-18 15:45:30.000000000 +0100 -+++ libmad-0.15.1b/configure.ac 2008-07-18 15:45:37.000000000 +0100 -@@ -140,7 +140,6 @@ - case "$optimize" in - -O|"-O "*) - optimize="-O" -- optimize="$optimize -fforce-mem" - optimize="$optimize -fforce-addr" - : #x optimize="$optimize -finline-functions" - : #- optimize="$optimize -fstrength-reduce" diff --git a/meta/recipes-multimedia/libmad/libmad/obsolete_automake_macros.patch b/meta/recipes-multimedia/libmad/libmad/obsolete_automake_macros.patch deleted file mode 100644 index cc87d29..0000000 --- a/meta/recipes-multimedia/libmad/libmad/obsolete_automake_macros.patch +++ /dev/null @@ -1,14 +0,0 @@ -Upstream-Status: Submitted [https://sourceforge.net/tracker/?group_id=12349&atid=112349] - -Signed-off-by: Marko Lindqvist <cazfi74@gmail.com> -diff -Nurd libmad-0.15.1b/configure.ac libmad-0.15.1b/configure.ac ---- libmad-0.15.1b/configure.ac 2004-01-23 11:41:32.000000000 +0200 -+++ libmad-0.15.1b/configure.ac 2013-01-03 08:28:23.718693697 +0200 -@@ -28,7 +28,7 @@ - - AM_INIT_AUTOMAKE - --AM_CONFIG_HEADER([config.h]) -+AC_CONFIG_HEADERS([config.h]) - - dnl System type. diff --git a/meta/recipes-multimedia/libmad/libmad_0.15.1b.bb b/meta/recipes-multimedia/libmad/libmad_0.15.1b.bb deleted file mode 100644 index d431abd..0000000 --- a/meta/recipes-multimedia/libmad/libmad_0.15.1b.bb +++ /dev/null 
@@ -1,36 +0,0 @@ -SUMMARY = "MPEG Audio Decoder library" -HOMEPAGE = "http://sourceforge.net/projects/mad/" -BUGTRACKER = "http://sourceforge.net/tracker/?group_id=12349&atid=112349" -LICENSE = "GPLv2+" -LICENSE_FLAGS = "commercial" -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \ - file://COPYRIGHT;md5=8e55eb14894e782b84488d5a239bc23d \ - file://version.h;beginline=1;endline=8;md5=aa07311dd39288d4349f28e1de516454" -SECTION = "libs" -DEPENDS = "libid3tag" -PR = "r3" - -SRC_URI = "ftp://ftp.mars.org/pub/mpeg/libmad-${PV}.tar.gz \ - file://no-force-mem.patch \ - file://add-pkgconfig.patch \ - file://fix_for_mips_with_gcc-4.5.0.patch \ - file://obsolete_automake_macros.patch \ - file://automake-foreign.patch \ -" - -SRC_URI[md5sum] = "1be543bc30c56fb6bea1d7bf6a64e66c" -SRC_URI[sha256sum] = "bbfac3ed6bfbc2823d3775ebb931087371e142bb0e9bb1bee51a76a6e0078690" - -S = "${WORKDIR}/libmad-${PV}" - -inherit autotools pkgconfig - -EXTRA_OECONF = "-enable-speed --enable-shared" -EXTRA_OECONF_append_arm = " --enable-fpm=arm" - -do_configure_prepend () { -# damn picky automake... - touch NEWS AUTHORS ChangeLog -} - -ARM_INSTRUCTION_SET = "arm" diff --git a/meta/recipes-multimedia/mpg123/mpg123_1.23.4.bb b/meta/recipes-multimedia/mpg123/mpg123_1.23.4.bb new file mode 100644 index 0000000..3101023 --- /dev/null +++ b/meta/recipes-multimedia/mpg123/mpg123_1.23.4.bb 
@@ -0,0 +1,63 @@ +SUMMARY = "Audio decoder for MPEG-1 Layer 1/2/3" +DESCRIPTION = "The core of mpg123 is an MPEG-1 Layer 1/2/3 decoding library, which can be used by other programs. \ +mpg123 also comes with a command-line tool which can playback using ALSA, PulseAudio, OSS, and several other APIs, \ +and also can write the decoded audio to WAV." +HOMEPAGE = "http://mpg123.de/" +BUGTRACKER = "http://sourceforge.net/p/mpg123/bugs/" +SECTION = "multimedia" + +LICENSE = "LGPLv2.1" +LICENSE_FLAGS = "commercial" +LIC_FILES_CHKSUM = "file://COPYING;md5=1e86753638d3cf2512528b99079bc4f3" + +SRC_URI = "https://www.mpg123.de/download/${BP}.tar.bz2" + +SRC_URI[md5sum] = "dea9e3a815d127d04ebe9f6b80f229ce" +SRC_URI[sha256sum] = "3495e678dec9a60f29cbcd4fc698abc4c811ec60d1276e744f7a10ac35023b48" + +inherit autotools pkgconfig + +# The options should be mutually exclusive for configuration script. +# If both alsa and pulseaudio are specified (as in the default distro features) +# pulseaudio takes precedence. 
+PACKAGECONFIG_ALSA = "${@bb.utils.contains('DISTRO_FEATURES', 'alsa', 'alsa', '', d)}" +PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'pulseaudio', 'pulseaudio', '${PACKAGECONFIG_ALSA}', d)}" + +PACKAGECONFIG[alsa] = "--with-default-audio=alsa,,alsa-lib" +PACKAGECONFIG[esd] = ",,esound" +PACKAGECONFIG[jack] = ",,jack" +PACKAGECONFIG[openal] = ",,openal-soft" +PACKAGECONFIG[portaudio] = ",,portaudio-v19" +PACKAGECONFIG[pulseaudio] = "--with-default-audio=pulse,,pulseaudio" +PACKAGECONFIG[sdl] = ",,libsdl" + +# Following are possible sound output modules: +# alsa arts coreaudio dummy esd jack nas openal os2 oss portaudio pulse sdl sndio sun tinyalsa win32 win32_wasapi +AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'alsa', 'alsa', '', d)}" +AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'esd', 'esd', '', d)}" +AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'jack', 'jack', '', d)}" +AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'openal', 'openal', '', d)}" +AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'portaudio', 'portaudio', '', d)}" +AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'pulseaudio', 'pulse', '', d)}" +AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'sdl', 'sdl', '', d)}" + +EXTRA_OECONF = " \ + --enable-shared \ + --with-audio='${AUDIOMODS}' \ + --with-module-suffix=.so \ + ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-cpu=neon', '', d)} \ + ${@bb.utils.contains('TUNE_FEATURES', 'altivec', '--with-cpu=altivec', '', d)} \ +" + +# The x86 assembler optimisations contains text relocations and there are no +# upstream plans to fix them: http://sourceforge.net/p/mpg123/bugs/168/ +INSANE_SKIP_${PN}_append_x86 = " textrel" + +# Fails to build with thumb-1 (qemuarm) +#| {standard input}: Assembler messages: +#| {standard input}:47: Error: selected processor does not support Thumb mode `smull r5,r6,r7,r4' +#| {standard input}:48: Error: shifts in CMP/MOV instructions are only supported in unified syntax 
-- `mov r5,r5,lsr#24' +#... +#| make[3]: *** [equalizer.lo] Error 1 +ARM_INSTRUCTION_SET_armv4 = "arm" +ARM_INSTRUCTION_SET_armv5 = "arm" -- 2.8.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
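Review bot: In the new mpg123_1.23.4.bb, INSANE_SKIP_${PN}_append_x86 = " textrel" turns off the text relocation QA check for the main package on x86 rather than avoiding the relocations; the comment above it links the upstream bug, but the commit message does not mention that the replacement for libmad ships with this check disabled, and it should. Separately, the gstreamer1.0-plugins-ugly.inc hunk swaps "mad" for "mpg123" in the PACKAGECONFIG default, yet the diffstat shows only that one changed line in the file and no PACKAGECONFIG[mpg123] definition is added, so please confirm the option is already defined there; otherwise the new default selects nothing.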
* Re: [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers 2016-06-16 10:59 [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Alexander Kanavin ` (3 preceding siblings ...) 2016-06-16 10:59 ` [PATCH 5/5] libmad: replace with mpg123 Alexander Kanavin @ 2016-06-17 2:56 ` Andre McCurdy 2016-06-17 19:49 ` Alexander Kanavin 4 siblings, 1 reply; 11+ messages in thread From: Andre McCurdy @ 2016-06-17 2:56 UTC (permalink / raw) To: Alexander Kanavin; +Cc: OE Core mailing list On Thu, Jun 16, 2016 at 3:59 AM, Alexander Kanavin <alexander.kanavin@linux.intel.com> wrote: > These recipes no longer seem to need full exclusion from security hardening. Did you also confirm that for gcc 4.9 and 5.3? > The rest (glibc, gcc-runtime, valgrind, grub, grub-efi, uclibc) still do. > > [YOCTO #9489] > > Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> > --- > meta/conf/distro/include/security_flags.inc | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) > > diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc > index ea1d4e5..cd2b964 100644 > --- a/meta/conf/distro/include/security_flags.inc > +++ b/meta/conf/distro/include/security_flags.inc > @@ -43,7 +43,7 @@ SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-flex = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-gcc = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-gcc-runtime = "" > -SECURITY_CFLAGS_pn-gcc-sanitizers = "" > +SECURITY_CFLAGS_pn-gcc-sanitizers = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-gdb = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-gmp = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-gnutls = "${SECURITY_NO_PIE_CFLAGS}" 
> @@ -62,7 +62,7 @@ SECURITY_CFLAGS_pn-kexec-tools = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-iptables = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-libaio = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-libcap = "${SECURITY_NO_PIE_CFLAGS}" > -SECURITY_CFLAGS_pn-libgcc = "" > +SECURITY_CFLAGS_pn-libgcc = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-libid3tag = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-libnewt = "${SECURITY_NO_PIE_CFLAGS}" > SECURITY_CFLAGS_pn-libglu = "${SECURITY_NO_PIE_CFLAGS}" > @@ -109,10 +109,8 @@ TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}" > TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}" > > SECURITY_LDFLAGS_remove_pn-gcc-runtime = "-fstack-protector-strong" > -SECURITY_LDFLAGS_remove_pn-gcc-sanitizers = "-fstack-protector-strong" > SECURITY_LDFLAGS_remove_pn-glibc = "-fstack-protector-strong" > SECURITY_LDFLAGS_remove_pn-glibc-initial = "-fstack-protector-strong" > -SECURITY_LDFLAGS_remove_pn-libgcc = "-fstack-protector-strong" > SECURITY_LDFLAGS_remove_pn-uclibc = "-fstack-protector-strong" > SECURITY_LDFLAGS_remove_pn-uclibc-initial = "-fstack-protector-strong" > SECURITY_LDFLAGS_pn-xf86-video-fbdev = "${SECURITY_X_LDFLAGS}" > -- > 2.8.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers 2016-06-17 2:56 ` [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Andre McCurdy @ 2016-06-17 19:49 ` Alexander Kanavin 0 siblings, 0 replies; 11+ messages in thread From: Alexander Kanavin @ 2016-06-17 19:49 UTC (permalink / raw) To: Andre McCurdy; +Cc: OE Core mailing list On 06/17/2016 05:56 AM, Andre McCurdy wrote: > On Thu, Jun 16, 2016 at 3:59 AM, Alexander Kanavin > <alexander.kanavin@linux.intel.com> wrote: >> These recipes no longer seem to need full exclusion from security hardening. > > Did you also confirm that for gcc 4.9 and 5.3? I just did; they build with both. Alex ^ permalink raw reply [flat|nested] 11+ messages in thread