authorOleksandr Natalenko2022-05-12 21:17:31 +0200
committerOleksandr Natalenko2022-05-12 21:17:31 +0200
commit5ecb77cfaf18d0ac5d30b7f76a24943615e418ce (patch)
treea9a9db7092b5695e7a69c233a47a22bbaadbce09
parent4e29a8ebdc7f190866c47ea6337675e32686c439 (diff)
downloadaur-5ecb77cfaf18d0ac5d30b7f76a24943615e418ce.tar.gz
more hardening
Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
-rw-r--r--.SRCINFO8
-rw-r--r--01-uasm.patch11
-rw-r--r--02-gcc-12.patch (renamed from gcc-12.patch)0
-rw-r--r--03-hardening.patch29
-rw-r--r--PKGBUILD16
5 files changed, 56 insertions, 8 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 1814b6f545f8..4f0de8e87c5d 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,14 +1,18 @@
pkgbase = 7-zip
pkgdesc = File archiver with a high compression ratio
pkgver = 21.07
- pkgrel = 2
+ pkgrel = 3
url = https://www.7-zip.org
arch = x86_64
license = LGPL
makedepends = uasm
source = https://7-zip.org/a/7z2107-src.7z
- source = gcc-12.patch
+ source = 01-uasm.patch
+ source = 02-gcc-12.patch
+ source = 03-hardening.patch
sha256sums = d1074d56f415aab99d99e597a7b66dc455dba6349ae8a4c89df76475b6a1284c
+ sha256sums = 76cabefa3bdf9fa2b6a7af1fc549534684b17f6785a32b0e1bc1f459d401eb74
sha256sums = e4d34366e091b8404dd04f02bcad46518d2930ec0b4a420e1316db020234b085
+ sha256sums = 0fd25bfb4f9f330573f94c61c9708dc15791bb51a5b294a5ab81b0463de08453
pkgname = 7-zip
diff --git a/01-uasm.patch b/01-uasm.patch
new file mode 100644
index 000000000000..709c8b547b3f
--- /dev/null
+++ b/01-uasm.patch
@@ -0,0 +1,11 @@
+--- a/CPP/7zip/7zip_gcc.mak 2021-12-25 15:00:00.000000000 +0100
++++ b/CPP/7zip/7zip_gcc.mak 2022-05-12 21:06:28.101951648 +0200
+@@ -7,7 +7,7 @@
+
+ MY_ARCH_2 = $(MY_ARCH)
+
+-MY_ASM = asmc
++MY_ASM = uasm
+ ifdef USE_JWASM
+ MY_ASM = jwasm
+ endif
diff --git a/gcc-12.patch b/02-gcc-12.patch
index 18f76e4a689d..18f76e4a689d 100644
--- a/gcc-12.patch
+++ b/02-gcc-12.patch
diff --git a/03-hardening.patch b/03-hardening.patch
new file mode 100644
index 000000000000..4c646bcec786
--- /dev/null
+++ b/03-hardening.patch
@@ -0,0 +1,29 @@
+--- a/CPP/7zip/7zip_gcc.mak 2021-12-25 15:00:00.000000000 +0100
++++ b/CPP/7zip/7zip_gcc.mak 2022-05-12 21:14:52.909954342 +0200
+@@ -126,7 +126,7 @@
+
+
+
+-CFLAGS = $(MY_ARCH_2) $(LOCAL_FLAGS) $(CFLAGS_BASE2) $(CFLAGS_BASE) $(CC_SHARED) -o $@
++CFLAGS = $(MY_ARCH_2) $(LOCAL_FLAGS) $(CFLAGS_BASE2) $(CFLAGS_BASE) -fstack-protector-strong $(CC_SHARED) -o $@
+
+
+ ifdef IS_MINGW
+@@ -154,7 +154,7 @@
+ #-Wno-invalid-offsetof
+ #-Wno-reorder
+
+-CXXFLAGS = $(MY_ARCH_2) $(LOCAL_FLAGS) $(CXXFLAGS_BASE2) $(CFLAGS_BASE) $(CXXFLAGS_EXTRA) $(CC_SHARED) -o $@ $(CXX_WARN_FLAGS)
++CXXFLAGS = $(MY_ARCH_2) $(LOCAL_FLAGS) $(CXXFLAGS_BASE2) $(CFLAGS_BASE) $(CXXFLAGS_EXTRA) -fstack-protector-strong $(CC_SHARED) -o $@ $(CXX_WARN_FLAGS)
+
+ STATIC_TARGET=
+ ifdef COMPL_STATIC
+@@ -167,7 +167,7 @@
+ $(O):
+ $(MY_MKDIR) $(O)
+
+-LFLAGS_ALL = -s $(MY_ARCH_2) $(LDFLAGS) $(LD_arch) $(OBJS) $(MY_LIBS) $(LIB2)
++LFLAGS_ALL = -s $(MY_ARCH_2) $(LDFLAGS) -Wl,-pie,-z,now,-z,noexecstack $(LD_arch) $(OBJS) $(MY_LIBS) $(LIB2)
+ $(PROGPATH): $(OBJS)
+ $(CXX) -o $(PROGPATH) $(LFLAGS_ALL)
+
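Review bot: The `LFLAGS_ALL` line in the third inner hunk requests PIE only from the linker (`-Wl,-pie`), while the `CFLAGS` and `CXXFLAGS` lines add `-fstack-protector-strong` but no `-fPIE`, so a position-independent executable depends on the toolchain defaulting to PIE code generation. Stating it explicitly would mean `-fPIE` in both compile lines and `-pie -Wl,-z,relro,-z,now,-z,noexecstack` on the link line, which lets the compiler driver select PIE start files and makes the RELRO half of full RELRO explicit instead of a linker default. `$(CC_SHARED)` in the compile lines suggests this makefile may also link shared objects through `LFLAGS_ALL`; if so, the PIE option should be limited to executable targets. Because `CFLAGS =` and `CXXFLAGS =` are assigned outright, flags from the packaging environment presumably never reach the compiler, so `-D_FORTIFY_SOURCE=2` would also have to be added here if it is wanted.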
diff --git a/PKGBUILD b/PKGBUILD
index 70f96ec3f37d..57cbca0c6fbf 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,21 +2,25 @@
pkgname=7-zip
pkgver=21.07
-pkgrel=2
+pkgrel=3
pkgdesc="File archiver with a high compression ratio"
url="https://www.7-zip.org"
license=(LGPL)
arch=(x86_64)
makedepends=(uasm)
source=(https://7-zip.org/a/7z2107-src.7z
- gcc-12.patch)
+ 01-uasm.patch
+ 02-gcc-12.patch
+ 03-hardening.patch)
sha256sums=('d1074d56f415aab99d99e597a7b66dc455dba6349ae8a4c89df76475b6a1284c'
- 'e4d34366e091b8404dd04f02bcad46518d2930ec0b4a420e1316db020234b085')
+ '76cabefa3bdf9fa2b6a7af1fc549534684b17f6785a32b0e1bc1f459d401eb74'
+ 'e4d34366e091b8404dd04f02bcad46518d2930ec0b4a420e1316db020234b085'
+ '0fd25bfb4f9f330573f94c61c9708dc15791bb51a5b294a5ab81b0463de08453')
prepare() {
- sed -i 's|MY_ASM = asmc|MY_ASM = uasm|g' CPP/7zip/7zip_gcc.mak
- sed -i 's|LFLAGS_ALL = -s $(MY_ARCH_2) $(LDFLAGS) $(LD_arch) $(OBJS) $(MY_LIBS) $(LIB2)|LFLAGS_ALL = -s $(MY_ARCH_2) $(LDFLAGS) -Wl,-z,noexecstack $(LD_arch) $(OBJS) $(MY_LIBS) $(LIB2)|g' CPP/7zip/7zip_gcc.mak
- patch -Np1 -i ../gcc-12.patch
+ patch -Np1 -i ../01-uasm.patch
+ patch -Np1 -i ../02-gcc-12.patch
+ patch -Np1 -i ../03-hardening.patch
}
build() {
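Review bot: Nothing in this hunk verifies that the flags from `03-hardening.patch` end up in the built binaries, and a makefile that reassigns these variables elsewhere would drop them without any error. A `check()` function could run `readelf -h` and `readelf -d` on the built binary and fail unless the ELF type is `DYN` and `BIND_NOW` is present. `build()` only starts on the last line of the hunk and the rest of the PKGBUILD is not visible, so such a check may already exist further down.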