1e60713a68296a0ff221befb48b2958fbf019ebf contrib: Fix test-security-check fail in Ubuntu 18.04 (Chun Kuan Lee)
Pull request description:
- Fix test-security-check fail in Ubuntu 18.04. Those flags are enabled by default, so we must specify `-no` so that the executable does 'not' have those attributes.
- Drop HIGH_ENTROPY_VA. After updating our gitian system to Bionic, the compiler should support HIGH_ENTROPY_VA.
Tree-SHA512: 78c1f2aae1253ddd52faa1af569b7151a503a217c7ccbe21b8004d8910c45d8a27ff04695eacbdadd7192d2c91c0d59941ca20c651dd2d5052b9999163a11ae4
37d363dd4acf7d41196d44b295593019add241c3 Tools: fix BIND_NOW check in security-check.py (Conrado Gouvea)
Pull request description:
Previously, the BIND_NOW check would work only if it was the first value in FLAGS.
Tree-SHA512: 39cd83f673a6b521803be5585ada516f2db4eede718f0c5aea3377825ed1adcefed5bbb41dd9a5f24a26f7d27116cfc81bde7e26283232593b72768c5ae3d321
78214588d Use for-loop instead of list comprehension (practicalswift)
823979436 Use the variable name _ for unused return values (practicalswift)
2e6080bbf Remove unused variables and/or function calls (practicalswift)
9b94054b7 Avoid reference to undefined name: stderr does not exist, sys.stderr does (practicalswift)
51cb6b822 Use print(...) instead of undefined printf(...) (practicalswift)
25cd520fc Use sys.exit(...) instead of exit(...): exit(...) should not be used in programs (practicalswift)
Pull request description:
Python cleanups:
* Avoid reference to undefined name: `stderr` does not exist, `sys.stderr` does
* Use `print(...)` instead of undefined `printf(...)`
* Avoid redefinition of variable (`tx`) in list comprehension
* Remove unused variables and/or function calls
* Use `sys.exit(...)` instead of `exit(...)`: [`exit(...)` should not be used in programs](https://github.com/bitcoin/bitcoin/pull/10753#discussion_r125935027)
Tree-SHA512: 1238dfbc1d20f7edadea5e5406a589f293065638f6234809f0d5b6ba746dffe3d276bc5884c7af388a6c798c61a8759faaccf57f381225644754c0f61914eb4b
* Merge #11881: Remove Python2 support
1874058 Make base58 python contrib code work with python3 (Evan Klitzke)
bc6fdf2 Change all python files to use Python3 (John Newbery)
Pull request description:
Following discussion here: https://github.com/bitcoin/bitcoin/pull/11843#issuecomment-351033742
It's easier for maintainers if all python tools/scripts support only a single version of Python. There are only a few scripts that aren't explicitly python3 at this point, so this PR changes those remaining scripts to explicitly require python3.
Tree-SHA512: 5d38eef6e0fc7d8515e23a1f4c75e8b4160fd0fe23cba52a1f41689b114e54a9e503e0724829e8b41982ef98f2d113df80d9e238213b74f09ceaed0344a19e24
* Merge #12829: Python3 fixup
f50975b [contrib] fixup symbol-check.py Python3 support (John Newbery)
5de2b18 [contrib] fixup security-check.py Python3 support (John Newbery)
Pull request description:
security-check.py and symbol-check.py were broken by #11881. Fix them.
Tree-SHA512: 86de3d6dc3292b1ae4cc04c2d7d7dbbf39c9270551d7b224b8d8b19e3184c30c897dbf823200403706d06bb405c0decad5cfd690cb2c0312992a235a4ffcf6bf
62c2915 build: supply `-Wl,--high-entropy-va` (Wladimir J. van der Laan)
9a75d29 devtools: Check for high-entropy ASLR in 64-bit PE executables (Wladimir J. van der Laan)
- fix parsing of BIND_NOW with older readelf
- add _IO_stdin_used to ignored exports
For details see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634261#109
- add check-symbols and check-security make targets
These are not added to the default checks because some of them depend on
release-build configs.
- always link librt for glibc back-compat builds
glibc absorbed clock_gettime in 2.17. librt (its previous location) is safe to
link in anyway for back-compat.
Fixes #7420
- add security/symbol checks to gitian
Github-Pull: #7424
Rebased-From: cd27bf51e0475813ba5bf3d3eaf78ea8ce872118a81c87fafc
Perform the following ELF security checks:
- PIE: Check for position independent executable (PIE), allowing for address space randomization
- NX: Check that no sections are writable and executable (including the stack)
- RELRO: Check for read-only relocations, binding at startup
- Canary: Check for use of stack canary
Also add a check to symbol-check.py that checks that only the subset of
allowed libraries is imported (to avoid incompatibilities).
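
The BIND_NOW fix noted in the log above ("would work only if it was the first value in FLAGS") and the RELRO item in the check list, shown as an added example that is not code from security-check.py or the project. The function names are hypothetical and both readelf excerpts are constructed sample output.

```python
# Added example, not code from security-check.py. Function names are
# hypothetical; both readelf excerpts are constructed sample output.
SAMPLE_DYNAMIC = """\
Dynamic section at offset 0x2d98 contains 4 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              SYMBOLIC BIND_NOW
 0x0000000000000000 (NULL)               0x0
"""
SAMPLE_HEADERS = """\
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
"""

def flags_values(dynamic_text):
    """Values on the (FLAGS) line of `readelf -d -W` output, in printed order."""
    for line in dynamic_text.splitlines():
        tokens = line.split()
        if len(tokens) > 1 and tokens[1] == '(FLAGS)':
            return tokens[2:]
    return []

def bind_now_first_only(dynamic_text):
    """Behaviour described as 'previously': only the first FLAGS value counts."""
    values = flags_values(dynamic_text)
    return bool(values) and values[0] == 'BIND_NOW'

def bind_now_anywhere(dynamic_text):
    """Order-independent check: BIND_NOW may sit at any position in FLAGS."""
    return 'BIND_NOW' in flags_values(dynamic_text)

def has_gnu_relro(headers_text):
    """True if `readelf -l -W` output lists a GNU_RELRO program header."""
    return any(line.split()[:1] == ['GNU_RELRO']
               for line in headers_text.splitlines())

def full_relro(headers_text, dynamic_text, bind_now=bind_now_anywhere):
    """RELRO as the list above describes it: read-only relocations plus
    binding at startup, so both conditions must hold."""
    return has_gnu_relro(headers_text) and bind_now(dynamic_text)

if __name__ == '__main__':
    # The same hardened binary fails or passes depending on the FLAGS parser.
    print(full_relro(SAMPLE_HEADERS, SAMPLE_DYNAMIC, bind_now_first_only))
    print(full_relro(SAMPLE_HEADERS, SAMPLE_DYNAMIC))
```

A first-value-only parser reports a false RELRO failure for a binary that is in fact fully hardened, which is why the check has to be independent of flag order.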