From 677893973e5e3cac2a1eb8a691aad6f5feccf69c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Wed, 5 Jun 2024 16:11:54 +0200 Subject: [PATCH] Make sure fortification flags are applied This is an example of the current build options: ~~~ gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fPIC -m64 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fno-strict-overflow -fvisibility=hidden -fexcess-precision=standard -DRUBY_EXPORT -I. -I.ext/include/x86_64-linux -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/include -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1 -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/prism -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/enc/unicode/15.0.0 -o dmyext.o -c /builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/dmyext.c ~~~ Please note that the Fedora options are included: ~~~ -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 ~~~ as well as the upstream options: ~~~ -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 ~~~ The problem is that the configure script cannot properly detect `_FORTIFY_SOURCE=3`, and instead of replacing that option it adds a second definition \[[1]\]. This has happened since Fedora started using the `_FORTIFY_SOURCE=3` option. To mitigate this issue, upstream fortification is disabled by this change (it might or might not stay disabled "forever").
These are the build options with this change applied for comparison: ~~~ gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fPIC -m64 -fstack-protector-strong -fno-strict-overflow -fvisibility=hidden -fexcess-precision=standard -DRUBY_EXPORT -I. -I.ext/include/x86_64-linux -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/include -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1 -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/prism -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/enc/unicode/15.0.0 -o dmyext.o -c /builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/dmyext.c ~~~ [1]: https://bugs.ruby-lang.org/issues/20520
---
 ruby.spec | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ruby.spec b/ruby.spec
index 41ed693..a358e18 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -792,6 +792,7 @@ pushd %{_vpath_builddir}
 --enable-shared \
 --with-ruby-version='' \
 --enable-multiarch \
+ --disable-fortify-source `# Should not really be needed: https://bugs.ruby-lang.org/issues/20520` \
 %{?with_yjit: --enable-yjit} \
 
 popd
@@ -1724,6 +1725,7 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 * Tue May 28 2024 Vít Ondruch - 3.3.1-8
 - Adjust the test to updated `checksec` output.
 Resolves: rhbz#2282953
+- Make sure fortification flags are applied.
 
 * Tue Apr 23 2024 Vít Ondruch - 3.3.1-7
 - Upgrade to Ruby 3.3.1.
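Review bot: Adding `--disable-fortify-source` to the configure call makes fortification depend entirely on the distro's `%{build_cflags}` (the `-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3` visible in the quoted command line); a rebuild in an environment whose build flags omit `_FORTIFY_SOURCE` would now ship unfortified code, because upstream's own `-D_FORTIFY_SOURCE=2` fallback is switched off. The inline comment only says the flag "should not really be needed", which does not tell a later maintainer why dropping it would hurt, so I would state the dependency explicitly, e.g. `` `# Upstream's own -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 is appended after the distro's -Wp,-D_FORTIFY_SOURCE=3 instead of replacing it (https://bugs.ruby-lang.org/issues/20520); fortification comes from %{build_cflags}, so keep this disabled` ``. Since the changelog context shows a `checksec`-based test already exists, it is worth confirming that it (or an `annocheck --test-fortify` run) asserts fortified libc symbols in libruby, so that a silent loss of fortification fails the build rather than passing unnoticed. The configure invocation starts before this hunk.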