Make sure fortification flags are applied
This is an example of the current build options:

~~~
gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fPIC -m64 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fno-strict-overflow -fvisibility=hidden -fexcess-precision=standard -DRUBY_EXPORT -I. -I.ext/include/x86_64-linux -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/include -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1 -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/prism -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/enc/unicode/15.0.0 -o dmyext.o -c /builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/dmyext.c
~~~

Please note that Fedora options are included:

~~~
-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3
~~~

as well as upstream options:

~~~
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
~~~

The problem is that the configure script cannot properly detect `_FORTIFY_SOURCE=3` and instead of replacing that option, it includes a new definition [1]. This happens since Fedora started to use the `_FORTIFY_SOURCE=3` option. To mitigate this issue, upstream fortification was disabled (this might or might not stay disabled "forever").

These are the build options with this change applied for comparison:

~~~
gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fPIC -m64 -fstack-protector-strong -fno-strict-overflow -fvisibility=hidden -fexcess-precision=standard -DRUBY_EXPORT -I. -I.ext/include/x86_64-linux -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/include -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1 -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/prism -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/enc/unicode/15.0.0 -o dmyext.o -c /builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/dmyext.c
~~~

[1]: https://bugs.ruby-lang.org/issues/20520
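A build-log check for the condition the commit message describes, added here as an example (it is not part of the commit or of the Ruby or Fedora tooling): it lists every `_FORTIFY_SOURCE` define or undefine on a compile line, including those passed through `-Wp,`, and reports lines that define more than one level. It does not model which definition the compiler ends up honouring; the function names are hypothetical and the two sample lines are abbreviated from the command lines quoted above.

```python
import re
import shlex

# -D_FORTIFY_SOURCE[=N] or -U_FORTIFY_SOURCE as a single option string.
MACRO = re.compile(r"^-([DU])_FORTIFY_SOURCE(?:=(\S*))?$")


def fortify_settings(command_line):
    """List every _FORTIFY_SOURCE define/undefine on one compile line.

    Returns (origin, action, level) tuples; origin is "Wp" for options
    passed through -Wp,... and "driver" for plain -D/-U arguments.
    """
    found = []
    args = shlex.split(command_line)
    for i, arg in enumerate(args):
        if arg.startswith("-Wp,"):
            options, origin = arg[4:].split(","), "Wp"
        elif arg in ("-D", "-U") and i + 1 < len(args):
            options, origin = [arg + args[i + 1]], "driver"  # "-D NAME" form
        else:
            options, origin = [arg], "driver"
        for opt in options:
            m = MACRO.match(opt)
            if m:
                action, level = m.groups()
                if action == "D" and level is None:
                    level = "1"  # a bare -DNAME defines the macro as 1
                found.append((origin, action, level))
    return found


def defined_levels(command_line):
    """Distinct levels the line defines; more than one means a conflict."""
    return sorted({lvl for _, act, lvl in fortify_settings(command_line) if act == "D"})


# Constructed samples: the page's two command lines with unrelated flags removed.
BEFORE = ("gcc -O2 -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS "
          "-fPIC -m64 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong "
          "-DRUBY_EXPORT -o dmyext.o -c dmyext.c")
AFTER = ("gcc -O2 -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS "
         "-fPIC -m64 -fstack-protector-strong -DRUBY_EXPORT -o dmyext.o -c dmyext.c")

if __name__ == "__main__":
    for name, line in (("before", BEFORE), ("after", AFTER)):
        levels = defined_levels(line)
        print(name, levels, "CONFLICT" if len(levels) > 1 else "ok")
```

Run over a full build log, the same functions can be applied line by line to every `gcc` invocation, not only the one for `dmyext.c`.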
parent d9051618e3
commit 677893973e
@ -792,6 +792,7 @@ pushd %{_vpath_builddir}
|
|||||||
--enable-shared \
|
--enable-shared \
|
||||||
--with-ruby-version='' \
|
--with-ruby-version='' \
|
||||||
--enable-multiarch \
|
--enable-multiarch \
|
||||||
|
--disable-fortify-source `# Should not really be needed: https://bugs.ruby-lang.org/issues/20520` \
|
||||||
%{?with_yjit: --enable-yjit} \
|
%{?with_yjit: --enable-yjit} \
|
||||||
|
|
||||||
popd
|
popd
|
||||||
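Review bot: The inline comment on the added `--disable-fortify-source` line says only "Should not really be needed" and gives no condition for dropping the flag again. State in the spec what it works around (configure adding `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` next to the distribution's `-D_FORTIFY_SOURCE=3`) and that the flag can be removed once the linked upstream issue is resolved. Since the commit message compares compile lines by hand, consider also failing the build when a compile line carries two different `_FORTIFY_SOURCE` levels, so a regression is caught without reading the log.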
@ -1724,6 +1725,7 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
|
|||||||
* Tue May 28 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.1-8
|
* Tue May 28 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.1-8
|
||||||
- Adjust the test to updated `checksec` output.
|
- Adjust the test to updated `checksec` output.
|
||||||
Resolves: rhbz#2282953
|
Resolves: rhbz#2282953
|
||||||
|
- Make sure fortification flags are applied.
|
||||||
|
|
||||||
* Tue Apr 23 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.1-7
|
* Tue Apr 23 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.1-7
|
||||||
- Upgrade to Ruby 3.3.1.
|
- Upgrade to Ruby 3.3.1.
|
||||||
|
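Review bot: The added changelog item sits after the `Resolves: rhbz#2282953` line of the existing 3.3.1-8 entry, so it is unclear whether that bug reference is meant to cover it; place it above the `Resolves:` line or give it its own reference. The wording "Make sure fortification flags are applied." also hides what was done: say that upstream fortification is disabled so that only the distribution's `_FORTIFY_SOURCE=3` applies, and mention the upstream issue.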