Make sure fortification flags are applied

This is an example of the current build options:

~~~
gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fPIC -m64 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fno-strict-overflow -fvisibility=hidden -fexcess-precision=standard -DRUBY_EXPORT -I. -I.ext/include/x86_64-linux -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/include -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1 -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/prism -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/enc/unicode/15.0.0      -o dmyext.o -c /builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/dmyext.c
~~~

Please note that the Fedora options are included:

~~~
-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3
~~~

as well as upstream options:

~~~
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
~~~

The problem is that the configure script cannot properly detect
`_FORTIFY_SOURCE=3` and, instead of replacing that option, it includes
a new definition [1]. This has been happening since Fedora started to use
the `_FORTIFY_SOURCE=3` option. To mitigate this issue, upstream
fortification was disabled (this might or might not stay disabled
"forever").

These are the build options with this change applied for comparison:

~~~
gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fPIC -m64 -fstack-protector-strong -fno-strict-overflow -fvisibility=hidden -fexcess-precision=standard -DRUBY_EXPORT -I. -I.ext/include/x86_64-linux -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/include -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1 -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/prism -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/enc/unicode/15.0.0      -o dmyext.o -c /builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/dmyext.c
~~~

[1]: https://bugs.ruby-lang.org/issues/20520
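The commit message describes a mixed state in which both Fedora's `-Wp,-D_FORTIFY_SOURCE=3` and upstream's `-D_FORTIFY_SOURCE=2` end up on the same compile line. The following script is an added example, not part of this ruby.spec commit or of Ruby's build system: it scans compiler invocations in a build log and reports every compile whose `_FORTIFY_SOURCE` definitions are missing, mixed, or not the expected level. The sample log is constructed and abridged from the flags quoted above. The script only reports which levels are present on a line; it makes no claim about which definition gcc ends up honouring.

```shell
#!/bin/sh
# Added example, not part of the ruby.spec commit or of Ruby's build system.
# Scans compiler invocations in a build log for _FORTIFY_SOURCE definitions
# and flags every compile that carries a missing, mixed, or unexpected level.
# "Mixed" is the state the commit message shows: Fedora's
# -Wp,-D_FORTIFY_SOURCE=3 next to upstream's -D_FORTIFY_SOURCE=2.

# Print the distinct _FORTIFY_SOURCE levels defined on one command line, one
# per line in first-seen order. -Wp,-U...,-D... groups are split on commas so
# their members count like plain -D flags; a bare -D_FORTIFY_SOURCE means =1.
fortify_levels() {
    printf '%s\n' "$1" |
        tr ' ,' '\n\n' |
        sed 's/^-D_FORTIFY_SOURCE$/-D_FORTIFY_SOURCE=1/' |
        grep '^-D_FORTIFY_SOURCE=[0-9][0-9]*$' |
        sed 's/^-D_FORTIFY_SOURCE=//' |
        awk '!seen[$0]++'
}

# Succeed only when exactly one level is defined and it equals $2.
check_fortify() {
    levels=$(fortify_levels "$1")
    [ "$(printf '%s\n' "$levels" | grep -c .)" -eq 1 ] && [ "$levels" = "$2" ]
}

# Walk a build log ($1); for each gcc/cc invocation print "ok" or "BAD", the
# object being built and the levels seen. Returns 1 if any compile is BAD.
scan_log() {
    expected=$2
    rc=0
    while IFS= read -r line; do
        case $line in
            "gcc "*|"cc "*|*"/gcc "*|*"/cc "*) ;;
            *) continue ;;
        esac
        obj=$(printf '%s\n' "$line" | sed -n 's/.* -o \([^ ]*\).*/\1/p')
        if check_fortify "$line" "$expected"; then
            printf 'ok\t%s\n' "${obj:-?}"
        else
            printf 'BAD\t%s\tlevels=[%s]\n' "${obj:-?}" \
                "$(fortify_levels "$line" | tr '\n' ' ')"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample log (abridged from the flags quoted in the commit
# message): one "before" compile with both definitions, one "after" compile
# with only Fedora's, one compile with no fortification, and noise lines.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
checking whether the C compiler works... yes
gcc -O2 -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fPIC -o dmyext.o -c dmyext.c
gcc -O2 -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -fstack-protector-strong -fPIC -o main.o -c main.c
gcc -O2 -g -o noflags.o -c noflags.c
make: Leaving directory '/builddir/build/BUILD'
EOF

scan_log "$SAMPLE_LOG" 3 || echo "some compiles do not carry a single _FORTIFY_SOURCE=3"
```

Pointed at a real build log (`scan_log build.log 3`), the script exits non-zero as soon as one compile line carries a second level or none at all, which makes it usable as a `%check`-style guard against the configure script quietly re-adding its own `-D_FORTIFY_SOURCE=2`.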
Vít Ondruch 2024-06-05 16:11:54 +02:00
parent d9051618e3
commit 677893973e


@ -792,6 +792,7 @@ pushd %{_vpath_builddir}
--enable-shared \ --enable-shared \
--with-ruby-version='' \ --with-ruby-version='' \
--enable-multiarch \ --enable-multiarch \
--disable-fortify-source `# Should not really be needed: https://bugs.ruby-lang.org/issues/20520` \
%{?with_yjit: --enable-yjit} \ %{?with_yjit: --enable-yjit} \
popd popd
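Review bot: the new `--disable-fortify-source` line removes upstream's `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2`, but nothing in this hunk verifies that Fedora's `-Wp,-D_FORTIFY_SOURCE=3` is now the only definition on the resulting compile lines. Since the package already carries a `checksec` test, consider adding a check that fails when a compile line in the build log contains more than one `_FORTIFY_SOURCE=` level, so a future configure change that re-adds the flag is caught rather than silently lowering the level again. Minor: the backtick comment embedded in the continued argument list works in bash (an empty command substitution), but a plain comment line above the configure call is easier to spot and cannot break the line continuation if someone later edits the quoting.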
@ -1724,6 +1725,7 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
* Tue May 28 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.1-8 * Tue May 28 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.1-8
- Adjust the test to updated `checksec` output. - Adjust the test to updated `checksec` output.
Resolves: rhbz#2282953 Resolves: rhbz#2282953
- Make sure fortification flags are applied.
* Tue Apr 23 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.1-7 * Tue Apr 23 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.1-7
- Upgrade to Ruby 3.3.1. - Upgrade to Ruby 3.3.1.
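Review bot: the new changelog line is appended to the existing `3.3.1-8` entry dated Tue May 28 2024 instead of a new entry, and the hunk shows no matching Release bump. If this change ships as its own build, add a new `*` entry with its date and bump Release; if it is folded into the not-yet-released 3.3.1-8, that is fine but worth stating in the commit. Also consider citing https://bugs.ruby-lang.org/issues/20520 in the changelog line, as the spec comment does, so the reason is discoverable from `rpm -q --changelog`.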