Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 645450 - dev-db/mariadb: does not respect CFLAGS (fno-stack-protector)
Summary: dev-db/mariadb: does not respect CFLAGS (fno-stack-protector)
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Linux MySQL bugs team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-23 13:37 UTC by Agostino Sarubbo
Modified: 2023-07-01 13:20 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2018-01-23 13:37:14 UTC
While is good for a security purpose, the package does not respect the fno-stack-protector CFLAG
To test, compile it with CFLAGS/CXXFLAGS fno-stack-protector and run:
checksec --file /usr/sbin/mysqld

The checksec command line tool is from app-admin/checksec.

It is also overwriting the fortify_source flag
Comment 1 Brian Evans (RETIRED) gentoo-dev 2018-01-23 14:04:42 UTC
Beginning in MariaDB 10.1, the option SECURITY_HARDENED [1]  was added to always set pie, PIC, -fstack-protector, and -D_FORTIFY_SOURCE=2 when the compiler version was >= 4.6.

If this is unwanted, I could certainly force it off.

I did not consider it previously as it seemed to be doing the right thing.

[1] https://github.com/MariaDB/server/blob/10.1/CMakeLists.txt#L217
Comment 2 Brian Evans (RETIRED) gentoo-dev 2018-05-18 19:38:03 UTC
Marking this NEEDINFO until there is a response on the best course of action
Comment 3 Agostino Sarubbo gentoo-dev 2018-05-19 14:12:18 UTC
Is fine have those flags, but the user's flags should be passed after the build system flags so they can be overwritten.
Comment 4 LAP 2023-07-01 13:20:07 UTC
(In reply to Agostino Sarubbo from comment #3)
> Is fine have those flags, but the user's flags should be passed after the
> build system flags so they can be overwritten.
>

To allow the user to decide for himself if he wants address sanitation and/or hardening, two other local USE flags could be stablished, call them "asan" and "harden".

Then, depending upon the USE flag selected, the ebuild would need to set the cmake options accordingly. For example if the user selects "-asan" and "-harden":

mycmakeargs+=(
  -DSECURITY_HARDENED=OFF
  -DWITH_UBSAN=OFF
  -DWITH_ASAN=OFF
)

I've tested this on my sytem and there are no issues.