https://blogs.gentoo.org/ago/2020/07/04/gentoo-tinderbox/

Issue: app-admin/clsync-0.4.5 redefines _FORTIFY_SOURCE.
Discovered on: amd64 (internal ref: hardened_tinderbox)

NOTE: (HARDENED-SYSTEM) in the summary means that the bug was found on a machine that runs a hardened profile with -D_FORTIFY_SOURCE=3 and -D_GLIBCXX_ASSERTIONS (https://www.gentoo.org/support/news-items/2023-01-01-hardening-fortify-assertions.html), but this bug MAY or MAY NOT be related to the changes related to hardening.

Created attachment 849684 [details]: build.log (build log and emerge --info)
clsync is designed to set -D_FORTIFY_SOURCE according to user security preferences during the configure stage. It is possible to disable -D_FORTIFY_SOURCE enforcement with the --disable-paranoid configure option, but the price will be a lower security level, because other security features will be disabled as well. I think adding -D_FORTIFY_SOURCE=3 to --enable-paranoid=2 will be a reasonable solution, though I don't want to remove -D_FORTIFY_SOURCE control from configure at all, since many OSes don't do this properly.
(In reply to Andrew Savchenko from comment #2)
> clsync is designed to set -D_FORTIFY_SOURCE according to user security
> preferences during configure stage. It is possible to disable
> -D_FORTIFY_SOURCE enforcement with --disable-paranoid configure option, but
> the price will be lower security level, because other security features will
> be disabled as well.

What other features? It's quite common for us to need to pass such things in Gentoo because they either override or lower protection compared to defaults.

> I think adding -D_FORTIFY_SOURCE=3 to --enable-paranoid=2 will be reasonable
> solution, though I don't want to remove -D_FORTIFY_SOURCE control from
> configure at all, since many OSes don't do this properly.

In Gentoo, we always have F_S=2 as a minimum, so it's fine to patch it locally.
(In reply to Sam James from comment #3)
> (In reply to Andrew Savchenko from comment #2)
> > clsync is designed to set -D_FORTIFY_SOURCE according to user security
> > preferences during configure stage. It is possible to disable
> > -D_FORTIFY_SOURCE enforcement with --disable-paranoid configure option, but
> > the price will be lower security level, because other security features will
> > be disabled as well.
>
> What other features? It's quite common for us to need to pass such things in
> Gentoo because they either override or lower protection compared to defaults.

    AS_IF(
        [test $paranoid -ge 1],
        [
            CPPFLAGS="${CPPFLAGS} -D_FORTIFY_SOURCE=2 -DPARANOID"
            CFLAGS="${CFLAGS} -fstack-protector-all -Wall --param ssp-buffer-size=4"
            LDFLAGS="${LDFLAGS} -Xlinker -zrelro"
            AX_CHECK_COMPILE_FLAG([-fstack-check], [CFLAGS="${CFLAGS} -fstack-check"])
        ]
    )
    AS_IF([test $paranoid -eq 2], [CPPFLAGS="${CPPFLAGS} -DVERYPARANOID"])

-DPARANOID and -DVERYPARANOID control various run-time sanity checks or other safety measures within the code. At paranoid level 2 expensive checks are enabled in clsync, which correlates well with -D_FORTIFY_SOURCE=3, as they are expensive as well compared to -D_FORTIFY_SOURCE=2 (e.g. run-time vs build-time).

> > I think adding -D_FORTIFY_SOURCE=3 to --enable-paranoid=2 will be reasonable
> > solution, though I don't want to remove -D_FORTIFY_SOURCE control from
> > configure at all, since many OSes don't do this properly.
>
> In Gentoo, we always have F_S=2 as a minimum, so it's fine to patch it
> locally.

As a default != as a minimum.
(In reply to Andrew Savchenko from comment #4)
> (In reply to Sam James from comment #3)
> > (In reply to Andrew Savchenko from comment #2)
> > > clsync is designed to set -D_FORTIFY_SOURCE according to user security
> > > preferences during configure stage. It is possible to disable
> > > -D_FORTIFY_SOURCE enforcement with --disable-paranoid configure option, but
> > > the price will be lower security level, because other security features will
> > > be disabled as well.
> >
> > What other features? It's quite common for us to need to pass such things in
> > Gentoo because they either override or lower protection compared to defaults.
>
>     AS_IF(
>         [test $paranoid -ge 1],
>         [
>             CPPFLAGS="${CPPFLAGS} -D_FORTIFY_SOURCE=2 -DPARANOID"
>             CFLAGS="${CFLAGS} -fstack-protector-all -Wall --param ssp-buffer-size=4"
>             LDFLAGS="${LDFLAGS} -Xlinker -zrelro"
>             AX_CHECK_COMPILE_FLAG([-fstack-check], [CFLAGS="${CFLAGS} -fstack-check"])
>         ]
>     )
>     AS_IF([test $paranoid -eq 2], [CPPFLAGS="${CPPFLAGS} -DVERYPARANOID"])
>
> -DPARANOID and -DVERYPARANOID control various run-time sanity checks or
> other safety measures, within the code. At paranoid level 2 expensive checks
> are enabled in clsync which correlates well with -D_FORTIFY_SOURCE=3 as they
> are expensive as well compared to -D_FORTIFY_SOURCE=2 (e.g. run-time vs
> build-time).

Sounds like you could just add -DPARANOID in the ebuild then. The rest of that is either default or a bad idea (-fstack-check is considered obsolete and we already set -fstack-clash-protection). We already set an SSP buffer size of 4.

> > > I think adding -D_FORTIFY_SOURCE=3 to --enable-paranoid=2 will be reasonable
> > > solution, though I don't want to remove -D_FORTIFY_SOURCE control from
> > > configure at all, since many OSes don't do this properly.
> >
> > In Gentoo, we always have F_S=2 as a minimum, so it's fine to patch it
> > locally.
>
> As a default != as a minimum.

I don't know what your point is. If a user sets -U..., that's their own doing.
(In reply to Sam James from comment #5)
> Sounds like you could just add -DPARANOID in the ebuild then.

It is already enabled by default via USE="+hardened", but it sets -D_FORTIFY_SOURCE=2 which causes this bug.

> The rest of that is either default or a bad idea (-fstack-check is
> considered obsolete and we already set -fstack-clash-protection).
>
> We already set an SSP buffer size of 4.

I know, but configure.ac is made to be universal, not Gentoo-specific. Not everywhere SSP buffer is set that way as well as other options. I probably need to add gcc feature test, because unconditionally using -D_FORTIFY_SOURCE=3 will break builds for users with older gcc.
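The flag handling argued over in this thread, as an added example that is not clsync's configure.ac and not code from either commenter: a POSIX shell fragment that only appends a project default -D_FORTIFY_SOURCE when the caller's CPPFLAGS carry no -D or -U setting for that macro (so a toolchain default of =3, or a deliberate -U_FORTIFY_SOURCE, is left alone and the "_FORTIFY_SOURCE redefined" warning the tinderbox flagged cannot occur), plus a log scan for that warning. The function names, the sample CPPFLAGS and the build-log excerpt are constructed for the example; the warning text is gcc's standard macro-redefinition diagnostic.

```shell
#!/bin/sh
# Added example (not clsync's own configure.ac): merge a project default
# _FORTIFY_SOURCE level into CPPFLAGS without redefining the macro.

# Print 1 if CPPFLAGS already sets or unsets _FORTIFY_SOURCE, else 0.
# Both -D and -U count: a user who passed -U_FORTIFY_SOURCE chose that,
# and configure should not silently override it.  The -Wp, spelling that
# some distributions use is recognised too.
has_fortify_setting() {
    for flag in $1; do
        case "$flag" in
            -D_FORTIFY_SOURCE|-D_FORTIFY_SOURCE=*|-U_FORTIFY_SOURCE|\
            -Wp,-D_FORTIFY_SOURCE=*|-Wp,-U_FORTIFY_SOURCE)
                echo 1
                return 0
                ;;
        esac
    done
    echo 0
}

# Print the CPPFLAGS to use: $1 unchanged when it already has a setting,
# otherwise $1 with "-D_FORTIFY_SOURCE=$2" appended.  This is the
# configure-time equivalent of treating the distribution's level as a
# floor rather than overwriting it with a hard-coded =2.
merge_fortify_flags() {
    cppflags=$1
    level=$2
    if [ "$(has_fortify_setting "$cppflags")" = 1 ]; then
        printf '%s\n' "$cppflags"
    else
        printf '%s\n' "${cppflags:+$cppflags }-D_FORTIFY_SOURCE=$level"
    fi
}

# Count lines on stdin carrying gcc's redefinition warning; this is what a
# tinderbox run greps the build log for.  grep -c exits 1 on zero matches,
# so the "|| true" keeps the function usable under "set -e".
count_fortify_redefinitions() {
    grep -c '"_FORTIFY_SOURCE" redefined' || true
}

# Constructed build-log excerpt: a hardened profile passes =3 and a
# configure script then appends =2, which is exactly the reported bug.
SAMPLE_LOG='gcc -O2 -D_FORTIFY_SOURCE=3 -D_FORTIFY_SOURCE=2 -c main.c
<command-line>: warning: "_FORTIFY_SOURCE" redefined
<command-line>: note: this is the location of the previous definition'

# Stand-alone demonstration when run directly.
echo "no setting   -> $(merge_fortify_flags '-DPARANOID' 2)"
echo "distro =3    -> $(merge_fortify_flags '-D_FORTIFY_SOURCE=3 -DPARANOID' 2)"
echo "user -U      -> $(merge_fortify_flags '-U_FORTIFY_SOURCE' 2)"
echo "warnings     -> $(printf '%s\n' "$SAMPLE_LOG" | count_fortify_redefinitions)"
```

Run as `sh fortify_flags.sh`: the first line gains `-D_FORTIFY_SOURCE=2`, the other two CPPFLAGS pass through untouched, and the log scan reports one warning. The level supplied as the second argument is whatever the project's paranoid setting maps to; whether a given compiler accepts =3 is a separate probe (a compile test in configure) that this fragment does not perform.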