Bug 892900 - app-admin/clsync-0.4.5 redefines _FORTIFY_SOURCE
Summary: app-admin/clsync-0.4.5 redefines _FORTIFY_SOURCE
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Andrew Savchenko
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 847148
Reported: 2023-02-02 08:15 UTC by Agostino Sarubbo
Modified: 2023-02-03 18:27 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log (build.log,67.85 KB, text/plain)
2023-02-02 08:15 UTC, Agostino Sarubbo
Description Agostino Sarubbo gentoo-dev 2023-02-02 08:15:30 UTC
https://blogs.gentoo.org/ago/2020/07/04/gentoo-tinderbox/

Issue: app-admin/clsync-0.4.5 redefines _FORTIFY_SOURCE.
Discovered on: amd64 (internal ref: hardened_tinderbox)

NOTE:
(HARDENED-SYSTEM) in the summary means that the bug was found on a machine that runs a hardened profile with -D_FORTIFY_SOURCE=3 and -D_GLIBCXX_ASSERTIONS (https://www.gentoo.org/support/news-items/2023-01-01-hardening-fortify-assertions.html) but this bug MAY or MAY NOT BE related to the changes related to hardened.
Comment 1 Agostino Sarubbo gentoo-dev 2023-02-02 08:15:32 UTC
Created attachment 849684 [details]
build.log

build log and emerge --info
Comment 2 Andrew Savchenko gentoo-dev 2023-02-03 14:09:32 UTC
clsync is designed to set -D_FORTIFY_SOURCE according to user security preferences during the configure stage. It is possible to disable -D_FORTIFY_SOURCE enforcement with the --disable-paranoid configure option, but the price will be a lower security level, because other security features will be disabled as well.

I think adding -D_FORTIFY_SOURCE=3 to --enable-paranoid=2 will be a reasonable solution, though I don't want to remove -D_FORTIFY_SOURCE control from configure at all, since many OSes don't do this properly.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-03 14:52:53 UTC
(In reply to Andrew Savchenko from comment #2)
> clsync is designed to set -D_FORTIFY_SOURCE according to user security
> preferences during configure stage. It is possible to disable
> -D_FORTIFY_SOURCE enforcement with --disable-paranoid configure option, but
> the price will be lower security level, because other security features will
> be disabled as well.

What other features? It's quite common for us to need to pass such things in Gentoo because they either override or lower protection compared to defaults.

> 
> I think adding -D_FORTIFY_SOURCE=3 to --enable-paranoid=2 will be reasonable
> solution, though I don't want to remove -D_FORTIFY_SOURCE control from
> configure at all, since many OSes don't do this properly.

In Gentoo, we always have F_S=2 as a minimum, so it's fine to patch it locally.
Comment 4 Andrew Savchenko gentoo-dev 2023-02-03 15:32:16 UTC
(In reply to Sam James from comment #3)
> (In reply to Andrew Savchenko from comment #2)
> > clsync is designed to set -D_FORTIFY_SOURCE according to user security
> > preferences during configure stage. It is possible to disable
> > -D_FORTIFY_SOURCE enforcement with --disable-paranoid configure option, but
> > the price will be lower security level, because other security features will
> > be disabled as well.
> 
> What other features? It's quite common for us to need to pass such things in
> Gentoo because they either override or lower protection compared to defaults.

AS_IF(
    [test $paranoid -ge 1],
    [
        CPPFLAGS="${CPPFLAGS} -D_FORTIFY_SOURCE=2 -DPARANOID"
        CFLAGS="${CFLAGS} -fstack-protector-all -Wall --param ssp-buffer-size=4"
        LDFLAGS="${LDFLAGS} -Xlinker -zrelro"
        AX_CHECK_COMPILE_FLAG([-fstack-check], [CFLAGS="${CFLAGS} -fstack-check"])
    ]
)
AS_IF([test $paranoid -eq 2], [CPPFLAGS="${CPPFLAGS} -DVERYPARANOID"])

-DPARANOID and -DVERYPARANOID control various run-time sanity checks or other safety measures within the code. At paranoid level 2, expensive checks are enabled in clsync, which correlates well with -D_FORTIFY_SOURCE=3, as they are expensive as well compared to -D_FORTIFY_SOURCE=2 (e.g. run-time vs build-time).

> > 
> > I think adding -D_FORTIFY_SOURCE=3 to --enable-paranoid=2 will be reasonable
> > solution, though I don't want to remove -D_FORTIFY_SOURCE control from
> > configure at all, since many OSes don't do this properly.
> 
> In Gentoo, we always have F_S=2 as a minimum, so it's fine to patch it
> locally.

As a default != as a minimum.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-03 15:38:51 UTC
(In reply to Andrew Savchenko from comment #4)
> (In reply to Sam James from comment #3)
> > (In reply to Andrew Savchenko from comment #2)
> > > clsync is designed to set -D_FORTIFY_SOURCE according to user security
> > > preferences during configure stage. It is possible to disable
> > > -D_FORTIFY_SOURCE enforcement with --disable-paranoid configure option, but
> > > the price will be lower security level, because other security features will
> > > be disabled as well.
> > 
> > What other features? It's quite common for us to need to pass such things in
> > Gentoo because they either override or lower protection compared to defaults.
> 
> AS_IF(
>     [test $paranoid -ge 1],
>     [
>         CPPFLAGS="${CPPFLAGS} -D_FORTIFY_SOURCE=2 -DPARANOID"
>         CFLAGS="${CFLAGS} -fstack-protector-all -Wall --param ssp-buffer-size=4"
>         LDFLAGS="${LDFLAGS} -Xlinker -zrelro"
>         AX_CHECK_COMPILE_FLAG([-fstack-check], [CFLAGS="${CFLAGS} -fstack-check"])
>     ]
> )
> AS_IF([test $paranoid -eq 2], [CPPFLAGS="${CPPFLAGS} -DVERYPARANOID"])
> 
> -DPARANOID and -DVERYPARANOID control various run-time sanity checks or
> other safety measures, within the code. At paranoid level 2 expensive checks
> are enabled in clsync which correlates well with -D_FORTIFY_SOURCE=3 as they
> are expensive as well compared to -D_FORTIFY_SOURCE=2 (e.g. run-time vs
> build-time).

Sounds like you could just add -DPARANOID in the ebuild then. The rest of that
is either default or a bad idea (-fstack-check is considered obsolete and we
already set -fstack-clash-protection).

We already set an SSP buffer size of 4.

> 
> > > 
> > > I think adding -D_FORTIFY_SOURCE=3 to --enable-paranoid=2 will be reasonable
> > > solution, though I don't want to remove -D_FORTIFY_SOURCE control from
> > > configure at all, since many OSes don't do this properly.
> > 
> > In Gentoo, we always have F_S=2 as a minimum, so it's fine to patch it
> > locally.
> 
> As a default != as a minimum.

I don't know what your point is. If a user sets -U..., that's their own doing.
Comment 6 Andrew Savchenko gentoo-dev 2023-02-03 18:27:54 UTC
(In reply to Sam James from comment #5)
> Sounds like you could just add -DPARANOID in the ebuild then.

It is already enabled by default via USE="+hardened", but it sets -D_FORTIFY_SOURCE=2 which causes this bug.

> The rest of that is either default or a bad idea (-fstack-check is
> considered obsolete and we already set -fstack-clash-protection).
> 
> We already set an SSP buffer size of 4.

I know, but configure.ac is made to be universal, not Gentoo-specific. The SSP buffer size is not set that way everywhere, and neither are the other options.

I probably need to add a gcc feature test, because unconditionally using -D_FORTIFY_SOURCE=3 will break builds for users with older gcc.
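
The following is an added example, not part of the bug thread or of clsync's configure.ac: POSIX shell functions showing how a configure step could avoid the redefinition reported here by inspecting the flags it was handed before appending -D_FORTIFY_SOURCE. The function names and sample flag strings are constructed, and the policy of raising a lower or undefined level is an assumption.

```shell
#!/bin/sh
# Added illustration; names and sample flag strings are constructed.

# Print the _FORTIFY_SOURCE level in effect in a flag string, or "none".
# As in the compiler, a later -D or -U overrides an earlier one, and a
# bare -DNAME defines the macro as 1.
# Limitation: a compiler that predefines the macro internally is not
# visible here; that case needs a preprocessor query instead.
effective_fortify() {
    level=none
    for flag in $1; do
        case $flag in
            -D_FORTIFY_SOURCE=[0-9]) level=${flag#*=} ;;
            -D_FORTIFY_SOURCE)       level=1 ;;
            -U_FORTIFY_SOURCE)       level=none ;;
        esac
    done
    printf '%s\n' "$level"
}

# Print the options to append so that at least level $2 is in effect.
# Never lowers an existing level and never emits a second -D without a
# preceding -U, which is what triggers the "redefined" diagnostic.
fortify_additions() {
    have=$(effective_fortify "$1")
    want=$2
    if [ "$have" = none ]; then
        printf '%s\n' "-D_FORTIFY_SOURCE=$want"
    elif [ "$have" -ge "$want" ]; then
        printf '\n'    # already as strict or stricter: add nothing
    else
        printf '%s\n' "-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=$want"
    fi
}

# Constructed sample: the caller already passes level 3, the script wants 2.
printf 'add: [%s]\n' "$(fortify_additions '-O2 -D_FORTIFY_SOURCE=3' 2)"
```
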