
Bug 259417 (fortify-source)

Summary: [Tracker] >=sys-devel/gcc-4.3.3 -D_FORTIFY_SOURCE=2 and -Wformat-security porting
Product: Gentoo Linux Reporter: Peter Alfredsen (RETIRED) <loki_val>
Component: Current packages Assignee: Gentoo Toolchain Maintainers <toolchain>
Status: RESOLVED FIXED    
Severity: normal CC: gengor, kanelxake, nikoli, patrick, please.no.spam.here, zorry
Priority: High Keywords: Tracker
Version: 2008.0   
Hardware: All   
OS: Linux   
URL: http://archives.gentoo.org/gentoo-dev/msg_8efa8bf5aad1fd2d724f4ba001b26ff7.xml
See Also: https://bugs.gentoo.org/show_bug.cgi?id=713576
https://bugs.gentoo.org/show_bug.cgi?id=847148
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 363453, 363565, 430616, 443718, 511478, 512392, 512400, 512408, 520964, 521002, 521032, 521034, 521248, 521282, 528106, 541722, 542128, 542130, 542244, 542272, 559692, 576590, 578554, 213833, 218567, 232079, 232081, 232084, 232100, 232102, 232968, 233001, 238060, 253786, 256638, 256660, 256668, 256782, 256914, 256955, 257016, 257047, 257139, 257177, 257265, 257290, 257340, 257506, 257823, 257963, 257968, 258075, 258295, 258382, 258487, 258752, 259013, 259045, 259305, 259340, 259699, 260070, 260074, 260081, 260180, 260183, 260185, 260186, 260451, 260539, 260674, 260717, 260817, 260840, 260847, 260849, 260873, 260886, 260925, 260941, 260983, 260985, 261099, 261100, 261144, 261145, 261147, 261187, 261276, 261283, 261299, 261320, 261438, 261676, 264094, 264112, 264286, 264395, 267013, 268531, 272540, 273170, 273176, 274119, 274308, 274379, 276730, 276872, 277158, 277459, 278986, 284155, 285374, 287746, 294824, 296618, 301795, 301879, 310847, 317695, 319789, 320785, 321983, 323057, 325281, 329039, 329043, 329049, 329051, 332255, 335115, 336599, 336601, 336603, 336604, 336605, 336606, 336607, 336609, 336611, 336754, 336755, 336855, 336887, 336941, 336988, 337020, 337059, 337087, 337090, 337181, 337188, 337224, 337233, 337239, 337314, 337363, 337365, 337366, 337410, 337415, 337422, 337436, 337444, 337446, 337478, 337520, 337527, 337565, 337676, 337745, 337775, 337779, 337849, 337851, 337867, 337874, 337889, 337897, 337903, 338147, 338151, 338163, 338179, 338180, 338619, 338730, 338819, 338823, 338863, 338905, 338936, 338971, 339004, 339107, 339109, 339122, 339196, 339242, 339248, 339259, 339355, 339360, 339364, 339405, 339451, 339455, 339456, 339481, 339539, 339541, 339545, 339652, 339702, 339706, 339746, 339750, 339808, 339842, 339898, 339900, 339901, 339917, 340085, 340141, 340143, 340145, 340147, 340148, 340149, 340166, 340167, 340196, 340249, 340251, 340253, 340255, 340357, 340439, 340441, 340579, 340665, 340671, 340789, 340829, 340833, 340901, 340905, 
340909, 340911, 340969, 341089, 341103, 341115, 341185, 341223, 341525, 341715, 342307, 342309, 342799, 342857, 342907, 343133, 343341, 343575, 343577, 343587, 349464, 349786, 350999, 351013, 351290, 351452, 351478, 351689, 351996, 354337, 354493, 356635, 357127, 358195, 358569, 359779, 361951, 362325, 362327, 362737, 363357, 363533, 363537, 363543, 364683, 365681, 369007, 370949, 378115, 387557, 389835, 418161, 421383, 421717, 421809, 421843, 423061, 423619, 423673, 423941, 424962, 424976, 428734, 430030, 430248, 430704, 431114, 431258, 431800, 432500, 432702, 434198, 434220, 434264, 434418, 435012, 438206, 438420, 439524, 442286, 443144, 449868, 450990, 451006, 452110, 454662, 454850, 454922, 456348, 458046, 458458, 464708, 465748, 475190, 477586, 486480, 488794, 508852, 512390, 512394, 512396, 512398, 512402, 512404, 512406, 512410, 512412, 512414, 512426, 517524, 517526, 517576, 517578, 517582, 517584, 517586, 517588, 517608, 517610, 517612, 517614, 517622, 517662, 517664, 518840, 520306, 520308, 520470, 520472, 520474, 520476, 520478, 520492, 520494, 520498, 520502, 520504, 520506, 520508, 520518, 520520, 520524, 520526, 520556, 520560, 520562, 520564, 520568, 520574, 520578, 520580, 520586, 520588, 520590, 520596, 520602, 520620, 520628, 520956, 520960, 520962, 520966, 520970, 520972, 520974, 520978, 520984, 520986, 520988, 520992, 520994, 520996, 520998, 521000, 521004, 521006, 521008, 521010, 521012, 521014, 521016, 521018, 521020, 521022, 521024, 521026, 521028, 521030, 521038, 521054, 521056, 521062, 521066, 521068, 521076, 521078, 521080, 521082, 521084, 521086, 521088, 521090, 521096, 521098, 521100, 521104, 521108, 521110, 521112, 521114, 521116, 521118, 521120, 521122, 521124, 521128, 521242, 521246, 521250, 521252, 521256, 521258, 521260, 521262, 521264, 521266, 521268, 521270, 521272, 521326, 521360, 524810, 524934, 528110, 528678, 530630, 530636, 530638, 531702, 533690, 533694, 536114, 536116, 536118, 536120, 536122, 536136, 537226, 538342, 539102, 
539104, 539228, 539230, 539232, 539320, 540466, 540470, 540636, 541212, 541724, 541984, 541986, 541988, 541992, 541994, 541996, 541998, 542000, 542002, 542004, 542104, 542122, 542124, 542132, 542134, 542138, 542140, 542274, 542276, 542278, 542280, 542666, 542672, 543014, 543016, 543018, 543032, 544316, 544352, 544354, 544356, 544358, 544362, 544364, 544366, 544370, 544374, 544644, 544670, 545316, 545966, 545978, 546406, 546408, 546528, 546546, 547082, 547084, 549250, 550044, 550456, 550524, 550534, 550628, 551786, 551790, 551794, 553314, 553340, 554636, 556444, 556568, 556806, 556830, 556846, 557120, 557132, 557140, 557144, 557410, 558326, 560032, 560838, 560840, 563490, 565140, 568970, 569720, 570696, 571894, 572702, 573510, 577430, 578968, 579428, 579442, 582916, 582928, 583534, 585530, 585878, 587222, 593658, 595168, 596496, 606498, 632628, 634994, 657668, 807766    
Bug Blocks:    

Description Peter Alfredsen (RETIRED) gentoo-dev 2009-02-17 21:58:51 UTC
In gcc-4.3.3, -D_FORTIFY_SOURCE=2 and -Wformat-security are added automagically to C[XX]FLAGS
  - Please file a NEW bug for each package affected by this change and make it BLOCK this one.
  - Do NOT use this bug for issues with >=GCC 4.3.3 itself.  File a new bug and assign it to toolchain.

Hardened has already done this for some time, so a few bugs have been moved from the gcc-4.3 tracker to this one to keep better track of things.
Comment 1 SpanKY gentoo-dev 2009-02-24 07:29:54 UTC
any package broken by -Wformat-security is broken regardless ... no package should be building with -Werror and afaik, that's the only way to trigger a failure with that
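To make concrete what comment 1 is talking about, here is an added illustration (not code from this bug or from Gentoo's gcc patch set) of the one call shape -Wformat-security reports, next to the forms it accepts. Per the GCC manual the warning only fires when -Wformat is also enabled and only for a non-literal format string with no format arguments; on its own it is a warning, and only -Werror or -Werror=format-security turns it into a build failure. The function names and the sample strings are my own.

```c
/* Build with:  gcc -O2 -Wall -Wformat -Wformat-security fmt.c
 * The line marked below then reports:
 *   warning: format not a string literal and no format arguments
 * Adding -Werror=format-security makes that a hard error; without it
 * the package still builds, which is the point made in comment 1. */
#include <stdio.h>
#include <string.h>

/* Flagged pattern: a non-literal format string and no arguments.
 * If `msg` arrives from outside the program and contains '%'
 * directives, printf interprets them and reads arguments that were
 * never passed. -D_FORTIFY_SOURCE=2 routes this call through glibc's
 * __printf_chk, which aborts at run time on a %n directive in a
 * non-constant format, but it does nothing about the other directives;
 * the warning is what catches the pattern at build time. */
void log_flagged(const char *msg)
{
    printf(msg); /* -Wformat-security warns here */
}

/* Accepted: the format is a literal and `msg` is data for %s, so any
 * '%' it contains is copied, never interpreted. Returns the length
 * snprintf would have written. */
int log_literal(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "[app] %s", msg);
}

/* Defensive helper (my own, not a glibc or GCC facility) for code that
 * must accept a caller-supplied format, e.g. a translation catalogue:
 * returns 1 if the string contains no directive other than the escaped
 * "%%", 0 otherwise. Note that -Wformat-security itself does not warn
 * when a non-literal format is used *with* arguments; that shape needs
 * the noisier -Wformat-nonliteral, so a run-time check like this is
 * the usual complement. */
int format_is_plain(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 0;           /* any other directive, including a lone '%' */
    }
    return 1;
}

int main(void)
{
    char buf[64];
    const char *untrusted = "%x%x%n";  /* constructed sample input */
    log_literal(buf, sizeof buf, untrusted);
    printf("%s (plain=%d)\n", buf, format_is_plain(untrusted));
    return 0;
}
```

Building this with both warning flags shows exactly one diagnostic, on `log_flagged`; the other two functions are silent, which is why comment 1 treats a build broken by this flag as broken by its own -Werror rather than by the flag.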
Comment 2 Peter Alfredsen (RETIRED) gentoo-dev 2009-02-25 11:28:16 UTC
*** Bug 260236 has been marked as a duplicate of this bug. ***
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-30 19:18:16 UTC
*** Bug 347267 has been marked as a duplicate of this bug. ***
Comment 4 SpanKY gentoo-dev 2014-09-11 05:31:55 UTC
i don't think any of these format-security bugs are useful.  if you want to convince upstream to make their code base nice, then that'd be great.  but i see no real value in Gentoo carrying patches, and i'm inclined to start closing them as UPSTREAM.
Comment 5 Anthony Basile gentoo-dev 2014-10-17 11:44:33 UTC
(In reply to SpanKY from comment #4)
> i don't think any of these format-security bugs are useful.  if you want to
> convince upstream to make their code base nice, then that'd be great.  but i
> see no real value in Gentoo carrying patches, and i'm inclined to start
> closing them as UPSTREAM.

I didn't even know this tracker was here.  As Peter said, hardened has lived with this a long time without too much difficulty and I really don't want to see a bunch of patches causing an unnecessary maintenance burden.

I say, let's close these upstream and suggest using append-cppflags if necessary to change the -D_FORTIFY_SOURCE=2.  As already stated -Wformat-security will just warn.
Comment 6 Mr. Bones. (RETIRED) gentoo-dev 2015-03-24 16:59:48 UTC
(In reply to SpanKY from comment #4)
>  i'm inclined to start closing them as UPSTREAM.

Please go ahead.  The bugspam is getting excessive and will continue as long as this bug is open.
Comment 7 Ryan Hill (RETIRED) gentoo-dev 2015-08-05 06:08:30 UTC
We could add -Wformat-security to portage's post-build qa checks.  This would both raise its visibility and tell people that upstream is the proper place to report any warnings to.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-12-23 13:30:51 UTC
Gentoo carries -D_FORTIFY_SOURCE=2/-Wformat-security patches for a long while including every stable compiler. Closing this bug. Feel free to create a separate tracker for -Werror=format-security failures. Those don't block gcc stabilization.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-09-01 08:14:38 UTC
For completeness, as we're doing some research into when flags were enabled by default in gentoo:

commit 313ace55dfacaf43ca2abdf5ef2926e44c59b399
Author: Mike Frysinger <vapier@gentoo.org>
Date:   Tue Jan 27 21:31:29 2009 +0000

    initial 4.3.3 patchset based on last 4.3.2 patchset

was the first to add 4.3.5/gentoo/10_all_gcc-default-format-security.patch to gcc-patches.git.