
Bug 645450

Summary: dev-db/mariadb: does not respect CFLAGS (fno-stack-protector)
Product: Gentoo Linux
Reporter: Agostino Sarubbo <ago>
Component: Current packages
Assignee: Gentoo Linux MySQL bugs team <mysql-bugs>
Status: CONFIRMED ---
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2018-01-23 13:37:14 UTC
While it is good for security purposes, the package does not respect the fno-stack-protector CFLAG.
To test, compile it with CFLAGS/CXXFLAGS fno-stack-protector and run:
checksec --file /usr/sbin/mysqld

The checksec command line tool is from app-admin/checksec.

It is also overwriting the fortify_source flag.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2018-01-23 14:04:42 UTC
Beginning in MariaDB 10.1, the option SECURITY_HARDENED [1] was added to always set pie, PIC, -fstack-protector, and -D_FORTIFY_SOURCE=2 when the compiler version was >= 4.6.

If this is unwanted, I could certainly force it off.

I did not consider it previously as it seemed to be doing the right thing.

[1] https://github.com/MariaDB/server/blob/10.1/CMakeLists.txt#L217
Comment 2 Brian Evans (RETIRED) gentoo-dev 2018-05-18 19:38:03 UTC
Marking this NEEDINFO until there is a response on the best course of action.
Comment 3 Agostino Sarubbo gentoo-dev 2018-05-19 14:12:18 UTC
It is fine to have those flags, but the user's flags should be passed after the build system flags so they can be overwritten.
Comment 4 LAP 2023-07-01 13:20:07 UTC
(In reply to Agostino Sarubbo from comment #3)
> It is fine to have those flags, but the user's flags should be passed after the
> build system flags so they can be overwritten.
>

To allow the user to decide for himself if he wants address sanitation and/or hardening, two other local USE flags could be established, call them "asan" and "harden".

Then, depending upon the USE flag selected, the ebuild would need to set the cmake options accordingly. For example, if the user selects "-asan" and "-harden":

mycmakeargs+=(
  -DSECURITY_HARDENED=OFF
  -DWITH_UBSAN=OFF
  -DWITH_ASAN=OFF
)

I've tested this on my system and there are no issues.
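
The flag-ordering point from comment 3, as an added example that is not part of the bug thread or of the MariaDB or Gentoo code: a small resolver that applies GCC's rule that a later option overrides an earlier one, so you can see which stack-protector and _FORTIFY_SOURCE setting survives for each ordering. The function name and the USER_CFLAGS value are constructed for illustration; BUILD_FLAGS holds the two options comment 1 lists for SECURITY_HARDENED.

```shell
#!/bin/sh
# Added example. Models command-line ordering only; it does not inspect
# CMake, the ebuild, or the resulting binary (use checksec for that).

# Print the stack-protector and _FORTIFY_SOURCE state left after GCC has
# processed the given options left to right. Runs in a subshell so the
# working variables do not leak into the caller.
effective_hardening() (
    ssp="default"       # nothing on the command line: toolchain default applies
    fortify="default"
    for flag in "$@"; do
        case "$flag" in
            -fno-stack-protector)     ssp="off" ;;
            -fstack-protector)        ssp="basic" ;;
            -fstack-protector-strong) ssp="strong" ;;
            -fstack-protector-all)    ssp="all" ;;
            -D_FORTIFY_SOURCE=*)      fortify="${flag#-D_FORTIFY_SOURCE=}" ;;
            -D_FORTIFY_SOURCE)        fortify="1" ;;   # -Dname defines name as 1
            -U_FORTIFY_SOURCE)        fortify="undefined" ;;
        esac
    done
    printf 'stack-protector=%s fortify=%s\n' "$ssp" "$fortify"
)

# Constructed sample of what a user might put in make.conf.
USER_CFLAGS="-O2 -pipe -fno-stack-protector -U_FORTIFY_SOURCE"
# The two compiler options comment 1 attributes to SECURITY_HARDENED.
BUILD_FLAGS="-fstack-protector -D_FORTIFY_SOURCE=2"

# Build-system flags last: the user's opt-out is silently overridden,
# which matches what the reporter observed with checksec.
printf 'build flags last: '
effective_hardening $USER_CFLAGS $BUILD_FLAGS

# User flags last (the ordering comment 3 asks for): the opt-out wins.
printf 'user flags last:  '
effective_hardening $BUILD_FLAGS $USER_CFLAGS
```

The same check can be pointed at the real compile line from a build log to confirm which side of the ordering a package ends up on before running checksec on the installed binary.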