Summary: | www-servers/nginx-1.27.0 (and 1.26.1): compile issue when using modSecurity | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | Stevan Bajić <stevan>
Component: | Current packages | Assignee: | No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: | RESOLVED FIXED | |
Severity: | major | CC: | luke5083, satmd, zhixu.liu
Priority: | Normal | Keywords: | PATCH, PullRequest
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
See Also: | https://github.com/owasp-modsecurity/ModSecurity-nginx/issues/325, https://github.com/gentoo/gentoo/pull/38343 | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 870412 | |
Attachments: | Patch for ModSecurity 1.3.0 + gcc 14; Changed ebuild | |
Description
Stevan Bajić
2024-06-05 08:19:50 UTC
CFLAGS="-O2 -pipe -g -Wno-everything" emerge -Ov1gk nginx

I had been using this option to ignore the compiler error on warning (previous) for a long time.

(In reply to Zhixu Liu from comment #1)
> CFLAGS="-O2 -pipe -g -Wno-everything" emerge -Ov1gk nginx
>
> I had been using this option to ignore the compiler error on warning
> (previous) for a long time.

That's not a good idea.

Created attachment 896024 [details, diff]
Patch for ModSecurity 1.3.0 + gcc 14
Created attachment 896025 [details]
Changed ebuild
The error results from the module's nginx configuration tests using printf() without including stdio.h. I'm suspecting gcc 14 being more strict in that regard together with compiler flags maybe. Either way, it's safe and sane to include stdio.h for the feature test.

I'm providing
- the patch itself (syntax made matching to upstream examples)
- a changed ebuild (conditionally using eapply for the patch)

The patched ebuild + file has been tested on ~amd64.

Upstream bug report: https://github.com/owasp-modsecurity/ModSecurity-nginx/issues/325

(In reply to Sam James from comment #2)
> (In reply to Zhixu Liu from comment #1)
> > CFLAGS="-O2 -pipe -g -Wno-everything" emerge -Ov1gk nginx
> >
> > I had been using this option to ignore the compiler error on warning
> > (previous) for a long time.
>
> That's not a good idea.

I don't 100% agree, the reason is:

1. The code is compiled fine w/ old compiler, failed because newer compiler (especially clang) have more restricted check. I have been faced with many such kinds of problem (package compile failed) since switch the compiler to clang, but no problem when using gcc.
2. In general, this is an issue should be handled in development stage, not a runtime issue (not 100%), since the code should have been running and tested w/ older compiler.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e98d8ef5572fae7d42e80acbb2464e70eb0ab5e7

commit e98d8ef5572fae7d42e80acbb2464e70eb0ab5e7
Author:     Z. Liu <zhixu.liu@gmail.com>
AuthorDate: 2024-08-30 09:19:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-02 02:54:28 +0000

    www-servers/nginx: add patch for http_security from upstream

    see https://github.com/owasp-modsecurity/ModSecurity-nginx/commit/7d37ace7431ea9704faa98f29876bcd72ef4b1ff

    Closes: https://bugs.gentoo.org/933598
    Signed-off-by: Z. Liu <zhixu.liu@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/38343
    Signed-off-by: Sam James <sam@gentoo.org>

 .../nginx/files/http_security-nginx-1.26.2.patch   | 26 ++++++++++++++++++++++
 ...inx-1.26.2-r1.ebuild => nginx-1.26.2-r2.ebuild} |  6 +++++
 ...inx-1.27.1-r1.ebuild => nginx-1.27.1-r2.ebuild} |  6 +++++
 3 files changed, 38 insertions(+)
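
The cause named in the thread, a module feature test that calls printf() without including stdio.h, can be checked for in any nginx module `config` script before a stricter compiler turns it into a build failure. The following is an added example, not code from the bug report, the ebuild or ModSecurity-nginx: the function names are hypothetical, the sample configs are constructed, and the stdio function list is a partial one chosen for illustration.

```python
import re

# Partial list of functions declared in <stdio.h> that feature tests tend to call.
STDIO_FUNCS = ("printf", "fprintf", "snprintf", "sprintf", "puts", "perror")
# ngx_feature*=value where value is "double quoted", 'single quoted' or bare.
ASSIGN = re.compile(
    r'''^(ngx_feature\w*)=(?:"((?:[^"\\]|\\.)*)"|'([^']*)'|(\S*))''', re.M | re.S)
CALL = re.compile(r"\b(%s)\s*\(" % "|".join(STDIO_FUNCS))
STDIO_INC = re.compile(r"#\s*include\s*<stdio\.h>")

def feature_blocks(config_text):
    """Yield one dict of ngx_feature_* settings per feature test in a config."""
    current = {}
    for m in ASSIGN.finditer(config_text):
        name = m.group(1)
        value = next((g for g in m.groups()[1:] if g is not None), "")
        if name == "ngx_feature" and current:  # the next feature test begins
            yield current
            current = {}
        current[name] = value
    if current:
        yield current

def missing_stdio(config_text):
    """Return (feature, [functions]) for tests that use stdio without including it."""
    findings = []
    for block in feature_blocks(config_text):
        called = sorted(set(CALL.findall(block.get("ngx_feature_test", ""))))
        if called and not STDIO_INC.search(block.get("ngx_feature_incs", "")):
            findings.append((block.get("ngx_feature", "?"), called))
    return findings

# Constructed samples (not copied from ModSecurity-nginx): before and after the fix.
SAMPLE_BROKEN = """
ngx_feature="ModSecurity library"
ngx_feature_name=
ngx_feature_run=no
ngx_feature_incs="#include <modsecurity/modsecurity.h>"
ngx_feature_libs="-lmodsecurity"
ngx_feature_test='printf("hello");'
. auto/feature
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace('.h>"', '.h>\n#include <stdio.h>"')

if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, missing_stdio(text))
```
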