Bug 156800 - cmake-2.4.6 fails on hardened - stack smashing attack
Summary: cmake-2.4.6 fails on hardened - stack smashing attack
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Development
Hardware: All Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
URL: http://www.cmake.org/Bug/bug.php?op=s...
Whiteboard:
Keywords:
Depends on:
Blocks: 135265 163487
Reported: 2006-12-01 06:20 UTC by Attila Tóth
Modified: 2007-11-10 09:29 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Changes O2 to Os to make it compile on hardened (cmake_worksforme.diff,699 bytes, patch)
2007-04-17 21:07 UTC, Attila Tóth

Description Attila Tóth 2006-12-01 06:20:24 UTC
architectures tested: x86 (athlon-mp, pentium-m)
CFLAGS: -O2 -march=i686 -mtune={athlon-mp|pentium-m} -pipe
environment:
Gentoo Base System version 1.12.6
make.profile: hardened/x86/2.6
grsecurity RBAC and PaX are enabled and activated
all core components (toolchain, essential libraries) are stable (non-~x86)
The problem is triggered while bootstrapping during the compilation.
The output of emerge:
>>>
-- Check for working C compiler: /usr/lib/ccache/bin/i686-pc-linux-gnu-gcc
cmake: stack smashing attack in function void cmGlobalUnixMakefileGenerator3::WriteConvenienceRules2(std::ostream&, cmLocalUnixMakefileGenerator3*, bool)()
./bootstrap: line 1274: 25998 Aborted                 "${cmake_bootstrap_dir}/cmake" "${cmake_source_dir}" "-C${cmake_bootstrap_dir}/InitialCacheFlags.cmake" "-G${cmake_bootstrap_generator}"
---------------------------------------------
Error when bootstrapping CMake:
Problem while running initial CMake
---------------------------------------------

!!! ERROR: dev-util/cmake-2.4.3 failed.
Call stack:
  ebuild.sh, line 1546:   Called dyn_compile
  ebuild.sh, line 937:   Called src_compile
  cmake-2.4.3.ebuild, line 23:   Called die
<<<
While grsec.log says:
>>>
Dec  1 15:00:41 hostname grsec: (admin:S:/) signal 6 sent to /var/tmp/portage/cmake-2.4.3/work/cmake-2.4.3/Bootstrap.cmk/cmake[cmake:25998] uid/euid:0/0 gid/egid:0/0, parent /var/tmp/portage/cmake-2.4.3/work/cmake-2.4.3/bootstrap[bootstrap:18623] uid/euid:0/0 gid/egid:0/0
Dec  1 15:00:41 hostname grsec: (admin:S:/) denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/cmake-2.4.3/work/cmake-2.4.3/Bootstrap.cmk/cmake[cmake:25998] uid/euid:0/0 gid/egid:0/0, parent /var/tmp/portage/cmake-2.4.3/work/cmake-2.4.3/bootstrap[bootstrap:18623] uid/euid:0/0 gid/egid:0/0
<<<

The previous version of cmake compiled flawlessly.

Regards,
Dw.
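
A triage sketch for the failure reported above, added here as an example and not part of the original report: it extracts the function named in the SSP abort message from a build log and matches the aborted PID against grsecurity's signal lines. The name `triage` and the record layout are assumptions; the sample logs are abridged from the report, plus one constructed `Killed` line to show that a death without an SSP message is not counted.

```python
import re
import signal

# Abort message printed by the gcc-3.x SSP runtime, as seen in the report.
SSP_RE = re.compile(
    r"^(?P<prog>[^:\s]+): stack smashing attack in function (?P<func>.+)$")
# Shell job-status line from ./bootstrap when the child process dies.
JOB_RE = re.compile(r"line \d+:\s+(?P<pid>\d+)\s+(?P<status>Aborted|Killed)\b")
# grsecurity signal line: "signal N sent to /path/to/binary[comm:pid]".
GRSEC_RE = re.compile(
    r"grsec: .*?signal (?P<sig>\d+) sent to (?P<path>\S+?)"
    r"\[[^:\]]+:(?P<pid>\d+)\]")

# Sample input, abridged from the report; the last line is constructed.
BUILD_LOG = r'''-- Check for working C compiler: /usr/lib/ccache/bin/i686-pc-linux-gnu-gcc
cmake: stack smashing attack in function void cmGlobalUnixMakefileGenerator3::WriteConvenienceRules2(std::ostream&, cmLocalUnixMakefileGenerator3*, bool)()
./bootstrap: line 1274: 25998 Aborted                 "${cmake_bootstrap_dir}/cmake" ...
./bootstrap: line 1301: 12024 Killed                  "${cmake_bootstrap_dir}/cmake" ...
'''

GRSEC_LOG = r'''Dec  1 15:00:41 hostname grsec: (admin:S:/) signal 6 sent to /var/tmp/portage/cmake-2.4.3/work/cmake-2.4.3/Bootstrap.cmk/cmake[cmake:25998] uid/euid:0/0 gid/egid:0/0
Dec  1 15:00:41 hostname grsec: (admin:S:/) denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/cmake-2.4.3/work/cmake-2.4.3/Bootstrap.cmk/cmake[cmake:25998] uid/euid:0/0 gid/egid:0/0
'''


def signal_name(number):
    """Map a signal number to its name, falling back to the raw number."""
    try:
        return signal.Signals(number).name
    except ValueError:
        return str(number)


def triage(build_log, grsec_log):
    """Return one record per SSP abort in build_log, correlated by PID
    with the signal lines in grsec_log."""
    # Index grsec signal lines by the PID of the process that was signalled.
    signals = {}
    for line in grsec_log.splitlines():
        m = GRSEC_RE.search(line)
        if m:
            signals[int(m["pid"])] = (signal_name(int(m["sig"])), m["path"])

    findings = []
    pending = None  # SSP message still waiting for its job-status line
    for line in build_log.splitlines():
        m = SSP_RE.match(line.strip())
        if m:
            pending = {"program": m["prog"], "function": m["func"],
                       "pid": None, "signal": None, "binary": None}
            findings.append(pending)
            continue
        m = JOB_RE.search(line)
        if m and pending is not None:
            pid = int(m["pid"])
            pending["pid"] = pid
            if pid in signals:
                pending["signal"], pending["binary"] = signals[pid]
            pending = None  # a later death without an SSP message is ignored
    return findings


if __name__ == "__main__":
    for finding in triage(BUILD_LOG, GRSEC_LOG):
        print(finding)
```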
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-12-01 06:28:11 UTC
emerge --info please.
Comment 2 Attila Tóth 2006-12-01 11:52:48 UTC
Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.18-hardened-r1 i686)
=================================================================
System uname: 2.6.18-hardened-r1 i686 Intel(R) Celeron(R) M processor         1.40GHz
Gentoo Base System version 1.12.6
Last Sync: Fri, 01 Dec 2006 09:30:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -mtune=pentium-m -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -mtune=pentium-m -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.inf.elte.hu/ http://gentoo.inode.at/"
LANG="hu_HU"
LC_ALL="hu_HU"
LINGUAS="hu"
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="7zip X X509 a52 aac aalib acl acpi aiglx alsa amr aotuv apache2 asf audiofile bash-completion bcmath bdf berkdb binfilter bitmap-fonts blas bluetooth branding browserplugin bzip2 cairo cdda cddb cdparanoia cdr cdrom chardet checkpath cli crypt css cups curl dba dbm dbus dga dhcp discard-path divx divx4linux djbfft djvu dlloader dmi dri dts dv dvd dvdr dvdread dvi eds elibc_glibc encode evo exif expat extensions fame ffmpeg fftw firefox flac flash flatfile fontconfig foomaticdb force-cgi-redirect fortran ftp gd gif gimp gimpprint gmedia gmp gnet gnome gphoto2 gpm graphviz gs gstreamer gtk gtk2 gtkhtml hal hardened hub i8x0 iconv idea idn imagemagick imap imlib input_devices_keyboard input_devices_mouse irda jabber java javascript jingle jpeg jpeg2k kernel_linux lapack latin1 lcms libcaca libplot linguas_hu lirc lm_sensors logitech-mouse lzo lzw mad matroska mbox mcal memlimit mikmod mjpeg mmap mmx mng mode-owner motif mozcalendar mp3 mp4 mpeg mysql mysqli nautilus ncurses network nls nopop3d nsplugin ntfs ogg oggvorbis openexr opengl pam pam_chroot pam_console pam_timestamp pccts pcmcia pda pdf pear perl php pic plotutils png posix ppds python quicktime rc5 readline real realmedia reiserfs rle rtc sasl scanner screen sdl sensord session sftplogging sharedext sharedmem sid skins slang smp sms sndfile soap sockets speex spell spf sse sse2 ssl svg syslog sysvipc t1lib tcl tcltk tcpd tetex tga theora tiff tk tlen tokenizer toolbar tools transcode truetype truetype-fonts type1-fonts udev underscores unicode urandom usb userland_GNU userlocales v4l v4l2 vcd video_cards_i810 video_cards_i830 video_cards_v4l vidix virus-scan visualization vlm vorbis win32codecs wma wmf wmp wxwindows x264 x86 xine xml xml2 xmlrpc xorg xpm xsl xv xvid zip zlib zvbi"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 3 Attila Tóth 2006-12-01 11:57:24 UTC
Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.18-hardened-r1 i686)
=================================================================
System uname: 2.6.18-hardened-r1 i686 AMD Athlon(TM) MP 1600+
Gentoo Base System version 1.12.6
Last Sync: Fri, 01 Dec 2006 09:30:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r2, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -mtune=athlon-mp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/mozilla/defaults/pref /usr/share/X11/xkb /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -mtune=athlon-mp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.inf.elte.hu/ http://gentoo.inode.at/"
LANG="hu_HU"
LC_ALL="hu_HU"
LINGUAS="hu"
MAKEOPTS="-j3"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext 7zip X X509 a52 aac aalib acl acpi aiglx alsa amr aotuv apache2 asf audiofile bash-completion bcmath bdf berkdb binfilter bitmap-fonts blas bluetooth branding browserplugin bzip2 cairo cdda cddb cdparanoia cdr cdrom chardet checkpath cli contentcache crypt css cups curl dba dbm dbus dga dhcp disassembler discard-path divx divx4linux djbfft djvu dlloader dmi dri dts dv dvd dvdr dvdread dvi eds elibc_glibc encode evo exif expat extensions fam fame ffmpeg fftw firefox flac flash flatfile follow-xff fontconfig foomaticdb force-cgi-redirect fortran ftp gd gif gimp gimpprint gmedia gmp gnet gnome gphoto2 gpm graphviz gs gstreamer gtk gtk2 gtkhtml hal hardened hub iconv idea idn iksemel imagemagick imap imlib inode input_devices_keyboard input_devices_mouse irda jabber java java-internal javascript jingle jpeg jpeg2k kernel_linux lapack latin1 lcms libcaca libplot linguas_hu lirc lm_sensors logitech-mouse lzo lzw mad matroska mbox mcal memlimit mhash mikmod milter ming mjpeg mmap mmx mmxext mng mode-owner motif mozcalendar mp3 mp4 mpeg mysql mysqli nautilus ncurses network nls nopop3d nsplugin ntfs odbc ogg oggvorbis openexr opengl overload pam pam_chroot pam_console pam_timestamp pccts pcmcia pcntl pcre pda pdf pear perl php pic plotutils png posix ppds python quicktime rc5 readline real realmedia reiserfs rle rtc sasl scanner screen sdl sensord session sftplogging sharedext sharedmem sid skins slang smp sms sndfile soap sockets speex spell spf sse ssl svg syslog sysvipc t1lib tcl tcltk tcpd tetex tga theora tiff tk tlen tokenizer toolbar tools transcode truetype truetype-fonts type1-fonts udev underscores unicode urandom usb userland_GNU userlocales v4l v4l2 vcd video_cards_radeon video_cards_v4l vidix virus-scan visualization vlm vorbis win32codecs wma wmf wmp wxwindows x264 x86 xine xml xml2 xmlrpc xorg xpm xsl xv xvid zip zlib zvbi"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2006-12-18 02:53:49 UTC
This seems related to the failure that I am seeing, although it manifests itself in a slightly different way. In my case, the compiler sees a stack smashing attack and the compile is aborted:

strap.cmk -DKWSYS_NAMESPACE=cmsys -c /var/tmp/portage/cmake-2.4.3/work/cmake-2.4.3/Source/kwsys/ProcessUNIX.c -o ProcessUNIX.o
i686-pc-linux-gnu-g++  -O2 -march=pentium4 -pipe -I/var/tmp/portage/cmake-2.4.3/work/cmake-2.4.3/Source   -I/var/tmp/portage/cmake-2.4.3/work/cmake-2.4.3/Bootstrap.cmk  cmake.o cmakemain.o cmakewizard.o cmCommandArgumentLexer.o cmCommandArgumentParser.o cmCommandArgumentParserHelper.o cmDepends.o cmDependsC.o cmMakeDepend.o cmMakefile.o cmGeneratedFileStream.o cmGlobalGenerator.o cmLocalGenerator.o cmInstallGenerator.o cmInstallFilesGenerator.o cmInstallScriptGenerator.o cmInstallTargetGenerator.o cmSourceFile.o cmSystemTools.o cmFileTimeComparison.o cmGlobalUnixMakefileGenerator3.o cmLocalUnixMakefileGenerator3.o cmMakefileExecutableTargetGenerator.o cmMakefileLibraryTargetGenerator.o cmMakefileTargetGenerator.o cmMakefileUtilityTargetGenerator.o cmBootstrapCommands.o cmCommands.o cmTarget.o cmTest.o cmCustomCommand.o cmCacheManager.o cmListFileCache.o cmOrderLinkDirectories.o cmListFileLexer.o Directory.o Glob.o RegularExpression.o SystemTools.o ProcessUNIX.o -o cmake
loading initial cache file /var/tmp/portage/cmake-2.4.3/work/cmake-2.4.3/Bootstrap.cmk/InitialCacheFlags.cmake
-- Check for working C compiler: /usr/lib/ccache/bin/i686-pc-linux-gnu-gcc
cmake: stack smashing attack in function void cmGlobalUnixMakefileGenerator3::WriteConvenienceRules2(std::ostream&, cmLocalUnixMakefileGenerator3*, bool)()
./bootstrap: line 1274: 31214 Aborted                 "${cmake_bootstrap_dir}/cmake" "${cmake_source_dir}" "-C${cmake_bootstrap_dir}/InitialCacheFlags.cmake" "-G${cmake_bootstrap_generator}"
---------------------------------------------
Error when bootstrapping CMake:
Problem while running initial CMake
---------------------------------------------

!!! ERROR: dev-util/cmake-2.4.3 failed.
Call stack:
  ebuild.sh, line 1546:   Called dyn_compile
  ebuild.sh, line 937:   Called src_compile
  cmake-2.4.3.ebuild, line 23:   Called die

!!! ./bootstrap failed
!!! If you need support, post the topmost build error, and the call stack if relevant.


Portage 2.1.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.17-hardened-r1xtrafs i686)
=================================================================
System uname: 2.6.17-hardened-r1xtrafs i686 Intel(R) Xeon(TM) CPU 3.20GHz
Gentoo Base System version 1.12.6
Last Sync: Sun, 17 Dec 2006 00:20:02 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.3.5-r2, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/init.d /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg ccache distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/srv/gentoo/overlay"
USE="x86 apache2 bash-completion cracklib crypt elf elibc_glibc hardened input_devices_keyboard input_devices_mouse ipv6 kernel_linux mmx ncurses nolvmstatic pam perl readline serial sse sse2 ssl userland_GNU zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2006-12-18 02:59:49 UTC
Apologies for the oversight. I have exactly the same failure, not just something similar. I just noticed the same messages in dmesg as Attila reported.
Comment 6 Chris Frage 2007-01-03 20:20:35 UTC
Hello,
happy new year, lately, with a workaround:

Using -Os instead of -O2 results in a clean build.
Comment 7 Charlie Shepherd (RETIRED) gentoo-dev 2007-01-26 20:09:26 UTC
(In reply to comment #6)
> Using -Os instead of -O2 results in a clean build.

Doesn't work here.

-- Check for working C compiler: /usr/bin/cc
cmake: stack smashing attack in function void cmGlobalGenerator::CreateDefaultGlobalTargets(cmTargets*)()
./bootstrap: line 1301: 12282 Aborted                 "${cmake_bootstrap_dir}/cmake" "${cmake_source_dir}" "-C${cmake_bootstrap_dir}/InitialCacheFlags.cmake" "-G${cmake_bootstrap_generator}" ${cmake_bootstrap_system_libs}
---------------------------------------------
Error when bootstrapping CMake:
Problem while running initial CMake
---------------------------------------------

Reported upstream.
Comment 8 solar (RETIRED) gentoo-dev 2007-01-26 20:23:15 UTC
ssp and c++ are very hit and miss. This may not be an upstream problem at all. personally I'd just relax ssp on this package (well all of KDE/QT stuff really).
Comment 9 Cédric Krier gentoo-dev 2007-03-06 19:26:36 UTC
It compiles for me when I switch to gcc profile hardenednopiessp
Comment 10 Christian Heim (RETIRED) gentoo-dev 2007-03-16 14:05:38 UTC
And it works fine for me with the new toolchain.
Comment 11 Wolfram Schlich (RETIRED) gentoo-dev 2007-03-20 18:26:34 UTC
(In reply to comment #10)
> And it works fine for me with the new toolchain.

"the new toolchain"?
Comment 12 Attila Tóth 2007-04-17 20:26:40 UTC
(In reply to comment #10)
> And it works fine for me with the new toolchain.
> 

The new toolchain is in fact not hardened-ready at this time. If you are using a real (means pie & ssp) hardened profile, you can't have the new toolchain (cos it's hard masked) - except for if you are a toolchain developer or want to play around with it. A regular user - including me - won't risk the system with development staged toolchains. I know, that an SELinux enabled boxen can be installed using the new toolchain, but whoever decides to go that way, will miss a serious point of security, IMHO. So those who stick to the stable hardened toolchain won't be cured by the new one and still affected by this bug.

As it was reported on the hardened mailing list, the new toolchain will be available only with some forthcoming glibc version in the future. The reason for this is that it has been completely rewritten in the meantime. I hope for better C++ hardening related to the proposed changes.

It's good to know, that the new toolchain doesn't suffer this problem, but it's not really hardened, so it's possible, that the problem will reappear with the introduction of hardened features in the new toolchain.
Comment 13 Attila Tóth 2007-04-17 21:07:35 UTC
Created attachment 116565
Changes O2 to Os to make it compile on hardened

Based on comment #6 I've made some changes to the current stable ebuild to make it compile on hardened
Comment 14 Attila Tóth 2007-04-17 21:09:10 UTC
(In reply to comment #6)
> Hello,
> happy new year, lately, with a workaround:
> 
> Using -Os instead of -O2 results in a clean build.
> 

Thanks Chris, it works for me.
I've created the attachment for those, who have similar problems on Hardened Gentoo.

Regards,
Dw.
Comment 15 Carsten Lohrke (RETIRED) gentoo-dev 2007-04-25 16:03:11 UTC
hardened toolchain problem
Comment 16 Kevin F. Quinn (RETIRED) gentoo-dev 2007-04-25 21:15:43 UTC
Our favourite issue - gcc-3/C++/SSP :/
Comment 17 Kevin F. Quinn (RETIRED) gentoo-dev 2007-05-12 18:47:58 UTC
Just to note; this works fine for me with hardened gcc-4.1.2 (currently only in my overlay - hopefully should hit the tree soon).
Comment 18 Attila Tóth 2007-05-13 18:29:05 UTC
(In reply to comment #17)
> Just to note; this works fine for me with hardened gcc-4.1.2 (currently only in
> my overlay - hopefully should hit the tree soon).
> 

Hi Kevin,

It's always good to hear, that some real experts achieve great progression.
Thank you (and your colleagues) very much. So we could expect some time consuming upgrades in the near future - which is a good news in this case, isn't it?

Regards,
Dw.
Comment 19 Wulf Krueger (RETIRED) gentoo-dev 2007-06-07 16:04:02 UTC
 (In reply to comment #17)
> Just to note; this works fine for me with hardened gcc-4.1.2 (currently only in
> my overlay - hopefully should hit the tree soon).

Does this mean this is fixed now? (I have no idea about hardened stuff.)
Comment 20 Christian Heim (RETIRED) gentoo-dev 2007-06-07 16:16:51 UTC
(In reply to comment #19)
>  (In reply to comment #17)
> > Just to note; this works fine for me with hardened gcc-4.1.2 (currently only in
> > my overlay - hopefully should hit the tree soon).
> 
> Does this mean this is fixed now? (I have no idea about hardened stuff.)

No, as I said to you last week in IRC, the hardened gcc-4.1.2 is not yet available in the tree ...
Comment 21 Wolfram Schlich (RETIRED) gentoo-dev 2007-07-07 13:34:35 UTC
What's the current status of hardened-gcc-4?
Comment 22 Christian Heim (RETIRED) gentoo-dev 2007-07-07 14:09:53 UTC
(In reply to comment #21)
> What's the current status of hardened-gcc-4?

It's waiting for vapier to complete the testing/integration (see http://thread.gmane.org/gmane.linux.gentoo.devel/50094/focus=50167).
Comment 23 Steffen 'j0inty' Stollfuß 2007-07-12 19:28:04 UTC
Hi people,

I had read the posting above and patched my ebuild file with the replace-flags line.

But I get always again this error.

Report to http://bugs.gentoo.org/
./bootstrap: line 1301: 12024 Killed                  "${cmake_bootstrap_dir}/cmake" "${cmake_source_dir}" "-C${cmake_bootstrap_dir}/InitialCacheFlags.cmake" "-G${cmake_bootstrap_generator}" ${cmake_bootstrap_system_libs}
---------------------------------------------
Error when bootstrapping CMake:
Problem while running initial CMake
---------------------------------------------

!!! ERROR: dev-util/cmake-2.4.6-r1 failed.
Call stack:
  ebuild.sh, line 1621:   Called dyn_compile
  ebuild.sh, line 973:   Called qa_call 'src_compile'
  ebuild.sh, line 44:   Called src_compile
  cmake-2.4.6-r1.ebuild, line 36:   Called die

!!! ./bootstrap failed
!!! If you need support, post the topmost build error, and the call stack if relevant.
!!! A complete build log is located at '/var/tmp/portage/dev-util/cmake-2.4.6-r1/temp/build.log'.


pandora ~ # emerge --info
Portage 2.1.2.9 (hardened/x86/2.6, gcc-3.4.6, glibc-2.5-r4, 2.6.20-hardened-r5 i686)
=================================================================
System uname: 2.6.20-hardened-r5 i686 Pentium III (Katmai)
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 12 Jul 2007 16:50:01 +0000
ccache version 2.4 [disabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.3.5-r3, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -mtune=i686 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/fax /var/bind /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=pentium3 -mtune=i686 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.intergenia.de/ ftp://pandemonium.tiscali.de/pub/gentoo/ ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo"
LINGUAS="de en_GB"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://194.97.4.250/gentoo-portage"
USE="alsa apache2 apm bash_completion berkdb crypt cups fat fax foomaticdb hardened java lm_sensors midi mmx mysql nls nptl nptlonly oss pam php pic ppds readline reiserfs sasl server sse ssl symlink tcpd threads unicode urandom usb vhosts x86 xorg zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de en_GB" USERLAND="GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY


What do you mean with "update the toolchain" ? Is it enough to upgrade the gcc to version 4.1.2 ? I need cmake to compile gammu and setting up a sms gateway.

regards
J0ointy.sL
Comment 24 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2007-08-11 17:22:52 UTC
(In reply to comment #20)
...
> No, as I said to you last week in IRC, the hardened gcc-4.1.2 is not yet
> available in the tree ...
> 

Any news on this?
Comment 25 Navid Zamani 2007-08-12 16:16:30 UTC
i still get the same problem, and therefore can't update my system :(
the patch does not work for me. i get checksum errors for the ebuild-file afterwards and would be more happy with a real solution (meaning one that is solvable with a sync and a re-emerge)

(just to clarify things: i have a hardened system too and therefore of course can't use a newer version or gcc 4.x)
Comment 26 Jan Kundrát (RETIRED) gentoo-dev 2007-08-15 21:16:55 UTC
(In reply to comment #25)
> the patch does not work for me. i get checksum errors for the ebuild-file

`ebuild /path/to/the/file/you/touched manifest` to fix it

> (just to clarify things: i have a hardened system too and therefore of course
> can't use a newer version or gcc 4.x)

You can always temporarily switch to the non-hardened compiler for this package.
Comment 27 Christian Heim (RETIRED) gentoo-dev 2007-10-10 19:44:47 UTC
Once you guys sync up, it should be fixed for 2.4.6-r1, and all the 2.4.7* ebuilds.
Comment 28 Attila Tóth 2007-10-11 06:12:30 UTC
(In reply to comment #27)
> Once you guys sync up, it should be fixed for 2.4.6-r1, and all the 2.4.7*
> ebuilds.
> 

Maybe I got it wrong and this message wasn't addressed to me, but for me 2.4.6-r2 still fails the same way (stack smashing attack) while bootstrapping during the ebuild.
Is this intended to be applied for the stable hardened-toolchain users also?
Or I synced too early?

Regards,
Dw.
Comment 29 Christian Heim (RETIRED) gentoo-dev 2007-11-10 09:28:44 UTC
(In reply to comment #28)
> (In reply to comment #27)
> > Once you guys sync up, it should be fixed for 2.4.6-r1, and all the 2.4.7*
> > ebuilds.
> > 
> 
> Maybe I got it wrong and this message wasn't addressed to me, but for me
> 2.4.6-r2 still fails the same way (stack smashing attack) while bootstrapping
> during the ebuild.
> Is this intended to be applied for the stable hardened-toolchain users also?
> Or I synced too early?

2.4.6-r2 isn't a tree version, as you can see from http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-util/cmake/?hideattic=0.

The above comment was targeted at stable using people, yes.