Bug 949403 - gnome-base/librsvg-2.58.5: librsvg-2.so library incompatible with x86_64 CET/shadow stack
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Gentoo Linux Gnome Desktop Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 949404
Reported: 2025-02-07 21:17 UTC by Maciej S. Szmigiero
Modified: 2025-02-17 20:03 UTC

See Also:
Package list:
Runtime testing required: ---


Description Maciej S. Szmigiero 2025-02-07 21:17:31 UTC
The built librsvg-2.so library from gnome-base/librsvg-2.58.5 lacks CET/shadow stack markings:
> $ readelf -n /usr/lib64/librsvg-2.so | grep -a SHSTK
> (empty)
It looks like Rust 1.60+ has an appropriate option to enable such markings:
https://github.com/rust-lang/rust/blob/master/src/doc/unstable-book/src/compiler-flags/cf-protection.md

Maybe a "cet" USE flag should be added to the dev-lang/rust ebuild to enable it by default, much like the "cet" USE flag does for sys-devel/gcc?

I have previously reported this upstream, but upstream closed the issue responding that the build flags "are generally overridden by those who distribute the binary":
https://gitlab.gnome.org/GNOME/librsvg/-/issues/1151#note_2343581
Comment 1 Matt Turner gentoo-dev 2025-02-17 20:03:34 UTC
FWIW, I build with

> RUSTFLAGS="... -Z cf-protection=full"

and I have

> $ readelf -n /usr/lib64/librsvg-2.so | grep -a SHSTK
>      Properties: x86 feature: IBT, SHSTK

The problem is that the `-Z cf-protection=...` flag is only available in Rust if USE=nightly is set.
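
The `readelf -n | grep SHSTK` check used in this report reads the `GNU_PROPERTY_X86_FEATURE_1_AND` entry of the library's `.note.gnu.property` note. The parser below is an added example, not code from the bug report or from Gentoo; it decodes that entry directly so the check can run without binutils. It assumes a little-endian ELF64 file whose `PT_GNU_PROPERTY` segment starts with the GNU property note, and `make_sample` is a hypothetical helper that builds a constructed test image.

```python
import struct
import sys

PT_GNU_PROPERTY = 0x6474E553           # segment that maps .note.gnu.property
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURES = {0x1: "IBT", 0x2: "SHSTK"}  # bits readelf prints as "x86 feature:"

def x86_cet_features(elf: bytes) -> set:
    """Return the CET features marked in a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_phoff, = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != PT_GNU_PROPERTY:
            continue
        note = elf[p_offset:p_offset + p_filesz]
        namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or note[12:12 + namesz] != b"GNU\0":
            continue
        start = 12 + ((namesz + 3) & ~3)
        desc, pos = note[start:start + descsz], 0
        while pos + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz >= 4:
                bits, = struct.unpack_from("<I", desc, pos + 8)
                return {name for bit, name in FEATURES.items() if bits & bit}
            pos += 8 + ((pr_datasz + 7) & ~7)   # ELF64 properties are 8-byte aligned
    return set()    # no marking: the "(empty)" grep result from the description

def make_sample(bits):
    """Constructed minimal image: ELF header, one program header, one note."""
    prop = b"" if bits is None else struct.pack(
        "<III4x", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits)
    note = struct.pack("<III4s", 4, len(prop), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + prop
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, 120, 120, 120,
                       len(note), len(note), 8)
    return ehdr + phdr + note

if __name__ == "__main__":
    for path in sys.argv[1:]:           # e.g. /usr/lib64/librsvg-2.so
        with open(path, "rb") as f:
            print(path, sorted(x86_cet_features(f.read())) or "no CET marking")
```

The property name ends in `_AND` because the linker intersects it across all input objects, so a single unmarked object leaves the resulting library without the SHSTK bit.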