Bug 259417 (fortify-source) - [Tracker] >=sys-devel/gcc-4.3.3 -D_FORTIFY_SOURCE=2 and -Wformat-security porting
Status: RESOLVED FIXED
Alias: fortify-source
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Toolchain Maintainers
URL: http://archives.gentoo.org/gentoo-dev...
Keywords: Tracker
: gcc-4.3.3
Reported: 2009-02-17 21:58 UTC by Peter Alfredsen (RETIRED)
Modified: 2023-09-01 08:14 UTC (History)
Description Peter Alfredsen (RETIRED) gentoo-dev 2009-02-17 21:58:51 UTC
In gcc-4.3.3, -D_FORTIFY_SOURCE=2 and -Wformat-security are added automagically to C[XX]FLAGS
  - Please file a NEW bug for each package affected by this change and make it BLOCK this one.
  - Do NOT use this bug for issues with >=GCC 4.3.3 itself.  File a new bug and
assign it to toolchain.

Hardened has already done this for some time, so a few bugs have been moved from the gcc-4.3 tracker to this one to keep better track of things.
Comment 1 SpanKY gentoo-dev 2009-02-24 07:29:54 UTC
any package broken by -Wformat-security is broken regardless ... no package should be building with -Werror and afaik, that's the only way to trigger a failure with that
Comment 2 Peter Alfredsen (RETIRED) gentoo-dev 2009-02-25 11:28:16 UTC
*** Bug 260236 has been marked as a duplicate of this bug. ***
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-30 19:18:16 UTC
*** Bug 347267 has been marked as a duplicate of this bug. ***
Comment 4 SpanKY gentoo-dev 2014-09-11 05:31:55 UTC
i don't think any of these format-security bugs are useful.  if you want to convince upstream to make their code base nice, then that'd be great.  but i see no real value in Gentoo carrying patches, and i'm inclined to start closing them as UPSTREAM.
Comment 5 Anthony Basile gentoo-dev 2014-10-17 11:44:33 UTC
(In reply to SpanKY from comment #4)
> i don't think any of these format-security bugs are useful.  if you want to
> convince upstream to make their code base nice, then that'd be great.  but i
> see no real value in Gentoo carrying patches, and i'm inclined to start
> closing them as UPSTREAM.

I didn't even know this tracker was here.  As Peter said, hardened has lived with this a long time without too much difficulty and I really don't want to see a bunch of patches causing an unnecessary maintenance burden.

I say, let's close these upstream and suggest using append-cppflags if necessary to change the -D_FORTIFY_SOURCE=2.  As already stated -Wformat-security will just warn.
Comment 6 Mr. Bones. (RETIRED) gentoo-dev 2015-03-24 16:59:48 UTC
(In reply to SpanKY from comment #4)
>  i'm inclined to start closing them as UPSTREAM.

Please go ahead.  The bugspam is getting excessive and will continue as long as this bug is open.
Comment 7 Ryan Hill (RETIRED) gentoo-dev 2015-08-05 06:08:30 UTC
We could add -Wformat-security to portage's post-build qa checks.  This would both raise its visibility and tell people that upstream is the proper place to report any warnings to.
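
A sketch of the kind of post-build log check suggested in comment 7, as an added example that is not part of the bug thread and not Portage's own code: it scans a build log for GCC's -Wformat-security diagnostic and separates plain warnings from -Werror=format-security failures. The log excerpt and the names `scan`, `summarize` and `Finding` are constructed for illustration.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path line severity")

# Message GCC emits for -Wformat-security (e.g. printf(buf) with no arguments).
# The column number is optional and the trailing [-W...] tag is not required,
# so log lines that lack either still match.
_DIAG = re.compile(
    r"^(?P<path>[^:\s]+):(?P<line>\d+):(?:\d+:)?\s*"
    r"(?P<sev>warning|error):\s*"
    r"format not a string literal and no format arguments\b"
)

# Constructed build log excerpt (not taken from any real package).
SAMPLE_LOG = """\
x86_64-pc-linux-gnu-gcc -O2 -pipe -c src/log.c -o log.o
src/log.c: In function 'log_msg':
src/log.c:42:5: warning: format not a string literal and no format arguments [-Wformat-security]
src/ui.c:17: warning: format not a string literal and no format arguments
src/net.c:88:9: error: format not a string literal and no format arguments [-Werror=format-security]
src/net.c:90:3: warning: unused variable 'n' [-Wunused-variable]
src/log.c:42:5: warning: format not a string literal and no format arguments [-Wformat-security]
"""


def scan(log_text):
    """Return the unique format-security findings in a build log, sorted."""
    found = set()  # the same file is often compiled more than once
    for raw in log_text.splitlines():
        m = _DIAG.match(raw.strip())
        if m:
            found.add(Finding(m["path"], int(m["line"]), m["sev"]))
    return sorted(found)


def summarize(findings):
    """Count findings by severity; 'error' means -Werror made it fatal."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.path}:{f.line}: {f.severity}: report to upstream")
    print(summarize(results))
```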
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-12-23 13:30:51 UTC
Gentoo carries -D_FORTIFY_SOURCE=2/-Wformat-security patches for a long while including every stable compiler. Closing this bug. Feel free to create a separate tracker for -Werror=format-security failures. Those don't block gcc stabilization.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-09-01 08:14:38 UTC
For completeness, as we're doing some research into when flags were enabled by default in gentoo:

commit 313ace55dfacaf43ca2abdf5ef2926e44c59b399
Author: Mike Frysinger <vapier@gentoo.org>
Date:   Tue Jan 27 21:31:29 2009 +0000

    initial 4.3.3 patchset based on last 4.3.2 patchset

was the first to add 4.3.5/gentoo/10_all_gcc-default-format-security.patch to gcc-patches.git.