Source: openvas-scanner
Severity: normal
Tags: patch
X-Debbugs-Cc: florent.jacq...@canonical.com
Hi,

We had a recent FTBFS in Ubuntu due to upstream hardcoding the FORTIFY_SOURCE flag in its build-system. Would you consider the following patch enabling distro-wide hardening, instead of upstream's?

Thanks

-- System Information:
Debian Release: trixie/sid
  APT prefers noble
  APT policy: (500, 'noble'), (500, 'mantic'), (500, 'jammy'), (400, 'noble-proposed')
Architecture: amd64 (x86_64)

Kernel: Linux 6.8.0-11-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=sh: 0: getcwd() failed: No such file or directory UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From: Florent 'Skia' Jacquet <florent.jacq...@canonical.com> Date: Fri, 22 Mar 2024 17:19:59 +0100 Subject: Don't redefine FORTIFY_SOURCE Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openvas-scanner/+bug/2058758 Index: openvas-scanner-22.7.9/CMakeLists.txt =================================================================== --- openvas-scanner-22.7.9.orig/CMakeLists.txt +++ openvas-scanner-22.7.9/CMakeLists.txt @@ -208,7 +208,7 @@ if (ENABLE_COVERAGE) set (COVERAGE_FLAGS "--coverage") endif (ENABLE_COVERAGE) -set (HARDENING_FLAGS "-Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector") +set (HARDENING_FLAGS "-Wformat -Wformat-security -fstack-protector") set (LINKER_HARDENING_FLAGS "-Wl,-z,relro -Wl,-z,now") # The "-D_FILE_OFFSET_BITS=64 -DLARGEFILE_SOURCE=1" is necessary for GPGME! set (GPGME_C_FLAGS "-D_FILE_OFFSET_BITS=64 -DLARGEFILE_SOURCE=1") Index: openvas-scanner-22.7.9/debian/rules =================================================================== --- openvas-scanner-22.7.9.orig/debian/rules +++ openvas-scanner-22.7.9/debian/rules @@ -1,5 +1,7 @@ #!/usr/bin/make -f +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) %:
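Review bot: In the CMakeLists.txt hunk, removing `-D_FORTIFY_SOURCE=2` from `HARDENING_FLAGS` outright means any build that does not receive the macro from its environment (a plain upstream `cmake` build, for example) is no longer fortified by this file, while `-fstack-protector` and the linker flags stay. If the change is meant to go upstream rather than remain a distro patch, consider adding the define only when the incoming C flags do not already set `_FORTIFY_SOURCE`, and put a comment above the `set (HARDENING_FLAGS ...)` line saying that the fortify level is left to the toolchain or the packaging.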
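Review bot: In the debian/rules hunk, `hardening=+all` becomes the only source of `_FORTIFY_SOURCE` for the package, and dpkg-buildflags delivers that macro through CPPFLAGS, which CMake does not read on its own. Only the `%:` line of the rule is visible here, so please confirm that the build goes through debhelper's cmake build system (which folds CPPFLAGS into CFLAGS) and that the build log shows `-D_FORTIFY_SOURCE` on the compile lines, for example by running blhc on it. `+all` also turns on PIE and bindnow, beyond what the CMakeLists.txt change requires, so a line in the patch description stating that this is intended would help.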