Hi Gianfranco,
Thank you for this report + patch!
Stefan: what do you think about it? Would you like to apply it upstream?
Or would you prefer to keep the default on FORTIFY_SOURCE=2?
Gianfranco: I'll wait on Stefan's reply and then decide on how to tackle this in the Debian packaging.
Bye,
Joost
On Sun, Dec 29, 2024 at 03:12:34PM +0100, Gianfranco Costamagna wrote:
Package: liboprf
Version: 0.4.0-1
Severity: normal
Tags: patch
Hello, it looks like the code is setting FORTIFY_SOURCE=2 directly in the makefile, not allowing it to be overridden
from outside.
This is a build issue when people default e.g. to 3, something already done by some distros, e.g. Ubuntu.
I took the liberty to patch the code and commit the patch on git.
Description: Don't force fortify_source, we default to 3 in some architectures
Author: Gianfranco Costamagna <locutusofborg@debian.org>
Last-Update: 2024-12-11
--- liboprf-0.4.0.orig/src/noise_xk/example/makefile
+++ liboprf-0.4.0/src/noise_xk/example/makefile
@@ -6,7 +6,7 @@ CFLAGS += -I../.. -I../include -I ../in
-Wno-unknown-warning-option -Wno-unused-but-set-variable \
-Wno-unused-parameter -Wno-infinite-recursion -fPIC \
-g -fwrapv -D_BSD_SOURCE -D_DEFAULT_SOURCE -DWITH_SODIUM \
- -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 \
+ -O2 -fstack-protector-strong \
-fasynchronous-unwind-tables -fpic -Werror=format-security \
-Werror=implicit-function-declaration -Wl,-z,defs -Wl,-z,relro \
-ftrapv -Wl,-z,noexecstack
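Review bot: with `-D_FORTIFY_SOURCE=2` dropped from the `-O2 -fstack-protector-strong` line, this makefile no longer sets any fortify level of its own, so a build whose incoming CFLAGS carry no `_FORTIFY_SOURCE` define is compiled without it. Because the flags are appended with `CFLAGS +=`, consider keeping a define that is added only when the caller's flags do not already contain one, instead of removing it unconditionally.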
--- liboprf-0.4.0.orig/src/noise_xk/makefile
+++ liboprf-0.4.0/src/noise_xk/makefile
@@ -7,7 +7,7 @@ CFLAGS += -Iinclude -I include/karmel -
-Wno-unknown-warning-option -Wno-unused-but-set-variable \
-Wno-unused-parameter -Wno-infinite-recursion -fpic \
-g -fwrapv -D_BSD_SOURCE -D_DEFAULT_SOURCE -DWITH_SODIUM \
- -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 \
+ -O2 -fstack-protector-strong \
-fasynchronous-unwind-tables -fpic \
-Werror=format-security -Werror=implicit-function-declaration \
-ftrapv
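Review bot: the same unconditional removal on the `-O2 -fstack-protector-strong` line applies here, and the patch description only says the default of 3 exists on "some architectures", so it should state what level the remaining builds are expected to get. Separately, the context lines of this hunk list `-fpic` twice (after `-Wno-infinite-recursion` and after `-fasynchronous-unwind-tables`); one of them can be dropped while this flag list is being touched.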
Thanks,
Gianfranco
This is a bug; the rest of liboprf was already using level 3. Thank you for pointing this out.
fixed upstream: https://github.com/stef/liboprf/commit/ce3f2aa7bb113dc2ca385e602344e0db3925c09c
Cool, I'll cherry pick this (or are you planning to ship a new upstream release?) & do a new upload in due time.