Hi all,

In order for FORTIFY_SOURCE [1] to take effect there are two requirements:

1.) use correct optflags as defined by the guidelines [2], and
2.) include header files when using functions that can potentially be fortified by replacing with macros.

[1] http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
[2] http://fedoraproject.org/wiki/Packaging/Guidelines#head-8b14098227aebff1cf6188939e9d0877295ac448

The second problem is not specifically FORTIFY_SOURCE related; you should really include the respective headers, since many routines can really be macros, such as open(). POSIX allows this iirc.

Now -- your action is needed. Please look at the list [3] to see if your package passed a simple test [4]:

[3] http://people.redhat.com/lkundrak/check-fortify/
[4] https://bugzilla.redhat.com/attachment.cgi?id=298147

If not, do the following:

1.) See [5] for a rough explanation of the problem and what you can do with that.

2.) Search the build.log from your latest build for calls of "gcc" without the typical optflags (look for -DFORTIFY_SOURCE=2). In case you see those, you don't pass the compiler flags correctly. Examples: [6] [7]

3.) If you see warnings about implicit declarations of functions in build.log, the application omitted some header files. If you have more time, try to rebuild your package with "-Werror-implicit-function-declaration" added to %optflags in your ~/.rpmmacros to see if you rely on implicit declarations where you should include the header files with macros and/or prototypes instead.

[5] http://ovecka.be/~lkundrak/blog/entries/fortify-check.html
[6] http://koji.fedoraproject.org/packages/hal-cups-utils/0.6.15/1.fc9/data/logs/i386/build.log
[7] http://koji.fedoraproject.org/packages/iptraf/3.0.1/3.fc9/data/logs/i386/build.log

Should you find any errors, or have comments or questions, don't hesitate to mail me.

Thanks,
-- 
Lubomir Kundrak (Red Hat Security Response Team)
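
The build.log checks from steps 2.) and 3.) of the message can be scripted; the following is an added example, not part of the original message or of the linked check script. The sample log is constructed, the function names are hypothetical, and the extra test for an optimization level is an assumption layered on the message's "correct optflags": glibc only applies the fortified variants when optimization is enabled.

```python
import re
import shlex

# Constructed sample in the style of an rpmbuild build.log (not from the linked logs).
SAMPLE_LOG = """\
checking for gcc... gcc
gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -c main.c -o main.o
gcc -O2 -c util.c -o util.o
util.c:12: warning: implicit declaration of function 'strcpy'
libtool: compile:  gcc -g -D_FORTIFY_SOURCE=2 -O0 -c opt.c -o opt.o
gcc -o demo main.o util.o opt.o
"""
COMPILERS = {"gcc", "cc", "g++", "c++"}
SOURCE_RE = re.compile(r"\.(c|cc|cpp|cxx)$")
IMPLICIT_RE = re.compile(r"implicit declaration of function\s+\W?(\w+)")

def compiler_args(line):
    """Return the arguments if the line runs a compiler on a source file, else None."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes in unrelated log output
        return None
    for i, tok in enumerate(tokens):
        if tok.rsplit("/", 1)[-1] in COMPILERS:
            args = tokens[i + 1:]
            return args if any(SOURCE_RE.search(a) for a in args) else None
    return None

def is_fortified(args):
    """The define has no effect unless optimization is also enabled."""
    defined = any("FORTIFY_SOURCE=" in a and not a.endswith("=0") for a in args)
    levels = [a for a in args if re.fullmatch(r"-O\w*", a)]  # last -O wins in gcc
    return defined and bool(levels) and levels[-1] != "-O0"

def scan_build_log(text):
    """Return (unfortified compile lines, implicitly declared functions)."""
    unfortified, implicit = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = IMPLICIT_RE.search(line)
        if m:
            implicit.append((n, m.group(1)))
            continue
        args = compiler_args(line)
        if args is not None and not is_fortified(args):
            unfortified.append((n, line.strip()))
    return unfortified, implicit

if __name__ == "__main__":
    print(scan_build_log(SAMPLE_LOG))
```

Pure link steps (object files only) are skipped on purpose, since the flag matters where source files are compiled.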