Bug 1956998
| Summary: | annocheck reports that pigz is compiled without -fstack-protector-strong, -D_FORTIFY_SOURCE=2, and -fPIE/-fPIC | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Jan Pazdziora <jpazdziora> |
| Component: | pigz | Assignee: | Prarit Bhargava <prarit> |
| Status: | CLOSED ERRATA | QA Contact: | Robin Hack <rhack> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.0 | CC: | bnater, hwkernel-mgr, jjaburek, jpazdziora, lpol, prarit, qe-baseos-daemons, rhack, rlemosor |
| Target Milestone: | beta | Keywords: | TestCaseNotNeeded, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | pigz-2.5-4.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-17 15:52:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2044387 | ||
|
Description
Jan Pazdziora
2021-05-04 20:04:32 UTC
Any reason why the Makefile sets its own flags rather than using the defaults from rpm macros, for example via %{optflags}, per https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc?
This document might also be useful: https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/rawhide/f/buildflags.md. I see that pigz.spec already does %make_build CFLAGS="$RPM_OPT_FLAGS" so it might be just a matter of using %make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS" or %make_build CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}" (In reply to Jan Pazdziora from comment #7) > This document might also be useful: > https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/rawhide/f/ > buildflags.md. > > I see that pigz.spec already does > > %make_build CFLAGS="$RPM_OPT_FLAGS" > > so it might be just a matter of using > > %make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS" > > or > > %make_build CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}" Yep. My above comment was kind of to myself :) P. QE: This is a small change. Before these changes, [03:40 PM root@intel-purley-04 SPECS]# rpm -ivh pigz-2.5-3.el9.x86_64.rpm [03:40 PM root@intel-purley-04 SPECS]# rpm -ql pigz | xargs annocheck -v --ignore-gaps | grep FAIL: | grep pigz <snip> Hardened: /usr/bin/pigz: FAIL: pie test because not built with '-Wl,-pie' (gcc/clang) or '-buildmode pie' (go) Hardened: /usr/bin/pigz: FAIL: bind-now test because not linked with -Wl,-z,now Hardened: /usr/bin/unpigz: FAIL: pie test because not built with '-Wl,-pie' (gcc/clang) or '-buildmode pie' (go) Hardened: /usr/bin/unpigz: FAIL: bind-now test because not linked with -Wl,-z,now <snip> Note, you will see warnings from static /usr/lib/.build-id/ files. These are okay. After the change [03:43 PM root@intel-purley-04 SPECS]# rpm -ivh pigz-2.5-4.el9.x86_64.rpm [03:43 PM root@intel-purley-04 SPECS]# rpm -ql pigz | xargs annocheck -v --ignore-gaps | grep FAIL: | grep pigz You will not see any warnings from /usr/bin/pigz. QE can you set ITM and provide qa_ack? Thanks, P. QE? ping? P. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: pigz), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:3944 |