Bug 2022365

Summary: Annocheck fails due to incorrect flags during compilation/linking
Product: Red Hat Enterprise Linux 9
Reporter: Zdenek Dohnal <zdohnal>
Component: cups
Assignee: Zdenek Dohnal <zdohnal>
Status: CLOSED ERRATA
QA Contact: Petr Dancak <pdancak>
Severity: medium
Priority: medium
Version: 9.0
CC: bnater, psklenar
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: cups-2.3.3op2-10.el9
Last Closed: 2022-05-17 15:56:19 UTC
Type: Bug

Description Zdenek Dohnal 2021-11-11 13:23:41 UTC
annocheck in gating reported the following errors for cups-2.3.3op2-9.el9 (http://artifacts.osci.redhat.com/testing-farm/9b2ae282-2447-43e7-8ac7-5b52ff035932/work-rpminspect3IbVOb/rpminspect/execute/data/annocheck/output.txt):

Hardened: /usr/lib64/libcupsimage.so.2: FAIL: fortify test because no indication that the necessary option was used (and a C compiler was detected) 
Hardened: /usr/lib64/libcupsimage.so.2: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-fortify.html

Hardened: /usr/lib64/libcupsimage.so.2: FAIL: warnings test because no indication that the necessary option was used (and a C compiler was detected) 
Hardened: /usr/lib64/libcupsimage.so.2: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-warnings.html

Hardened: /usr/lib64/libcupsimage.so.2: FAIL: stack-prot test because insufficient protection enabled 
Hardened: /usr/lib64/libcupsimage.so.2: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-stack-prot.html

And the following warning is shown when I run annocheck in 1mt:

Hardened: ./usr/lib/cups/filter/gziptoany: MAYB: test: stack-clash because no notes found regarding this test
Hardened: ./usr/lib/cups/filter/gziptoany: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-stack-clash.html


I needed to fix -fstack-protector-strong upstream (https://github.com/OpenPrinting/cups/pull/285), and the other problems are fixed by adjusting compilation macros:

export DSOFLAGS="$DSOFLAGS $RPM_LD_FLAGS"
export CFLAGS="$CFLAGS $RPM_OPT_FLAGS -DLDAP_DEPRECATED=1"
export CXXFLAGS="$CXXFLAGS $RPM_OPT_FLAGS -DLDAP_DEPRECATED=1"
export LDFLAGS="$LDFLAGS $RPM_LD_FLAGS -Wall -fstack-clash-protection -D_FORTIFY_SOURCE=2"
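
Added example (not part of the original report, and not rpminspect's or annocheck's own code): a small parser for the two annocheck line layouts quoted in the description, pairing each failed test with the flag named in this report. The FAIL-blocks/MAYB-reports gating policy and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: annocheck lines copied from the bug description.
SAMPLE = """\
Hardened: /usr/lib64/libcupsimage.so.2: FAIL: fortify test because no indication that the necessary option was used (and a C compiler was detected)
Hardened: /usr/lib64/libcupsimage.so.2: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-fortify.html
Hardened: /usr/lib64/libcupsimage.so.2: FAIL: warnings test because no indication that the necessary option was used (and a C compiler was detected)
Hardened: /usr/lib64/libcupsimage.so.2: FAIL: stack-prot test because insufficient protection enabled
Hardened: ./usr/lib/cups/filter/gziptoany: MAYB: test: stack-clash because no notes found regarding this test
"""

# Flags named in the bug description, paired with annocheck tests by name.
FLAG_FOR_TEST = {
    "fortify": "-D_FORTIFY_SOURCE=2",
    "warnings": "-Wall",
    "stack-prot": "-fstack-protector-strong",
    "stack-clash": "-fstack-clash-protection",
}

# Two layouts occur: "FAIL: <test> test because ..." and
# "MAYB: test: <test> because ...".
LINE_RE = re.compile(
    r"^Hardened: (?P<path>.+?): (?P<verdict>FAIL|MAYB): "
    r"(?:test: (?P<t1>[\w-]+)|(?P<t2>[\w-]+) test) because (?P<reason>.*)$"
)

def parse_annocheck(text):
    """Map each binary to its (verdict, test, suggested flag, reason) rows."""
    findings = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "info:" lines and unrelated output
        test = m.group("t1") or m.group("t2")
        findings[m.group("path")].append(
            (m.group("verdict"), test, FLAG_FOR_TEST.get(test), m.group("reason")))
    return dict(findings)

def gate_passes(findings):
    """Assumed policy for this example: FAIL blocks, MAYB is only reported."""
    return not any(row[0] == "FAIL" for rows in findings.values() for row in rows)

if __name__ == "__main__":
    found = parse_annocheck(SAMPLE)
    for path, rows in found.items():
        for verdict, test, flag, _ in rows:
            print(f"{verdict} {path}: {test} -> check for {flag}")
    print("gate:", "pass" if gate_passes(found) else "fail")
```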

Comment 9 errata-xmlrpc 2022-05-17 15:56:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: cups), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3970