Bug 2211694

Summary: annocheck: false positive in fortify test for i686 binaries.
Product: [Fedora] Fedora
Reporter: Jesus Checa <jchecahi>
Component: annobin
Assignee: Nick Clifton <nickc>
Status: MODIFIED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 39
CC: fweimer, jakub, nickc, sipoyare, yahmad
Keywords: Bugfix, Triaged
Hardware: Unspecified
OS: Linux
URL: https://artifacts.dev.testing-farm.io/03533289-6f2e-43cc-a169-5d4a793d8ae0/
Fixed In Version: annobin-12.12-1.fc39

Description Jesus Checa 2023-06-01 14:10:32 UTC
As seen in https://artifacts.dev.testing-farm.io/03533289-6f2e-43cc-a169-5d4a793d8ae0/ annocheck reports fortify as failed in i686 binaries with one of these two messages:

-------------- 
Hardened: /usr/bin/valgrind: FAIL: fortify test because no indication that the necessary option was used (and a C compiler was detected) (source: final scan)
----- or -----
Hardened: /usr/bin/valgrind-listener: FAIL: fortify test because -D_FORTIFY_SOURCE=[2|3] was not present on the command line (function: setsockopt) (source: annobin notes)
--------------

The binaries are coming from valgrind-3.21.0-5.fc39 (https://koji.fedoraproject.org/koji/buildinfo?buildID=2207502). However, this test passes for the binaries inside valgrind-3.21.0-4.fc39 (https://koji.fedoraproject.org/koji/buildinfo?buildID=2202010), and these were compiled and linked with the exact same flags.

I also ran annocheck directly on the files of both valgrind builds to check that this is not caused by rpminspect: 

--------------
[/var/tmp/rpminspect/local.lbRZ70/root]
$ annocheck --ignore-unknown --skip-lto --profile=rawhide after/i686/usr/bin/valgrind --debug-file=after/i686/usr/lib/debug/usr/bin/valgrind-3.21.0-5.fc39.i386.debug 
annocheck: Version 12.10.
Hardened: using profile: rawhide.
Hardened: valgrind: FAIL: fortify test because no indication that the necessary option was used (and a C compiler was detected) 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
Hardened: valgrind: Overall: FAIL.
[/var/tmp/rpminspect/local.lbRZ70/root]
$ annocheck --ignore-unknown --skip-lto --profile=rawhide before/i686/usr/bin/valgrind --debug-file=before/i686/usr/lib/debug/usr/bin/valgrind-3.21.0-4.fc39.i386.debug 
annocheck: Version 12.10.
Hardened: using profile: rawhide.
Hardened: valgrind: PASS.
--------------

Reproducible: Always

Steps to Reproduce:
1. rpminspect-fedora -v -a i686 -T annocheck valgrind-3.21.0-5.fc39

Actual Results:  
fortify test failed in /usr/bin/valgrind, /usr/bin/valgrind-listener, /usr/bin/vgdb

Expected Results:  
fortify test passes.

Comment 1 Nick Clifton 2023-06-01 14:14:28 UTC
The problem is that the new annobin string notes have been moved into the separate debuginfo file, but annocheck was not examining it...
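
Added example, not part of the original bug report or annobin's own code: a small check of which file, the stripped binary or its separate debuginfo file, actually carries the annobin string notes described in Comment 1. The section name `.annobin.notes`, the helper names, and the sample ELF images are assumptions constructed for illustration.

```python
import struct

SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8  # NOBITS: header only, no contents in this file

def section_types(elf: bytes) -> dict:
    """Map section name -> sh_type for a little-endian ELF32 or ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF file")
    if elf[4] == 1:   # ELFCLASS32: e_shoff at 0x20, sh_offset at +16 in each header
        (shoff,) = struct.unpack_from("<I", elf, 0x20)
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x2E)
        off_fmt, off_pos = "<I", 16
    else:             # ELFCLASS64: e_shoff at 0x28, sh_offset at +24
        (shoff,) = struct.unpack_from("<Q", elf, 0x28)
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
        off_fmt, off_pos = "<Q", 24
    (stroff,) = struct.unpack_from(off_fmt, elf, shoff + shstrndx * shentsize + off_pos)
    types = {}
    for i in range(shnum):
        name_off, sh_type = struct.unpack_from("<II", elf, shoff + i * shentsize)
        end = elf.index(b"\0", stroff + name_off)
        types[elf[stroff + name_off:end].decode()] = sh_type
    return types

def locate_notes(binary: bytes, debuginfo: bytes, name: str = ".annobin.notes") -> str:
    """Return which image holds real contents for the notes section (name is an assumption)."""
    for label, image in (("binary", binary), ("debuginfo", debuginfo)):
        if section_types(image).get(name, SHT_NOBITS) != SHT_NOBITS:
            return label
    return "missing"

def make_elf32(sections):
    """Constructed sample input: a minimal ELF32 image with only section headers."""
    names = [""] + [n for n, _ in sections] + [".shstrtab"]
    strtab, offs = b"", []
    for n in names:
        offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    types = [0] + [t for _, t in sections] + [SHT_STRTAB]
    hdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0, 0, 52 + len(strtab), 0, 52, 0, 0, 40,
        len(names), len(names) - 1)
    # Every header points at the string table; only .shstrtab's offset is ever read.
    shdrs = b"".join(struct.pack("<10I", o, t, 0, 0, 52, len(strtab), 0, 0, 1, 0)
                     for o, t in zip(offs, types))
    return hdr + strtab + shdrs

# Constructed samples: a stripped binary, its debuginfo file, and an unsplit binary.
STRIPPED = make_elf32([(".text", SHT_PROGBITS)])
DEBUG = make_elf32([(".text", SHT_NOBITS), (".annobin.notes", SHT_PROGBITS)])
UNSPLIT = make_elf32([(".text", SHT_PROGBITS), (".annobin.notes", SHT_PROGBITS)])
```

A result of `debuginfo` means a checker that reads only the stripped binary sees no notes at all, which matches the "no indication that the necessary option was used" failure quoted in the description.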

Comment 2 Nick Clifton 2023-06-02 14:05:43 UTC
Should be fixed in annobin-12.12-1.fc39

Comment 3 Fedora Release Engineering 2023-08-16 08:10:02 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.