Bug 2251884

Summary: Set -fstack-protector-strong for improved security.
Product: [Fedora] Fedora Reporter: pmquinn5
Component: chromiumAssignee: Than Ngo <than>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 39CC: spotrh, than, tpopela, yaneti
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: chromium-120.0.6099.62-1.fc39 chromium-120.0.6099.62-2.fc38 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-12-08 01:39:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description pmquinn5 2023-11-28 08:55:04 UTC
Based on the following quote from this upstream thread https://crbug.com/533294:

> We do want -fstack-protector-strong enabled. Chrome OS has been using it for years, and it does provide real-world mitigations. Android will be globally using it soon (there is active work on removing the last few problems there).

And the following patch from GrapheneOS's Vanadium:

https://github.com/GrapheneOS/Vanadium/blob/main/patches/0003-switch-to-fstack-protector-strong.patch

Including the above patch would provide proactive security improvement over the existing -fstack-protector setting.

The reason this was not done upstream looks to be because of this:

> The size difference for a stripped Chromium branded chrome binary is 107700176 -> 110489552. 2.7 MB / 2.6% increase.

This seems insignificant relative to the security benefit.

Reproducible: Always

Comment 1 Than Ngo 2023-12-02 20:50:27 UTC
(In reply to pmquinn5 from comment #0)
> Based on the following quote from this upstream thread
> https://crbug.com/533294:
> 
> > We do want -fstack-protector-strong enabled. Chrome OS has been using it for years, and it does provide real-world mitigations. Android will be globally using it soon (there is active work on removing the last few problems there).
> 
> And the following patch from GrapheneOS's Vanadium:
> 
> https://github.com/GrapheneOS/Vanadium/blob/main/patches/0003-switch-to-
> fstack-protector-strong.patch
> 
> Including the above patch would provide proactive security improvement over
> the existing -fstack-protector setting.
> 
> The reason this was not done upstream looks to be because of this:
> 
> > The size difference for a stripped Chromium branded chrome binary is 107700176 -> 110489552. 2.7 MB / 2.6% increase.
> 
> This seems insignificant relative to the security benefit.
> 

i agree with you. The next chromium will be built with this compiler flag. Thanks!

Comment 2 Fedora Update System 2023-12-06 19:48:21 UTC
FEDORA-2023-5d1b8507b8 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5d1b8507b8

Comment 3 Fedora Update System 2023-12-07 01:49:39 UTC
FEDORA-2023-5d1b8507b8 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-5d1b8507b8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-5d1b8507b8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2023-12-07 08:21:04 UTC
FEDORA-2023-a32ad3e643 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a32ad3e643

Comment 5 Fedora Update System 2023-12-08 01:39:18 UTC
FEDORA-2023-5d1b8507b8 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 6 Fedora Update System 2023-12-08 02:37:43 UTC
FEDORA-2023-a32ad3e643 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a32ad3e643`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a32ad3e643

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-12-09 02:47:05 UTC
FEDORA-2023-a32ad3e643 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.