/sbin/rstpctl and /sbin/rstpd in rstp-04012009git-21.fc28.x86_64 have not been linked with the standard Fedora linker flags (LDFLAGS) from redhat-rpm-config. Looking at the build log, there is no linker flags injection at all: gcc -o rstpctl ctl_main.o ctl_cli_wrap.o ctl_socket_client.o See https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md for information on RPM macros and environment variables provided by the build environment.
Sorry, the changes did not have the intended effect: # checksec --file /sbin/rstpd RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 6 12 /sbin/rstpd # checksec --file /sbin/rstpctl RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 6 7 /sbin/rstpctl # rpm -qf /sbin/rstpd rstp-04012009git-22.fc29.x86_64
Thats odd, i added __global_ldflags to the cflags line in the spec file and it was exported: export 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' And the inclusion of redhat-hardend-ld should have picked up the pie bits.
Looks like a makefile bug. From the build log: gcc -o rstpd brstate.o libnetlink.o epoll_loop.o bridge_track.o packet.o ctl_socket.o netif_utils.o main.o brmon.o -L ./rstplib -lrstp So the makefile doesn't seem to use $(LDFLAGS) at all, or maybe it's not passed down from the outer make.
oh, you're right, the cflags are picked up, but nothing during the link. I can fix that.
Would you please put the fix into Fedora 28, too? Thanks.
rstp-04012009git-23.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0feb6e4a1a
rstp-04012009git-23.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0feb6e4a1a
Not sure why I didn't see this earlier. Maybe due to the Beta freeze, which prevented Fedora 28 updates. There is still no LDFLAGS injection in rstp-04012009git-23.fc28: gcc -o rstpctl ctl_main.o ctl_cli_wrap.o ctl_socket_client.o
changed CFLAGS export to pickup build_cflags rather than __globlal_ldflags, which was in error, but the LDFLAGS were correct, they appear to be picking up the build_ldflags just fine in this scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=26271668 I've updated the package for the CFLAGS issue
rstp-04012009git-24.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d64b2e1b72
rstp-04012009git-24.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d64b2e1b72
(In reply to Neil Horman from comment #9) > changed CFLAGS export to pickup build_cflags rather than __globlal_ldflags, > which was in error, but the LDFLAGS were correct, they appear to be picking > up the build_ldflags just fine in this scratch build: > https://koji.fedoraproject.org/koji/taskinfo?taskID=26271668 > > I've updated the package for the CFLAGS issue There's still no LDFLAGS inheritance for the linker invocations in the scratch build: gcc -o rstpctl ctl_main.o ctl_cli_wrap.o ctl_socket_client.o Seems to affect rstp-04012009git-24.fc28 as well. Sorry. 8-(
I honestly don't see what you're talking about florian. In my scratch build above from comment 9, I see this line: gcc -o rstpd brstate.o libnetlink.o epoll_loop.o bridge_track.o packet.o ctl_socket.o netif_utils.o main.o brmon.o -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L ./rstplib -lrstp That looks to me like its picking up the relro, now and specs flags. What more are you looking for?
(In reply to Neil Horman from comment #13) > I honestly don't see what you're talking about florian. In my scratch build > above from comment 9, I see this line: > gcc -o rstpd brstate.o libnetlink.o epoll_loop.o bridge_track.o packet.o > ctl_socket.o netif_utils.o main.o brmon.o -Wl,-z,relro -Wl,-z,now > -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L ./rstplib -lrstp > > That looks to me like its picking up the relro, now and specs flags. What > more are you looking for? The line I quoted was about rstpctl, not rstpd. Apparently, only one of them was fixed.
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.