Bug 1616185 - meson: Loss of -pie compared to traditional builds [rhel-7]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: meson
Version: 7.6
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Kalev Lember
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-08-15 08:18 UTC by Cedric Buissart
Modified: 2018-10-30 10:28 UTC

Fixed In Version: fwupd-1.0.8-4.el7 libappstream-glib-0.7.8-2.el7
Doc Text:
Clone Of:
: 1618722
Environment:
Last Closed: 2018-10-30 10:27:21 UTC
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3140 0 None None None 2018-10-30 10:28:00 UTC

Description Cedric Buissart 2018-08-15 08:18:36 UTC
Description of problem:

Autotools, during the ./configure process, was checking if the compiler & linker were PIE-compatible.
Meson, however, seems to prefer the simple default of enabling PIC.

PIC is good for shared libraries, but won't ensure that the executable itself is fully position independent.

This is a problem because it causes a hardening regression in our build system when a project migrates from autotools to meson.

Ideally, Meson should automagically enable PIE (`-pie -fPIE` on gcc) on executables without the maintainer having to manually adapt the CFLAGS & so on.

Comment 6 Kalev Lember 2018-09-03 12:00:33 UTC
Sorry for the late reply, I was on a long PTO. I believe hughsie was investigating the fwupd and libappstream-glib regressions in the matching RHEL8 ticket, https://bugzilla.redhat.com/show_bug.cgi?id=1618722 and the fix should be applicable to RHEL7 as well.

Comment 7 Kalev Lember 2018-09-05 09:22:16 UTC
I spent some time today investigating this and it looks like we can work around this by setting "%global _hardened_build 1" in the fwupd and libappstream-glib spec files (longer explanation in the 8.0 ticket, https://bugzilla.redhat.com/show_bug.cgi?id=1618722). Can I get exception/blocker acks for this, please? I'll use it for rebuilding fwupd and libappstream-glib.

Comment 11 errata-xmlrpc 2018-10-30 10:27:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3140

