Bug 2023392 - Environment CFLAGS are not respected by the libdnf plugin
Summary: Environment CFLAGS are not respected by the libdnf plugin
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-01-11
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.6
Assignee: Pino Toscano
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Depends On: 2023391
Blocks:
Reported: 2021-11-15 15:36 UTC by Pino Toscano
Modified: 2022-05-10 16:39 UTC (History)

Fixed In Version: subscription-manager-1.28.25-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2023391
Environment:
Last Closed: 2022-05-10 15:22:58 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | candlepin subscription-manager pull 2888 | 0 | None | Merged | [1.28] 2023392: libdnf: respect environment CFLAGS | 2021-11-18 15:11:52 UTC
Red Hat Issue Tracker | ENT-4516 | 0 | None | None | None | 2021-11-15 15:36:51 UTC
Red Hat Issue Tracker | RHELPLAN-102808 | 0 | None | None | None | 2021-11-15 15:41:42 UTC
Red Hat Product Errata | RHBA-2022:2047 | 0 | None | None | None | 2022-05-10 15:23:17 UTC

Description Pino Toscano 2021-11-15 15:36:52 UTC
+++ This bug was initially created as a clone of Bug #2023391 +++

The libdnf plugin is written in C and built with CMake; unfortunately, the project CMakeLists.txt overwrites the C build flags:

  if (CMAKE_COMPILER_IS_GNUCC)
      set (CMAKE_C_FLAGS "-Wall -fPIC -Wextra -pedantic -Wno-long-long -std=c99")
      if (CMAKE_BUILD_TYPE STREQUAL "Debug")
          set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -ggdb -O0 --coverage")
      elseif( CMAKE_BUILD_TYPE STREQUAL "Release" )
          set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DNDEBUG -g -O3 -fno-strict-aliasing")
      endif ()
  endif (CMAKE_COMPILER_IS_GNUCC)

This causes the loss of CFLAGS exported in the build environment, or even passed to the cmake command line at configure time. This causes the lack of the distribution build flags for the built plugin.

This can be checked in two ways:
a) checking the build logs: in a verbose build, all the environment CFLAGS should appear in the gcc command line that builds the sources for the libdnf plugin
b) with annocheck: annocheck --ignore-unknown --verbose product-id.so

Actual result:
annocheck shows at least two failures:
Hardened: usr/lib64/libdnf/plugins/product-id.so: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
Hardened: usr/lib64/libdnf/plugins/product-id.so: FAIL: property-note test because no .note.gnu.property section found 

Expected result:
- build log that shows the environment CFLAGS as used during the build
- no errors reported by annocheck
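
Added example (not part of the original report, and not the change merged in pull 2888): a small lint that finds the pattern described above, a set() of CMAKE_C_FLAGS whose new value does not reference ${CMAKE_C_FLAGS}. The function name and the "appending" variant are assumptions made for illustration; only single-line set() calls are handled.

```shell
#!/bin/sh
# Added example, not subscription-manager code: lint a CMakeLists.txt for
# set(CMAKE_C_FLAGS ...) calls that drop the value inherited from CFLAGS.

# Reads CMake source on stdin, prints the line number of every offending call.
# Returns 0 if at least one was found (grep-style), 1 otherwise.
find_cflags_clobber() {
    awk '
        # set(CMAKE_C_FLAGS ...) in any letter case, optional space before "(".
        /^[ \t]*[sS][eE][tT][ \t]*\([ \t]*CMAKE_C_FLAGS[ \t]/ {
            # The old value survives only if the new one references it.
            if (index($0, "${CMAKE_C_FLAGS}") == 0) { print NR; found = 1 }
        }
        END { exit !found }
    '
}

# Shortened copy of the snippet quoted in the report.
CMAKE_BEFORE='if (CMAKE_COMPILER_IS_GNUCC)
    set (CMAKE_C_FLAGS "-Wall -fPIC -Wextra -pedantic -Wno-long-long -std=c99")
    if (CMAKE_BUILD_TYPE STREQUAL "Debug")
        set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -ggdb -O0 --coverage")
    endif ()
endif (CMAKE_COMPILER_IS_GNUCC)'

# Constructed variant (an assumption, not the merged patch): same flags,
# appended to whatever CMake already took from the environment or from -D.
CMAKE_APPENDING='if (CMAKE_COMPILER_IS_GNUCC)
    set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -fPIC -Wextra -pedantic -Wno-long-long -std=c99")
endif (CMAKE_COMPILER_IS_GNUCC)'

for name in CMAKE_BEFORE CMAKE_APPENDING; do
    eval "src=\$$name"
    if lines=$(printf '%s\n' "$src" | find_cflags_clobber); then
        echo "$name: CMAKE_C_FLAGS overwritten on line(s): $lines"
    else
        echo "$name: inherited CMAKE_C_FLAGS preserved"
    fi
done
```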

Comment 1 Rehana 2022-01-24 11:51:29 UTC
Reproducing on :
----------------
subscription management server: 3.2.22-1
subscription management rules: 5.41
subscription-manager: 1.28.21-3.el8

# annocheck --ignore-unknown --verbose --skip-lto /usr/lib64/libdnf/plugins/product-id.so
annocheck: Version 9.65.
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: pie test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: writeable-got test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: dynamic-segment test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: bind-now test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: info: set binary producer to Gas version 2.
Hardened: /usr/lib64/libdnf/plugins/product-id.so: info: notes produced by assembler plugin version 1
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-stack test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-relro test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: notes test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: branch-protection test because not an AArch64 binary 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: entry test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: fortify test because no compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: glibcxx-assertions test because no compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: go-revision test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: only-go test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: optimization test because not compiled code 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: pic test because not compiled code 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: FAIL: property-note test because no .note.gnu.property section found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: run-path test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: rwx-seg test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: short-enum test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: stack-clash test because no compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: stack-prot test because no compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: stack-realign test because no compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: textrel test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: threads test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: warnings test because no compiled code found 

Pre-testing on :
----------------
subscription management server: 3.2.22-1
subscription management rules: 5.41
subscription-manager: 1.28.25-1.el8

# rpm -qa subscription-manager --changelog | grep 2023392
- 2023392: libdnf: respect environment CFLAGS (ptoscano)

# annocheck --ignore-unknown --verbose --skip-lto /usr/lib64/libdnf/plugins/product-id.so
annocheck: Version 10.29.
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: pie test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: writable-got test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: cf-protection test because correct flags found in .note.gnu.property note 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: property-note test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: dynamic-segment test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: bind-now test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: stack-prot test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: pic test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: fortify test because fortify note found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: glibcxx-assertions test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: optimization test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: warnings test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: stack-clash test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: entry test because shared libraries do not use entry points 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-stack test because stack segment exists with the correct permissions 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-relro test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: notes test because no gaps found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: not-branch-protection test because not an AArch64 binary 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: not-dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: go-revision test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: only-go test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: production test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: run-path test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: rwx-seg test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: short-enums test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: stack-realign test because not an x86 executable 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: textrel test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: threads test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: unicode test 
Hardened: product-id.so: Overall: PASS.

Notice the Overall result is PASS. Based on the above results pre-verifying the bug.
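
Added example (not part of the original comment): a gate over annocheck --verbose output. Besides the two FAIL lines, the 1.28.21-3.el8 run above skips tests such as fortify and optimization "because no compiled code found" or "not compiled code", and those same tests report PASS in the 1.28.25-1.el8 run, so the gate reports such skips as unverified instead of ignoring them. The function name is an assumption; the sample lines are copied from the two runs above.

```shell
#!/bin/sh
# Added example, not part of the bug report: gate on annocheck --verbose output.

# Reads annocheck output on stdin. Prints "FAIL <test>" for each failed test and
# "UNVERIFIED <test>" for each test skipped because annocheck saw no compiled
# code to inspect. Returns 1 if anything was printed, 0 otherwise.
annocheck_gate() {
    awk '
        / FAIL: / {
            sub(/^.*: FAIL: /, ""); sub(/ test.*$/, "")
            print "FAIL " $0; bad = 1; next
        }
        # "no GO compiled code found" is an expected skip and does not match.
        / skip: / && /(no|not) compiled code/ {
            sub(/^.*: skip: /, ""); sub(/ test.*$/, "")
            print "UNVERIFIED " $0; bad = 1
        }
        END { exit bad + 0 }
    '
}

# Subset of the lines from the 1.28.21-3.el8 run.
PRE_FIX='Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: pie test
Hardened: /usr/lib64/libdnf/plugins/product-id.so: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: fortify test because no compiled code found
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: go-revision test because no GO compiled code found
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: optimization test because not compiled code
Hardened: /usr/lib64/libdnf/plugins/product-id.so: FAIL: property-note test because no .note.gnu.property section found'

# Subset of the lines from the 1.28.25-1.el8 run.
POST_FIX='Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: cf-protection test because correct flags found in .note.gnu.property note
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: fortify test because fortify note found
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: go-revision test because no GO compiled code found
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: entry test because shared libraries do not use entry points
Hardened: product-id.so: Overall: PASS.'

for name in PRE_FIX POST_FIX; do
    eval "log=\$$name"
    if report=$(printf '%s\n' "$log" | annocheck_gate); then
        echo "$name: hardening verified"
    else
        echo "$name: hardening not verified:"; echo "$report"
    fi
done
```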

Comment 4 Rehana 2022-01-31 09:38:06 UTC
Verifying on :
==============

# subscription-manager version
server type: This system is currently not registered.
subscription management server: 3.2.22-1
subscription management rules: 5.41
subscription-manager: 1.28.25-1.el8

# rpm -qa subscription-manager --changelog | grep 2023392
- 2023392: libdnf: respect environment CFLAGS (ptoscano)

# annocheck --ignore-unknown --verbose --skip-lto /usr/lib64/libdnf/plugins/product-id.so
annocheck: Version 10.29.
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: pie test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: writable-got test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: cf-protection test because correct flags found in .note.gnu.property note 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: property-note test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: dynamic-segment test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: bind-now test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: stack-prot test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: pic test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: fortify test because fortify note found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: glibcxx-assertions test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: optimization test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: warnings test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: stack-clash test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: entry test because shared libraries do not use entry points 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-stack test because stack segment exists with the correct permissions 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-relro test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: notes test because no gaps found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: not-branch-protection test because not an AArch64 binary 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: not-dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: go-revision test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: only-go test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: production test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: run-path test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: rwx-seg test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: short-enums test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: stack-realign test because not an x86 executable 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: textrel test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: threads test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: unicode test 
Hardened: product-id.so: Overall: PASS.

Comment 6 errata-xmlrpc 2022-05-10 15:22:58 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2047

