2024930 – Environment CFLAGS are not respected by the certificate C extension

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2024930 - Environment CFLAGS are not respected by the certificate C extension

Summary: Environment CFLAGS are not respected by the certificate C extension

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Deadline:	2022-01-11
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	subscription-manager
Sub Component:
Version:	---
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.6
Assignee:	Pino Toscano
QA Contact:	Red Hat subscription-manager QE Team
Docs Contact:
URL:
Whiteboard:
Depends On:	2024929
Blocks:
TreeView+	depends on / blocked

Reported:	2021-11-19 14:41 UTC by Pino Toscano
Modified:	2022-05-10 16:39 UTC (History)
CC List:	4 users (show)
Fixed In Version:	subscription-manager-1.28.25-1.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	2024929
Environment:
Last Closed:	2022-05-10 15:22:58 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	candlepin subscription-manager pull 2891	None	Merged	2024930: build: fix build on 'build' target	2021-12-02 12:44:37 UTC
Red Hat Issue Tracker	RHELPLAN-103289	None	None	None	2021-11-19 14:42:36 UTC
Red Hat Product Errata	RHBA-2022:2047	None	None	None	2022-05-10 15:23:17 UTC

Description Pino Toscano 2021-11-19 14:41:52 UTC

+++ This bug was initially created as a clone of Bug #2024929 +++

Due to a tabs vs spaces issue in the top-level Makefile, the "all" target does not build (via setup.py) the C certificate extension as it is supposed to. Instead, that extension is built by dependency only later on in the install phase. Since the build flags (CFLAGS, LDFLAGS) are exported only during the build phase and not during the install phase, this means that that extension is built without the environment compiler and linker flags.

This can be checked in two ways:
a) checking the build logs: in a verbose build, all the environment CFLAGS should appear in the gcc command line that builds certificate.c
b) with annocheck (the filename depends on OS and architecture): annocheck --ignore-unknown --verbose _certificate.*.so

Actual results:
annocheck shows some skipped tests due to the lack of annobin (injected via custom CFLAGS):
Hardened: /usr/lib64/python3.9/site-packages/rhsm/_certificate.cpython-39-x86_64-linux-gnu.so: skip: fortify test because no C/C++ compiled code found 
Hardened: /usr/lib64/python3.9/site-packages/rhsm/_certificate.cpython-39-x86_64-linux-gnu.so: skip: glibcxx-assertions test because no C/C++ compiled code found 
Hardened: /usr/lib64/python3.9/site-packages/rhsm/_certificate.cpython-39-x86_64-linux-gnu.so: skip: lto test because not compiled C/C++ code 
Hardened: /usr/lib64/python3.9/site-packages/rhsm/_certificate.cpython-39-x86_64-linux-gnu.so: skip: optimization test because not C/C++ compiled code 
Hardened: /usr/lib64/python3.9/site-packages/rhsm/_certificate.cpython-39-x86_64-linux-gnu.so: skip: pic test because not C/C++ compiled code 
Hardened: /usr/lib64/python3.9/site-packages/rhsm/_certificate.cpython-39-x86_64-linux-gnu.so: skip: stack-clash test because no compiled code found 
Hardened: /usr/lib64/python3.9/site-packages/rhsm/_certificate.cpython-39-x86_64-linux-gnu.so: skip: stack-prot test because no compiled code found 
Hardened: /usr/lib64/python3.9/site-packages/rhsm/_certificate.cpython-39-x86_64-linux-gnu.so: skip: warnings test because no C/C++ compiled code found 

Expected results:
- build log that shows the environment CFLAGS & LDFLAGS as used during the build & linking of certificate.c
- no skipped tests due to "no C/C++ compiled code found" reported by annocheck

Comment 1 Rehana 2022-01-24 11:55:18 UTC

Reproducing the issue on : 
==========================

subscription management server: 3.2.22-1
subscription management rules: 5.41
subscription-manager: 1.28.21-3.el8

# annocheck --ignore-unknown --verbose --skip-lto /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so 
annocheck: Version 9.65.
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: pie test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: writeable-got test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: cf-protection test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: property-note test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: dynamic-segment test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: bind-now test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: info: set binary producer to Gas version 2.
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: info: notes produced by assembler plugin version 1
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: gnu-stack test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: gnu-relro test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: notes test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: branch-protection test because not an AArch64 binary 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: entry test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: fortify test because no compiled code found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: glibcxx-assertions test because no compiled code found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: go-revision test because no GO compiled code found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: only-go test because no GO compiled code found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: optimization test because not compiled code 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: pic test because not compiled code 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: run-path test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: rwx-seg test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: short-enum test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: stack-clash test because no compiled code found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: stack-prot test because no compiled code found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: stack-realign test because no compiled code found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: textrel test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: threads test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: warnings test because no compiled code found

Pre-testing on :
================
subscription management server: 3.2.22-1
subscription management rules: 5.41
subscription-manager: 1.28.25-1.el8

# annocheck --ignore-unknown --verbose --skip-lto /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so
annocheck: Version 10.29.
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: pie test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: writable-got test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: cf-protection test because correct flags found in .note.gnu.property note 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: property-note test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: dynamic-segment test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: bind-now test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: stack-prot test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: pic test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: fortify test because fortify note found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: glibcxx-assertions test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: optimization test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: warnings test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: stack-clash test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: entry test because shared libraries do not use entry points 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: gnu-stack test because stack segment exists with the correct permissions 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: gnu-relro test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: notes test because no gaps found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: not-branch-protection test because not an AArch64 binary 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: not-dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: go-revision test because no GO compiled code found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: only-go test because no GO compiled code found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: production test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: run-path test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: rwx-seg test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: short-enums test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: stack-realign test because not an x86 executable 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: textrel test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: threads test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: unicode test 
Hardened: _certificate.cpython-36m-x86_64-linux-gnu.so: Overall: PASS.

^^ Notice the overall result is now PASS. Based on the above observations , pre-verifying the bug.

Comment 4 Rehana 2022-01-31 09:39:16 UTC

Verifying on :
============

# subscription-manager version
^[[Aserver type: This system is currently not registered.
subscription management server: 3.2.22-1
subscription management rules: 5.41
subscription-manager: 1.28.25-1.el8

# rpm -qa subscription-manager --changelog | grep 2024930
- 2024930: build: fix build on 'build' target (ptoscano)

# annocheck --ignore-unknown --verbose --skip-lto /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so
annocheck: Version 10.29.
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: pie test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: writable-got test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: cf-protection test because correct flags found in .note.gnu.property note 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: property-note test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: dynamic-segment test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: bind-now test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: stack-prot test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: pic test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: fortify test because fortify note found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: glibcxx-assertions test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: optimization test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: warnings test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: stack-clash test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: entry test because shared libraries do not use entry points 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: gnu-stack test because stack segment exists with the correct permissions 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: gnu-relro test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: notes test because no gaps found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: not-branch-protection test because not an AArch64 binary 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: not-dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: go-revision test because no GO compiled code found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: only-go test because no GO compiled code found 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: production test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: run-path test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: rwx-seg test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: short-enums test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: skip: stack-realign test because not an x86 executable 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: textrel test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: threads test 
Hardened: /usr/lib64/python3.6/site-packages/rhsm/_certificate.cpython-36m-x86_64-linux-gnu.so: PASS: unicode test 
Hardened: _certificate.cpython-36m-x86_64-linux-gnu.so: Overall: PASS.

Comment 6 errata-xmlrpc 2022-05-10 15:22:58 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2047

Note You need to log in before you can comment on or make changes to this bug.