Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2044889

Summary: annocheck FAIL: stack-prot test (qatzip)
Product: Red Hat Enterprise Linux 9 Reporter: Rui Ormonde <rlemosor>
Component: qatzipAssignee: Vladislav Dronov <vdronov>
Status: CLOSED ERRATA QA Contact: Vilém Maršík <vmarsik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: rvr, vdronov, zheng.ma
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qatzip-1.0.7-1.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-17 13:10:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2044387    

Description Rui Ormonde 2022-01-25 10:35:46 UTC 
Failed test: stack-prot test

Test results:
\n Hardened: qzip: FAIL: stack-prot test because insufficient protection enabled

Applicable RPMs:
qatzip-1.0.6-5.el9.x86_64.rpm; qatzip-libs-1.0.6-5.el9.x86_64.rpm

Recommendation: Please fix the build system for the package or else add a skip of tests to the rpminspect.yaml file. For more details please see https://sourceware.org/annobin/annobin.html/Test-stack-prot.html and https://sourceware.org/annobin/annobin.html/Waiving-Hardened-Results.html#Waiving-Hardened-Results.

Why this bug was filed: All packages in RHEL 9 built with gcc (g++, etc.) are required to use a common set of flags provided by the distribution. These flags turn on important security and performance features so it is critical that any package that lacks these flags be repaired. A scanning tool named annocheck, part of the annobin package, was used to scan RHEL 9 packages. This BZ was created because binary packages of this component with the mentioned NVRs were not built with the requisite flags for one or more RHEL 9 architectures.

How to reproduce the failure: You could try running annocheck locally against your builds: https://developers.redhat.com/blog/2019/02/04/annocheck-examining-the-contents-of-binary-files.

Annocheck resources:
* annobin documentation: https://sourceware.org/annobin/annobin.html/index.html
* annocheck on the customer portal: https://access.redhat.com/documentation/en-us/red_hat_developer_toolset/9/html/user_guide/chap-annobin

Contacts:
* Instant messaging: #tools on IRC
* Email: use tools for generic questions. Otherwise, use go-tools and llvm-clang-list for Go and Clang/LLVM specific questions.
* annobin-annocheck maintainer: Nick Clifton (nickc)
Comment 4 Vladislav Dronov 2022-02-10 13:05:20 UTC 
the test action plan: just run the annocheck test and ensure '-fstack-protector-strong' error is missing. the other annocheck warnings can be ignored here.

[OLDER VERSION WITH THE ERROR]

mkdir qatzip-stack-prot
cd qatzip-stack-prot/
wget http://download.eng.brq.redhat.com/rhel-9/nightly/RHEL-9/latest-RHEL-9/compose/AppStream/x86_64/os/Packages/qatzip{,-libs}-1.0.6-5.el9.x86_64.rpm
rpm2cpio < qatzip-1.0.6-5.el9.x86_64.rpm | cpio -icdumv
rpm2cpio < qatzip-libs-1.0.6-5.el9.x86_64.rpm | cpio -icdumv
annocheck usr/


annocheck: Version 9.27.
Hardened: qzip: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: qzip: FAIL: The binary was compiled without -fstack-protector-strong.    <<< THIS
Hardened: qzip: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.
Hardened: libqatzip.so.1.0.6: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: libqatzip.so.1.0.6: MAYB: The -fstack-protector setting was not recorded.    <<< THIS
Hardened: libqatzip.so.1.0.6: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.

[FIXED C9S BUILD, no "compiled without -fstack-protector-strong" error]

rm -rf *.rpm usr/ *.rpm.1
wget https://kojihub.stream.rdu2.redhat.com/kojifiles/work/tasks/6817/946817/qatzip{,-libs}-1.0.7-1.el9.x86_64.rpm
rpm2cpio < qatzip-1.0.7-1.el9.x86_64.rpm | cpio -icdumv
rpm2cpio < qatzip-libs-1.0.7-1.el9.x86_64.rpm | cpio -icdumv
annocheck usr/


annocheck: Version 9.27.
Hardened: qzip: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: qzip: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.
Hardened: libqatzip.so.1.0.7: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: libqatzip.so.1.0.7: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.

[FIXED RHEL9 BUILD, no "compiled without -fstack-protector-strong" error]

rm -rf *.rpm usr/ *.rpm.1
wget http://download.eng.bos.redhat.com/brewroot/work/tasks/603/42930603/qatzip{,-libs}-1.0.7-1.el9.x86_64.rpm
rpm2cpio < qatzip-1.0.7-1.el9.x86_64.rpm | cpio -icdumv
rpm2cpio < qatzip-libs-1.0.7-1.el9.x86_64.rpm | cpio -icdumv
annocheck usr/

annocheck: Version 9.27.
Hardened: qzip: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: qzip: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.
Hardened: libqatzip.so.1.0.7: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: libqatzip.so.1.0.7: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.
Comment 6 Vladislav Dronov 2022-02-10 13:40:12 UTC 
this build issue required qatzip rebuild. the new build is:

[CI] [GATING] [DONE] qatzip-1.0.7-1.el9 passed gating because all required tests passed

C9S build: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=946815
RHEL9 Task: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=42930591
RHEL9 Build: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1881651
CI Dashboard: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/42930591
Comment 14 errata-xmlrpc 2022-05-17 13:10:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: qatzip), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2468