RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2044889 - annocheck FAIL: stack-prot test (qatzip)
Summary: annocheck FAIL: stack-prot test (qatzip)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: qatzip
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Vladis Dronov
QA Contact: Vilém Maršík
URL:
Whiteboard:
Depends On:
Blocks: 2044387
TreeView+ depends on / blocked
 
Reported: 2022-01-25 10:35 UTC by Rui Ormonde
Modified: 2022-07-17 13:02 UTC (History)
3 users (show)

Fixed In Version: qatzip-1.0.7-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 13:10:09 UTC
Type: ---
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-109540 0 None None None 2022-01-25 10:42:53 UTC
Red Hat Product Errata RHBA-2022:2468 0 None None None 2022-05-17 13:10:17 UTC

Description Rui Ormonde 2022-01-25 10:35:46 UTC 
Failed test: stack-prot test

Test results:
\n Hardened: qzip: FAIL: stack-prot test because insufficient protection enabled

Applicable RPMs:
qatzip-1.0.6-5.el9.x86_64.rpm; qatzip-libs-1.0.6-5.el9.x86_64.rpm

Recommendation: Please fix the build system for the package or else add a skip of tests to the rpminspect.yaml file. For more details please see https://sourceware.org/annobin/annobin.html/Test-stack-prot.html and https://sourceware.org/annobin/annobin.html/Waiving-Hardened-Results.html#Waiving-Hardened-Results.

Why this bug was filed: All packages in RHEL 9 built with gcc (g++, etc.) are required to use a common set of flags provided by the distribution. These flags turn on important security and performance features so it is critical that any package that lacks these flags be repaired. A scanning tool named annocheck, part of the annobin package, was used to scan RHEL 9 packages. This BZ was created because binary packages of this component with the mentioned NVRs were not built with the requisite flags for one or more RHEL 9 architectures.

How to reproduce the failure: You could try running annocheck locally against your builds: https://developers.redhat.com/blog/2019/02/04/annocheck-examining-the-contents-of-binary-files.

Annocheck resources:
* annobin documentation: https://sourceware.org/annobin/annobin.html/index.html
* annocheck on the customer portal: https://access.redhat.com/documentation/en-us/red_hat_developer_toolset/9/html/user_guide/chap-annobin

Contacts:
* Instant messaging: #tools on IRC
* Email: use tools for generic questions. Otherwise, use go-tools and llvm-clang-list for Go and Clang/LLVM specific questions.
* annobin-annocheck maintainer: Nick Clifton (nickc)
Comment 4 Vladis Dronov 2022-02-10 13:05:20 UTC 
the test action plan: just run the annocheck test and ensure '-fstack-protector-strong' error is missing. the other annocheck warnings can be ignored here.

[OLDER VERSION WITH THE ERROR]

mkdir qatzip-stack-prot
cd qatzip-stack-prot/
wget http://download.eng.brq.redhat.com/rhel-9/nightly/RHEL-9/latest-RHEL-9/compose/AppStream/x86_64/os/Packages/qatzip{,-libs}-1.0.6-5.el9.x86_64.rpm
rpm2cpio < qatzip-1.0.6-5.el9.x86_64.rpm | cpio -icdumv
rpm2cpio < qatzip-libs-1.0.6-5.el9.x86_64.rpm | cpio -icdumv
annocheck usr/


annocheck: Version 9.27.
Hardened: qzip: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: qzip: FAIL: The binary was compiled without -fstack-protector-strong.    <<< THIS
Hardened: qzip: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.
Hardened: libqatzip.so.1.0.6: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: libqatzip.so.1.0.6: MAYB: The -fstack-protector setting was not recorded.    <<< THIS
Hardened: libqatzip.so.1.0.6: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.

[FIXED C9S BUILD, no "compiled without -fstack-protector-strong" error]

rm -rf *.rpm usr/ *.rpm.1
wget https://kojihub.stream.rdu2.redhat.com/kojifiles/work/tasks/6817/946817/qatzip{,-libs}-1.0.7-1.el9.x86_64.rpm
rpm2cpio < qatzip-1.0.7-1.el9.x86_64.rpm | cpio -icdumv
rpm2cpio < qatzip-libs-1.0.7-1.el9.x86_64.rpm | cpio -icdumv
annocheck usr/


annocheck: Version 9.27.
Hardened: qzip: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: qzip: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.
Hardened: libqatzip.so.1.0.7: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: libqatzip.so.1.0.7: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.

[FIXED RHEL9 BUILD, no "compiled without -fstack-protector-strong" error]

rm -rf *.rpm usr/ *.rpm.1
wget http://download.eng.bos.redhat.com/brewroot/work/tasks/603/42930603/qatzip{,-libs}-1.0.7-1.el9.x86_64.rpm
rpm2cpio < qatzip-1.0.7-1.el9.x86_64.rpm | cpio -icdumv
rpm2cpio < qatzip-libs-1.0.7-1.el9.x86_64.rpm | cpio -icdumv
annocheck usr/

annocheck: Version 9.27.
Hardened: qzip: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: qzip: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.
Hardened: libqatzip.so.1.0.7: FAIL: The binary was compiled without -DFORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: libqatzip.so.1.0.7: FAIL: Compiled without using either the -Wall or -Wformat-security options. Run with -v to see where.
Comment 6 Vladis Dronov 2022-02-10 13:40:12 UTC 
this build issue required qatzip rebuild. the new build is:

[CI] [GATING] [DONE] qatzip-1.0.7-1.el9 passed gating because all required tests passed

C9S build: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=946815
RHEL9 Task: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=42930591
RHEL9 Build: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1881651
CI Dashboard: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/42930591
Comment 14 errata-xmlrpc 2022-05-17 13:10:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: qatzip), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2468
Note You need to log in before you can comment on or make changes to this bug.