442107 – Squid not built using fortify source

Bug 442107 - Squid not built using fortify source

Summary: Squid not built using fortify source

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	squid
Sub Component:
Version:	4.6
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Nagy
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-04-11 19:10 UTC by Martin Nagy
Modified:	2016-07-26 23:46 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-06-09 08:37:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Martin Nagy 2008-04-11 19:10:07 UTC

Description of problem:
Squid is not built with %{optflags} and therefore lacks -D_FORTIFY_SOURCE=2 and
-O2 flags. With these flags, squid will be more secure when processing untrusted
input (which it does a lot).

Version-Release number of selected component (if applicable):
squid-2.5.STABLE14-4.el4

How reproducible:
See build logs.

Actual results:
no -D_FORTIFY_SOURCE=2 flag used with gcc

Expected results:
-D_FORTIFY_SOURCE=2 flag used with gcc

Comment 1 Martin Nagy 2008-06-05 12:12:49 UTC

I'm starting to rethink this. It actually could be dangerous to do this. If
there are any bugs in squid that are "invisible" in the sense that they do not
do any damage, it could cause squid to crash.

Note You need to log in before you can comment on or make changes to this bug.