3.6% of heads up: Please correct your #includes or optflags use

Lubomir Kundrak lkundrak at redhat.com
Thu Mar 20 13:52:40 UTC 2008


Hi all,

In order for FORTIFY_SOURCE [1] to take effect there are two
requirements: 1.) use the correct optflags as defined by the guidelines [2],
and 2.) include the header files when using functions that can potentially be
fortified by being replaced with macros.

[1] http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
[2] http://fedoraproject.org/wiki/Packaging/Guidelines#head-8b14098227aebff1cf6188939e9d0877295ac448

The second problem is not specifically FORTIFY_SOURCE related; you
should really include the respective headers, as many routines can really be
macros, such as open(). POSIX allows this iirc.

Now -- your action is needed. Please look at the list [3] to see if your
package passed a simple test [4]:

[3] http://people.redhat.com/lkundrak/check-fortify/
[4] https://bugzilla.redhat.com/attachment.cgi?id=298147

If not, do the following:

1.) See [5] for a rough explanation of the problem and what you can do
about it

2.) Search the build.log from your latest build for calls of "gcc"
without the typical optflags (look for -D_FORTIFY_SOURCE=2). If you
see those, you are not passing the compiler flags correctly. Examples: [6] [7]

3.) If you see warnings about implicit declarations of functions in
build.log, the application omitted some header files.

If you have more time, try to rebuild your package with
"-Werror-implicit-function-declaration" added to %optflags in your
~/.rpmmacros to see if you rely on implicit declarations where you
should include the header files with macros and/or prototypes instead.

[5] http://ovecka.be/~lkundrak/blog/entries/fortify-check.html
[6] http://koji.fedoraproject.org/packages/hal-cups-utils/0.6.15/1.fc9/data/logs/i386/build.log
[7] http://koji.fedoraproject.org/packages/iptraf/3.0.1/3.fc9/data/logs/i386/build.log

Should you find any errors, or have comments or questions, don't
hesitate to mail me.

Thanks,
-- 
Lubomir Kundrak (Red Hat Security Response Team)
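Added example (not part of the message above, and not the test script at [4]): a small POSIX shell script that does steps 2.) and 3.) on a build.log offline. It flags compiler invocations that compile a source file without both an -O level and -D_FORTIFY_SOURCE=2 (fortification needs both; the Fedora optflags pass the define through the preprocessor as -Wp,-D_FORTIFY_SOURCE=2), and it lists every implicit-declaration warning. The sample build.log it writes is constructed for the demonstration, and the long optflags line in it is assumed to be the Fedora 9 era i386 set; function names (unfortified_compiles, implicit_declarations, write_sample_log) are the script's own.

```shell
#!/bin/sh
# Added example, not from the original post: check a build.log for the two
# FORTIFY_SOURCE failure modes described above. Run with one or more
# build.log paths, or with no arguments to scan a constructed sample.

# Compiler invocations that compile something (a "-c" argument or a C/C++
# source file on the command line) but lack either optimisation or
# -D_FORTIFY_SOURCE=2. Link-only lines are ignored: they do not compile code.
unfortified_compiles() {
    awk '{
        is_cc = 0; compiles = 0; opt = 0; fortify = 0
        for (i = 1; i <= NF; i++) {
            # plain "gcc", "/usr/bin/gcc", "i686-redhat-linux-gcc", g++ ...
            if ($i ~ /(^|\/|-)(gcc|cc|g\+\+|c\+\+)$/) is_cc = 1
            if ($i == "-c" || $i ~ /\.(c|cc|cpp|cxx)$/) compiles = 1
            if ($i ~ /^-O([1-9]|s|g)?$/) opt = 1          # -O0 does not fortify
            if ($i ~ /-D_FORTIFY_SOURCE=2($|,)/) fortify = 1 # bare or -Wp, form
        }
        if (is_cc && compiles && !(opt && fortify)) print
    }' "$1"
}

# A call to a function whose prototype was never seen cannot be fortified:
# the _chk macro lives in the header that was not included.
implicit_declarations() {
    grep 'implicit declaration of function' "$1" || :
}

count_unfortified() { unfortified_compiles "$1" | awk 'END { print NR }'; }
count_implicit()    { implicit_declarations "$1" | awk 'END { print NR }'; }

# Constructed sample build.log (assumed Fedora 9 i386 optflags): main.c and
# net.c get the full flags, util.c lost them (a Makefile overriding CFLAGS),
# debug.c has the define but no -O, and util.c calls open() without its header.
write_sample_log() {
    cat > "$1" <<'EOF'
gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -c -o main.o main.c
gcc -O2 -g -c -o util.o util.c
util.c:27: warning: implicit declaration of function 'open'
cc -g -Wp,-D_FORTIFY_SOURCE=2 -c -o debug.o debug.c
gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -c -o net.o net.c
gcc -o prog main.o util.o net.o debug.o
EOF
}

main() {
    tmp=
    if [ "$#" -eq 0 ]; then
        tmp=$(mktemp) || exit 1
        write_sample_log "$tmp"
        set -- "$tmp"
    fi
    for f in "$@"; do
        echo "== $f: compiles without -O and -D_FORTIFY_SOURCE=2"
        unfortified_compiles "$f"
        echo "== $f: implicit declarations (missing #include)"
        implicit_declarations "$f"
    done
    if [ -n "$tmp" ]; then rm -f "$tmp"; fi
}

main "$@"
```

On the sample it reports the util.c and debug.c invocations and the one open() warning. A hit in the first list means the spec or the Makefile drops %{optflags}; a hit in the second is a missing #include and is the case that a rebuild with -Werror-implicit-function-declaration turns into a hard failure. Lines echoed by configure tests can show up in the first list as well, so read the hits before filing anything.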
