Please add -D_FORTIFY_SOURCE=3 to default build flags
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gcc-13 (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
Please use "-D_FORTIFY_
_FORTIFY_SOURCE mitigates buffer overflows and is currently used in Ubuntu with _FORTIFY_SOURCE=2 [0]. This newer option is better at buffer size detection and has greater coverage [1]. When Fedora assessed changing _FORTIFY_SOURCE=2 to _FORTIFY_SOURCE=3, they found mitigation coverage increased 240% on average [2]. This is a default build flag in Gentoo Hardened (2022), Fedora (2023), OpenSUSE (2023), and has been approved to be enabled in Arch (2023) [3]. There is no real-world performance difference between _FORTIFY_SOURCE=2 and _FORTIFY_SOURCE=3 [4].
[0] https:/
[1] https:/
[2] https:/
[3] https:/
[4] https:/
tags: added: sec-1859
Changed in gcc-12 (Ubuntu): importance: Undecided → High
Changed in gcc-13 (Ubuntu): importance: Undecided → High
description: updated
_FORTIFY_SOURCE=3 breaks code which uses malloc_usable_size in an unsafe way [0][1][2]. A glibc dev commented that systemd was the only known affected package [3].
[0] https://sourceware.org/pipermail/libc-alpha/2022-November/143599.html
[1] https://github.com/systemd/systemd/issues/22801
[2] https://manpages.ubuntu.com/manpages/lunar/en/man3/malloc_usable_size.3.html
[3] https://github.com/systemd/systemd/issues/22801#issuecomment-1344402212
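
The unsafe malloc_usable_size pattern mentioned in the comment above, next to a form that stays valid under _FORTIFY_SOURCE=3, as an added example that is not code from this bug, systemd or glibc. The function names and the 5-byte sample size are constructed for illustration, and glibc's <malloc.h> plus a toolchain that supports level 3 are assumed.

```c
#include <malloc.h> /* malloc_usable_size(), glibc-specific */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unsafe pattern (hypothetical helper): request n bytes, then write into the
 * allocator's slack. Built with -O2 -D_FORTIFY_SOURCE=3, memset() is checked
 * against the requested size n, so the process aborts whenever cap > n.
 * Level 2 only checks sizes known at compile time and lets this through. */
char *zeroed_unsafe(size_t n, size_t *cap_out)
{
    char *p = malloc(n);
    if (p == NULL) return NULL;
    size_t cap = malloc_usable_size(p); /* may exceed n */
    memset(p, 0, cap);                  /* writes past the n bytes requested */
    *cap_out = cap;
    return p;
}

/* Compatible pattern (hypothetical helper): realloc() to the usable size
 * before using it, so the size requested matches the size written. */
char *zeroed_safe(size_t n, size_t *cap_out)
{
    char *p = malloc(n);
    if (p == NULL) return NULL;
    size_t cap = malloc_usable_size(p);
    if (cap > n) {                      /* claim the slack explicitly */
        char *q = realloc(p, cap);
        if (q == NULL) {                /* p is still valid on failure */
            free(p);
            return NULL;
        }
        p = q;
    }
    memset(p, 0, cap);
    *cap_out = cap;
    return p;
}

int main(void)
{
    size_t cap = 0;
    char *buf = zeroed_safe(5, &cap);   /* 5 is a constructed sample size */
    if (buf == NULL) return 1;
    printf("requested 5 bytes, %zu usable after realloc\n", cap);
    free(buf);
    return 0;
}
```

zeroed_unsafe is shown for comparison only and is not called from main, since a build with level 3 enabled terminates on its memset.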