Format Security
Summary
Enable "-Werror=format-security" compilation flag for all packages in Fedora. Once this flag is enabled, GCC will refuse to compile code that could be vulnerable to a string format security flaw.
Owner
- Name: Dhiru Kholia
- Email: <dhiru.kholia@gmail.com>
- Release notes owner:
Current status
- Targeted release: Fedora 21
- Last updated: 2013-11-21
- Tracker bug: #1078901
Detailed Description
Once "-Werror=format-security" is enabled, GCC will refuse to compile code that could be vulnerable to a string format security flaw. For more details, please see this FESCo ticket.
Enabling this option eliminates an entire class of security issues! To further understand why it is important to fix such bugs, please see Format-Security-FAQ page.
Implementing this change requires a single line change to be made to the /usr/lib/rpm/redhat/macros file (part of redhat-rpm-config package). My patch to do this can be found at https://bitbucket.org/dhiru/redhat-rpm-config/branch/strict-format URL.
Benefit to Fedora
Format string vulnerabilities are (unfortunately) still common. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661548 URL for an recent example. In short, such proactive hardening action caused a FTBFS (in this very particular case) and further investigations found out that this package had a security vulnerability (CVE-2012-1152).
By enabling "-Werror=format-security" compilation flag Fedora can eliminates an entire class of security issues! (such elimination of a class of vulnerabilities doesn't happen very often).
I believe that this work is important and will benefit everyone (including upstream and other distributions).
Scope
- Proposal owners: Currently, around 400 packages FTBFS if this flag is enabled. We need to file bugs and also try solving these FTBFS issues.
- Other developers: Currently, around 400 packages FTBFS if this flag is enabled. A list of packages which FTBFS is available at http://people.fedoraproject.org/~halfie/rebuild-logs.txt URL. The fix for these errors is quite simple (in most cases). It's a matter of changing a line like, printf(foo), to read printf("%s", foo), instead. That's it. More details are available on Format-Security-FAQ. Additionally, we highly encourage owners (of the affected packages) to work with upstream.
- Release engineering: A mass build is required.
- Policies and guidelines: N/A
Upgrade/compatibility impact
N/A
How To Test
0. No special harware is required to fix these FTBFS issues.
1. To reproduce the FTBFS issues, you can use a modified "redhat-rpm-config" package from http://people.fedoraproject.org/~halfie/artifacts/redhat-rpm-config/ URL.
2. Rebuild affected package(s) and it / they should FTBFS.
User Experience
N/A (no user visible change)
Dependencies
N/A
Contingency Plan
- Contingency mechanism: Revert changes to "redhat-rpm-config" package and do a mass build.
- Contingency deadline: beta freeze
- Blocks release? No
Documentation
https://fedoraproject.org/wiki/Format-Security-FAQ
https://fedorahosted.org/fesco/ticket/1185
https://lists.fedoraproject.org/pipermail/devel/2013-November/192281.html
Release Notes
N/A (no user visible changes)