[Bug 2012440] Re: Please add -D_FORTIFY_SOURCE=3 to default build flags

Launchpad Bug Tracker 2012440 at bugs.launchpad.net
Sat Dec 16 15:31:23 UTC 2023


This bug was fixed in the package gcc-13 - 13.2.0-9ubuntu1

---------------
gcc-13 (13.2.0-9ubuntu1) noble; urgency=medium

  * Merge with Debian; remaining changes:
    - Build from upstream sources.

gcc-13 (13.2.0-9) unstable; urgency=medium

  * Update to git 20231214 from the gcc-13 branch.
    - Fix PR target/112891 (x86), PR target/112845 (x86),
      PR target/112837 (x86), PR target/112816 (x86), PR target/111408 (x86),
      PR tree-optimization/111967, PR c/112339, PR c++/110106, PR c++/112410,
      PR c++/109876, PR c++/112795, PR fortran/93762, PR fortran/100651,
      PR libgomp/111413, PR libstdc++/111826, PR libstdc++/111948,
      PR libstdc++/112480, PR libstdc++/112473, PR libstdc++/112832,
      PR libstdc++/110133.
  * Backport libiberty: Use x86 HW optimized sha1 and followup patch,
    needed for the combined build.
  * Use DEB_BUILD_OPTIONS='... gcc-ice=nodump' for turning off dumping
    the preprocessed source to stdout. Closes: #1057635.
  * Set DEB_BUILD_OPTIONS='... gcc-ice=nodump' when running the testsuite.
  * Default to pie on loong64. Closes: #1057433.
  * For Ubuntu 24.04 LTS and later, switch _FORTIFY_SOURCE to 3 by default
    instead of 2 when optimization is enabled. LP: #2012440.

 -- Matthias Klose <doko at ubuntu.com>  Thu, 14 Dec 2023 20:00:20 +0100

** Changed in: gcc-13 (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-13 in Ubuntu.
https://bugs.launchpad.net/bugs/2012440

Title:
  Please add -D_FORTIFY_SOURCE=3 to default build flags

Status in gcc-12 package in Ubuntu:
  New
Status in gcc-13 package in Ubuntu:
  Fix Released

Bug description:
  Please use "-D_FORTIFY_SOURCE=3" in GCC 12 and 13 instead of
  "-D_FORTIFY_SOURCE=2".

  _FORTIFY_SOURCE mitigates buffer overflows and is currently used in
  Ubuntu with _FORTIFY_SOURCE=2 [0]. This newer option is better at
  buffer size detection and has greater coverage [1]. When Fedora
  assessed changing _FORTIFY_SOURCE=2 to _FORTIFY_SOURCE=3, they found
  mitigation coverage increased 240% on average [2]. This is a default
  build flag in Gentoo Hardened (2022), Fedora (2023), OpenSUSE (2023),
  and has been approved to be enabled in Arch (2023) [3]. There is no
  real-world performance difference between _FORTIFY_SOURCE=2 and
  _FORTIFY_SOURCE=3 [4].

  [0] https://wiki.ubuntu.com/ToolChain/CompilerFlags#A-D_FORTIFY_SOURCE.3D2
  [1] https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level
  [2] https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags
  [3] https://github.com/jvoisin/compiler-flags-distro
  [4] https://gotplt.org/posts/fortify-source-3-performance.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-12/+bug/2012440/+subscriptions
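
Added example, not part of the bug report or of the gcc/glibc sources: the description says level 3 is "better at buffer size detection", and this C program shows where the difference comes from. It assumes glibc's fortify wrappers, which take the destination size from __builtin_object_size() at level 2 and from __builtin_dynamic_object_size() at level 3; heap_sizes(), would_trap() and the 24/32-byte values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define UNKNOWN ((size_t)-1)   /* both builtins return this for "size not known" */

#if defined(__has_builtin)
# if __has_builtin(__builtin_dynamic_object_size)   /* GCC >= 12, Clang >= 9 */
#  define HAVE_DYNAMIC_OBJSZ 1
# endif
#endif

struct sizes { size_t level2, level3; };

/* Size of a heap buffer as each fortify level sees it.
 * The volatile copy keeps n a run-time value even if the caller passes a constant. */
struct sizes heap_sizes(size_t n)
{
    volatile size_t runtime_n = n;
    struct sizes s;
    char *buf = malloc(runtime_n);

    s.level2 = __builtin_object_size(buf, 0);          /* compile-time constant only */
#ifdef HAVE_DYNAMIC_OBJSZ
    s.level3 = __builtin_dynamic_object_size(buf, 0);  /* may be a run-time expression */
#else
    s.level3 = UNKNOWN;                                /* older compiler: no level 3 data */
#endif
    free(buf);
    return s;
}

/* Simplified model of a fortified memcpy(): abort only if the size is known and exceeded. */
int would_trap(size_t dst_size, size_t len)
{
    return dst_size != UNKNOWN && len > dst_size;
}

int main(void)
{
    struct sizes s = heap_sizes(24);   /* constructed case: 24-byte buffer, 32-byte copy */
    printf("level 2 sees %td bytes, would trap a 32-byte copy: %d\n",
           (ptrdiff_t)s.level2, would_trap(s.level2, 32));
    printf("level 3 sees %td bytes, would trap a 32-byte copy: %d\n",
           (ptrdiff_t)s.level3, would_trap(s.level3, 32));
    return 0;
}
```

Built with gcc -O2 (GCC 12 or later), level 3 sees the 24-byte allocation while level 2 sees an unknown size (-1) and so cannot check the copy. At -O0 both builtins report unknown, which is why fortification only takes effect when optimization is enabled.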



