[Bug 2012440] Re: Please add -D_FORTIFY_SOURCE=3 to default build flags
Mark Esler
2012440 at bugs.launchpad.net
Sat Dec 16 21:17:08 UTC 2023
Thank you Doko \o/
** No longer affects: gcc-12 (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-13 in Ubuntu.
https://bugs.launchpad.net/bugs/2012440
Title:
Please add -D_FORTIFY_SOURCE=3 to default build flags
Status in gcc-13 package in Ubuntu:
Fix Released
Bug description:
Please use "-D_FORTIFY_SOURCE=3" in GCC 12 and 13 instead of
"-D_FORTIFY_SOURCE=2".
_FORTIFY_SOURCE mitigates buffer overflows and is currently used in
Ubuntu with _FORTIFY_SOURCE=2 [0]. This newer option is better at
buffer size detection and has greater coverage [1]. When Fedora
assessed changing _FORTIFY_SOURCE=2 to _FORTIFY_SOURCE=3, they found
mitigation coverage increased 240% on average [2]. This is a default
build flag in Gentoo Hardened (2022), Fedora (2023), OpenSUSE (2023),
and has been approved to be enabled in Arch (2023) [3]. There is no
real-world performance difference between _FORTIFY_SOURCE=2 and
_FORTIFY_SOURCE=3 [4].
[0] https://wiki.ubuntu.com/ToolChain/CompilerFlags#A-D_FORTIFY_SOURCE.3D2
[1] https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level
[2] https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags
[3] https://github.com/jvoisin/compiler-flags-distro
[4] https://gotplt.org/posts/fortify-source-3-performance.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-13/+bug/2012440/+subscriptions