[Bug 2012440] [NEW] Please add -D_FORTIFY_SOURCE=3 to default build flags

Mark Esler 2012440 at bugs.launchpad.net
Tue Mar 21 23:45:17 UTC 2023 

Public bug reported:

Please use "-D_FORTIFY_SOURCE=3" in GCC 12 instead of
"-D_FORTIFY_SOURCE=2".

_FORITFY_SOURCE mitigates buffer overflows and is currently used in
Ubuntu with _FORTIFY_SOURCE=2 [0]. The newer option is better at buffer
size detection and has greater coverage [1]. When Fedora 28 upgraded
from _FORTIFY_SOURCE=2 to _FORTIFY_SOURCE=3, they found mitigation
coverage increased 240% on average [2]. Other distros also build with
_FORTIFY_SOURCE=3 as a default hardening flag [3][4].

[0] https://wiki.ubuntu.com/ToolChain/CompilerFlags#A-D_FORTIFY_SOURCE.3D2
[1] https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level
[2] https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags#Benefit_to_Fedora
[3] https://bugs.gentoo.org/876895
[4] https://en.opensuse.org/openSUSE:Security_Features

** Affects: gcc-12 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: sec-1859

** Tags added: sec-1859

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-12 in Ubuntu.
https://bugs.launchpad.net/bugs/2012440

Title:
  Please add -D_FORTIFY_SOURCE=3 to default build flags

Status in gcc-12 package in Ubuntu:
  New

Bug description:
  Please use "-D_FORTIFY_SOURCE=3" in GCC 12 instead of
  "-D_FORTIFY_SOURCE=2".

  _FORITFY_SOURCE mitigates buffer overflows and is currently used in
  Ubuntu with _FORTIFY_SOURCE=2 [0]. The newer option is better at
  buffer size detection and has greater coverage [1]. When Fedora 28
  upgraded from _FORTIFY_SOURCE=2 to _FORTIFY_SOURCE=3, they found
  mitigation coverage increased 240% on average [2]. Other distros also
  build with _FORTIFY_SOURCE=3 as a default hardening flag [3][4].

  [0] https://wiki.ubuntu.com/ToolChain/CompilerFlags#A-D_FORTIFY_SOURCE.3D2
  [1] https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level
  [2] https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags#Benefit_to_Fedora
  [3] https://bugs.gentoo.org/876895
  [4] https://en.opensuse.org/openSUSE:Security_Features

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-12/+bug/2012440/+subscriptions

More information about the foundations-bugs mailing list