[Bug 2012440] Re: Please add -D_FORTIFY_SOURCE=3 to default build flags

Mark Esler 2012440 at bugs.launchpad.net
Mon Sep 18 07:18:15 UTC 2023


** Also affects: gcc-13 (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: gcc-13 (Ubuntu)
   Importance: Undecided => High

** Description changed:

- Please use "-D_FORTIFY_SOURCE=3" in GCC 12 instead of
+ Please use "-D_FORTIFY_SOURCE=3" in GCC 12 and 13 instead of
  "-D_FORTIFY_SOURCE=2".
  
  _FORTIFY_SOURCE mitigates buffer overflows and is currently used in
  Ubuntu with _FORTIFY_SOURCE=2 [0]. The newer option is better at buffer
  size detection and has greater coverage [1]. When Fedora 28 upgraded
  from _FORTIFY_SOURCE=2 to _FORTIFY_SOURCE=3, they found mitigation
  coverage increased 240% on average [2]. Other distros also build with
  _FORTIFY_SOURCE=3 as a default hardening flag [3][4].
  
  [0] https://wiki.ubuntu.com/ToolChain/CompilerFlags#A-D_FORTIFY_SOURCE.3D2
  [1] https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level
  [2] https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags#Benefit_to_Fedora
  [3] https://bugs.gentoo.org/876895
  [4] https://en.opensuse.org/openSUSE:Security_Features

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-13 in Ubuntu.
https://bugs.launchpad.net/bugs/2012440

Title:
  Please add -D_FORTIFY_SOURCE=3 to default build flags

Status in gcc-12 package in Ubuntu:
  New
Status in gcc-13 package in Ubuntu:
  New


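The mechanism behind the coverage difference the report cites, as an added example that is not part of the bug report or of the GCC/glibc sources: at level 2 glibc's fortified wrappers size the destination with `__builtin_object_size()`, which only knows sizes fixed at compile time, while level 3 switches to `__builtin_dynamic_object_size()`, which can also follow a heap buffer whose size is a run-time value. `CHECKED_COPY`, `checked_copy_impl`, `heap_copy_level2`, `heap_copy_level3` and `stack_copy_level2` are hypothetical names for this demo; the real wrapper aborts through `__chk_fail()` where this one returns a status, and when the size is unknown the real wrapper copies blind where this one skips the copy so the demo never corrupts memory. Object-size tracking needs the optimizer, so build with `-O2` to see the difference (at `-O0` every case reports "unchecked").

```c
/* Added example, not code from the Launchpad bug or from GCC/glibc.
 * Models why _FORTIFY_SOURCE=3 covers more buffers than level 2:
 * level 2 sizes the destination with __builtin_object_size() (compile-time
 * sizes only), level 3 with __builtin_dynamic_object_size() (run-time
 * sizes too). CHECKED_COPY / checked_copy_impl are a hypothetical stand-in
 * for glibc's fortified memcpy wrapper that returns a status instead of
 * aborting. Build with -O2; object-size tracking is off at -O0. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum copy_result {
    COPY_OK = 0,        /* size known, copy fits, copied */
    COPY_REFUSED = 1,   /* size known, copy too long: real fortify aborts here */
    COPY_UNCHECKED = 2  /* size unknown: real fortify copies blind; demo skips */
};

#define LEVEL2_SIZE(p) __builtin_object_size((p), 0)

#if defined(__has_builtin)
#  if __has_builtin(__builtin_dynamic_object_size)
#    define LEVEL3_SIZE(p) __builtin_dynamic_object_size((p), 0)
#  endif
#endif
#ifndef LEVEL3_SIZE
/* Compiler without the dynamic builtin: the "level 3" case then degrades to
 * level-2 behaviour instead of failing to build. */
#  define LEVEL3_SIZE(p) __builtin_object_size((p), 0)
#endif

/* Constructed source data; callers keep n <= sizeof src. */
static const char src[128] = "constructed sample payload";

static int checked_copy_impl(void *dst, size_t dst_size, const void *from, size_t n)
{
    if (dst_size == (size_t)-1)     /* mode 0 reports "unknown" as SIZE_MAX */
        return COPY_UNCHECKED;
    if (n > dst_size)
        return COPY_REFUSED;
    memcpy(dst, from, n);
    return COPY_OK;
}

/* The size builtin must be evaluated where the allocation is visible, as the
 * always_inline glibc wrappers do, hence a macro at the call site. */
#define CHECKED_COPY(SIZE_OF, dst, n) \
    checked_copy_impl((dst), SIZE_OF(dst), src, (n))

/* noinline keeps bufsize a run-time value even when the caller passes a literal. */
__attribute__((noinline)) int heap_copy_level2(size_t bufsize, size_t n)
{
    char *buf = malloc(bufsize);
    if (!buf)
        return -1;
    int r = CHECKED_COPY(LEVEL2_SIZE, buf, n);
    free(buf);
    return r;
}

__attribute__((noinline)) int heap_copy_level3(size_t bufsize, size_t n)
{
    char *buf = malloc(bufsize);
    if (!buf)
        return -1;
    int r = CHECKED_COPY(LEVEL3_SIZE, buf, n);
    free(buf);
    return r;
}

/* Fixed-size stack buffer: a compile-time constant, so even the level-2
 * builtin sees it. This is the case both levels already cover. */
__attribute__((noinline)) int stack_copy_level2(size_t n)
{
    char buf[16];
    return CHECKED_COPY(LEVEL2_SIZE, buf, n);
}

static const char *describe(int r)
{
    switch (r) {
    case COPY_OK:        return "ok";
    case COPY_REFUSED:   return "refused (overflow caught)";
    case COPY_UNCHECKED: return "unchecked (size unknown to compiler)";
    default:             return "error";
    }
}

int main(void)
{
    volatile size_t bufsize = 16, n = 32;   /* 32 bytes into a 16-byte buffer */
    printf("stack[16], level 2: %s\n", describe(stack_copy_level2(n)));
    printf("heap(16),  level 2: %s\n", describe(heap_copy_level2(bufsize, n)));
    printf("heap(16),  level 3: %s\n", describe(heap_copy_level3(bufsize, n)));
    return 0;
}
```

With GCC 12 or newer at `-O2`, the stack case is refused at level 2, the heap case is unchecked at level 2 and refused at level 3; that last row is the class of buffers the report's 240% coverage figure is about. Pass the sizes through `volatile` or from `argv` when experimenting, otherwise constant propagation can let the level-2 builtin see a literal `malloc(16)` and blur the comparison.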