[Bug 2076419] Re: lxml: Does not respect compiler flags
Julian Andres Klode
2076419 at bugs.launchpad.net
Wed Oct 2 15:02:31 UTC 2024
I have improved the test case now. I wasn't aware you can copy it back
from the rejected queue (or forgot), and I irregularly delete past
uploads, so that could have meant recreating it.
Most of the time, if a test plan is lacking a bit, the SRU gets accepted
with a note to add some missing bits to the test plan.
** Description changed:
[Impact]
The packaging does not respect compiler flags, notably hardening flags like the stack protector, as well as frame pointer, as it never uses dpkg-buildflags and is still old manual style.
This means there is a higher security risk, which given the nature of
the library seems ill-advised, and the lack of frame pointers hampers
profiling.
[Test plan]
Look at the build log and see that the build flags have been passed, notably stuff like
- -fno-strict-overflow -Wsign-compare -DNDEBUG -g -O2 -Wall -g -O2 -Werror=implicit-function-declaration -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=for
- mat-security -fcf-protection
+ -fno-strict-overflow
+ -Werror=implicit-function-declaration
+ -fno-omit-frame-pointer
+ -mno-omit-leaf-frame-pointer
+ -fstack-protector-strong
+ -fstack-clash-protection
+ -Wformat
+ -Werror=for
- Parse some xml and see that it works
+ Run https://gist.github.com/julian-
+ klode/85e55553f85c410a1b856a93dce77208 on the ELF binaries and ensure
+ that all lines have -fno-omit-frame-pointer
+
+
+ Run a smoke test to see the parser still works:
+
+ from lxml import etree
+ from urllib.request import urlopen
+
+ with urlopen("https://www.w3.org/TR/REC-xml/REC-xml-20081126.xml") as xml:
+ xml=xml.read()
+ tree=etree.fromstring(xml, base_url="https://www.w3.org/TR/REC-xml/REC-xml-20081126.xml")
+
+ for element in tree.iter():
+ print(element)
+
+ print(etree.tostring(tree))
+
[Where problems could occur]
Hardening flags could surface existing (possibly security) bugs that have been asymptomatic so far; frame pointers will incur some slow down.
** Description changed:
[Impact]
The packaging does not respect compiler flags, notably hardening flags like the stack protector, as well as frame pointer, as it never uses dpkg-buildflags and is still old manual style.
This means there is a higher security risk, which given the nature of
the library seems ill-advised, and the lack of frame pointers hampers
profiling.
[Test plan]
- Look at the build log and see that the build flags have been passed, notably stuff like
+ Skim at the build log and see that the build flags have been passed, notably stuff like
-fno-strict-overflow
-Werror=implicit-function-declaration
-fno-omit-frame-pointer
-mno-omit-leaf-frame-pointer
-fstack-protector-strong
- -fstack-clash-protection
- -Wformat
+ -fstack-clash-protection
+ -Wformat
-Werror=for
Run https://gist.github.com/julian-
klode/85e55553f85c410a1b856a93dce77208 on the ELF binaries and ensure
that all lines have -fno-omit-frame-pointer
-
Run a smoke test to see the parser still works:
from lxml import etree
from urllib.request import urlopen
with urlopen("https://www.w3.org/TR/REC-xml/REC-xml-20081126.xml") as xml:
- xml=xml.read()
+ xml=xml.read()
tree=etree.fromstring(xml, base_url="https://www.w3.org/TR/REC-xml/REC-xml-20081126.xml")
for element in tree.iter():
- print(element)
+ print(element)
print(etree.tostring(tree))
-
[Where problems could occur]
Hardening flags could surface existing (possibly security) bugs that have been asymptomatic so far; frame pointers will incur some slow down.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to lxml in Ubuntu.
https://bugs.launchpad.net/bugs/2076419
Title:
lxml: Does not respect compiler flags
Status in lxml package in Ubuntu:
Fix Committed
Status in lxml source package in Noble:
New
Bug description:
[Impact]
The packaging does not respect compiler flags, notably hardening flags like the stack protector, as well as frame pointer, as it never uses dpkg-buildflags and is still old manual style.
This means there is a higher security risk, which given the nature of
the library seems ill-advised, and the lack of frame pointers hampers
profiling.
[Test plan]
Skim at the build log and see that the build flags have been passed, notably stuff like
-fno-strict-overflow
-Werror=implicit-function-declaration
-fno-omit-frame-pointer
-mno-omit-leaf-frame-pointer
-fstack-protector-strong
-fstack-clash-protection
-Wformat
-Werror=for
Run https://gist.github.com/julian-
klode/85e55553f85c410a1b856a93dce77208 on the ELF binaries and ensure
that all lines have -fno-omit-frame-pointer
Run a smoke test to see the parser still works:
from lxml import etree
from urllib.request import urlopen
with urlopen("https://www.w3.org/TR/REC-xml/REC-xml-20081126.xml") as xml:
xml=xml.read()
tree=etree.fromstring(xml, base_url="https://www.w3.org/TR/REC-xml/REC-xml-20081126.xml")
for element in tree.iter():
print(element)
print(etree.tostring(tree))
[Where problems could occur]
Hardening flags could surface existing (possibly security) bugs that have been asymptomatic so far; frame pointers will incur some slow down.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxml/+bug/2076419/+subscriptions
More information about the foundations-bugs
mailing list