[Bug 2078244] Re: ceph: Does not respect compiler flags for Python extensions

Launchpad Bug Tracker 2078244 at bugs.launchpad.net
Wed Dec 10 21:03:28 UTC 2025 

This bug was fixed in the package ceph - 19.2.3-0ubuntu0.24.04.1

---------------
ceph (19.2.3-0ubuntu0.24.04.1) noble; urgency=medium

  [ Luciano Lo Giudice ]
  * New upstream stable release (LP: #2119024)
  * d/control: Update dependencies.
  * d/rules: Enable LTTNG.
  * d/p/pyo3-fix.patch: Fix issues with PyO3.
  * d/p/CVE-2024-48916.patch: Removed, no longer needed.
  * d/p/patch-out-libnbd.patch: build without libnbd.
  * d/clean: Add btrfs and dashboard removals.
  * d/source/lintian-overrides: Fixup changed directory.
  * Backported from resolute to noble. Differences:
  * d/p/questing-boost-fix.patch: Removed, not needed on noble.
  * d/p/py313-compat/*.patch: Removed, not needed on noble.

  [ Graham Inggs ]
  * d/p/pass-build-flags.patch: Pass buildflags to Python extensions
    (LP: #2078244).

 -- Luciano Lo Giudice <luciano.logiudice at canonical.com>  Wed, 29 Oct
2025 22:09:45 +0000

** Changed in: ceph (Ubuntu Noble)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.org/CVERecord?id=CVE-2024-48916

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ceph in Ubuntu.
https://bugs.launchpad.net/bugs/2078244

Title:
   ceph: Does not respect compiler flags for Python extensions

Status in ceph package in Ubuntu:
  Fix Released
Status in ceph source package in Noble:
  Fix Released
Status in ceph source package in Oracular:
  Fix Released

Bug description:
  [Impact]

  Ceph packaging does not respect compiler flags when building Python
  extensions, notably hardening flags like the stack protector, as well
  as frame-pointer.

  They were enabled and present in focal, but lost somewhere after
  impish. Jammy is missing them, and noble is too.

  If we look at the buildlog for 19.2.1-0ubuntu0.24.04.2 on noble amd64,
  we see CFLAGS="".

  [ 76%] Generating ../../../lib/cython_modules/lib.3/cephfs.cpython-312-x86_64-linux-gnu.so
  cd /<<PKGBUILDDIR>>/src/pybind/cephfs && env CC="/usr/bin/cc" CFLAGS="" CPPFLAGS="-iquote/<<PKGBUILDDIR>>/src/include -w -D'void0=dead_function(void)' -D'__Pyx_check_single_interpreter(ARG)=ARG##0'" CXX="/usr/bin/c++" LDSHARED="/usr/bin/cc -shared" OPT="-DNDEBUG -g -fwrapv -O2 -w" LDFLAGS=-L/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib CYTHON_BUILD_DIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/src/pybind/cephfs CEPH_LIBDIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib /usr/bin/python3.12 /<<PKGBUILDDIR>>/src/pybind/cephfs/setup.py build --build-base /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules --build-platlib /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules/lib.3

  This should be fixed to include the standard Ubuntu defined hardening
  CFLAGS.

  [Testcase]

  Check the buildlog for CFLAGS on "cython_modules" binaries.

  There are test packages available in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/lp2119024-updates

  If you check the build log for noble amd64, you should see:

  [ 77%] Generating ../../../lib/cython_modules/lib.3/cephfs.cpython-312-x86_64-linux-gnu.so
  cd /<<PKGBUILDDIR>>/src/pybind/cephfs && env CC="/usr/bin/cc" CFLAGS=""\ -g\ -O2\ -fno-omit-frame-pointer\ -mno-omit-leaf-frame-pointer\ -ffile-prefix-map=/<<PKGBUILDDIR>>=.\ -fstack-protector-strong\ -fstack-clash-protection\ -Wformat\ -Werror=format-security\ -fcf-protection\ -fdebug-prefix-map=/<<PKGBUILDDIR>>=/usr/src/ceph-19.2.3-0ubuntu0.24.04.1~lp2119024v20251106b1\ -Wdate-time\ -D_FORTIFY_SOURCE=3 CPPFLAGS="-iquote/<<PKGBUILDDIR>>/src/include -w -D'void0=dead_function(void)' -D'__Pyx_check_single_interpreter(ARG)=ARG##0'" CXX="/usr/bin/c++" LDSHARED="/usr/bin/cc -shared" OPT="-DNDEBUG -g -fwrapv -O2 -w" LDFLAGS=-L/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib\ \ -Wl,-Bsymbolic-functions\ -Wl,-z,relro\ -Wl,-z,now\ -Wl,--as-needed\ -latomic CYTHON_BUILD_DIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/src/pybind/cephfs CEPH_LIBDIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib /usr/bin/python3.12 /<<PKGBUILDDIR>>/src/pybind/cephfs/setup.py build --build-base /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules --build-platlib /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules/lib.3

  Where all CFLAGS are present.

  [Where problems can occur]

  We are enabling compiler hardening flags which tighten up execution
  and security requirements as expected of any package in the Ubuntu
  archive.

  This could potentially lead to these compiled python libraries
  segmentation faulting if they happen to rely on faulty behaviour of
  exceeding the stack boundary and overwriting the newly placed stack
  canaries.

  Ideally, all python modules should be exercised before release, but in
  general, a certification pass of the ceph point release verification
  should be enough to smoke test these modules.

  [Other info]

  Gentoo commit:
  https://github.com/gentoo/gentoo/commit/c588d0c55a2facb7b98331abf3ccb2439cc34286

  Gentoo bugs:
  https://bugs.gentoo.org/866159
  https://bugs.gentoo.org/866161

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/2078244/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list