
Ponder building with `FORTIFY_SOURCE=3` when available

Open rgacogne opened this issue 3 years ago • 4 comments

  • Program: Authoritative, Recursor, dnsdist
  • Issue type: Feature request

Short description

An extra level of security, `_FORTIFY_SOURCE=3`, has been in the GNU C Library (glibc) since version 2.34, detecting more buffer overflows and bugs at runtime: https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level

It would be nice to add (optional?) support for it when available. It might be a while before it is supported in our CI and the target we build for, though.

rgacogne, Sep 19 '22 08:09
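What level 3 adds over level 2, as an added example that is not part of the original issue or of the PowerDNS code base: level 3 derives buffer bounds with `__builtin_dynamic_object_size`, which can report a runtime-sized allocation that `__builtin_object_size` leaves unknown. The function names are assumptions made for this sketch, and `checked_copy` is a hypothetical stand-in for the comparison a fortified `memcpy` performs (glibc aborts the process instead of returning -1).

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNKNOWN ((size_t)-1)   /* value the builtins return when no bound is known */

/* GCC 12 and recent Clang provide the builtin that level 3 relies on; probe for it. */
#if defined(__has_builtin)
# if __has_builtin(__builtin_dynamic_object_size)
#  define HAVE_DYNAMIC_OBJSZ 1
# endif
#endif

/* Levels 1 and 2: the bound has to be a compile-time constant. */
size_t bound_level2(size_t n) {
    char *p = malloc(n);
    size_t b = __builtin_object_size(p, 0);
    free(p);
    return b;
}

/* Level 3: the bound may be a runtime expression, here the malloc argument. */
size_t bound_level3(size_t n) {
    char *p = malloc(n);
#ifdef HAVE_DYNAMIC_OBJSZ
    size_t b = __builtin_dynamic_object_size(p, 0);
#else
    size_t b = UNKNOWN;        /* toolchain too old: same blind spot as level 2 */
#endif
    free(p);
    return b;
}

/* Hypothetical model of the fortified check: with an unknown bound the copy
 * goes through unchecked, which is the gap a runtime-computed bound closes. */
int checked_copy(void *dst, size_t bound, const void *src, size_t len) {
    if (bound != UNKNOWN && len > bound)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

int main(int argc, char **argv) {
    (void)argv;
    size_t n = 8 + (size_t)argc - 1;   /* runtime value, not a constant */
    printf("n=%zu level2=%zu level3=%zu\n", n, bound_level2(n), bound_level3(n));
    return 0;
}
```

The bounds printed depend on the compiler and optimization level; without optimization both builtins typically report the unknown value.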

I'm open to bumping our main (runs-at-PR) CI to something way newer, if we can find something stable (so perhaps not some rolling distribution). Thoughts?

Habbie, Sep 20 '22 09:09

There are a fair number of points to consider if we want to switch, but as far as glibc 2.34+ is concerned I see the following options:

  • CentOS Stream 9 (2.34)
  • Fedora 35 (2.34)
  • Ubuntu 22.04 (2.35)

rgacogne, Sep 20 '22 09:09

Stream already broke a few times; Fedora is only valid for six months; Ubuntu sounds like a good bet at this time.

Habbie, Sep 20 '22 10:09

Agreed!

rgacogne, Sep 20 '22 10:09