Bug 725

Summary: stack protector check stymied by -D_FORTIFY_SOURCE=2 + AC_LANG_WERROR
Product: Sudo Reporter: Nick Alcock <nix>
Component: ConfigureAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.8.15   
Hardware: PC   
OS: Linux   
Attachments: fix -fstack-protector scanning

Description Nick Alcock 2015-10-30 10:03:18 MDT 
Created attachment 463 [details]
fix -fstack-protector scanning

The stack protector check turns optimization off to prevent the entire program being optimized out, but unfortunately also runs under AC_LANG_WERROR and (if --enable-hardening) under -D_FORTIFY_SOURCE=2.

If you compile without -O and with -D_FORTIFY_SOURCE, you get this warning:

In file included from /usr/include/stdio.h:27:0,
                 from conftest.c:174:
/usr/include/features.h:327:4: warning: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Wcpp]
 #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
    ^

which AC_LANG_WERROR then promotes to an error, forcing all the stack-protector tests to fail.

Patch fixing it (by undefining _FORTIFY_SOURCE around the check) attached.
Comment 1 Todd C. Miller 2015-10-30 10:08:48 MDT 
I think it is best to just clear CPPFLAGS for the stack protector test.
Comment 2 Nick Alcock 2015-10-30 10:28:36 MDT 
Yeah, that's probably just as good. My only worry is that the user-specified CPPFLAGS, like the user-specified CFLAGS and LDFLAGS, might contain things that are necessary to compile anything at all on that system. However, this is much less likely for CPPFLAGS than the other two, since this program has no headers to speak of, so you'll probably get away with just clearing it even on really strange systems. :)
Comment 3 Todd C. Miller 2015-10-30 10:36:36 MDT 
fixed by http://www.sudo.ws/repos/sudo/rev/1a9f8571a82d
Comment 4 Todd C. Miller 2015-11-01 15:24:11 MST 
Fixed in sudo 1.8.15