From 5e82fd62a4020670ae26179ceb84ea90105a6af5 Mon Sep 17 00:00:00 2001
From: Michal Schorm
Date: Mon, 7 Feb 2022 14:02:25 +0100
Subject: [PATCH] Disable the upstream hardening - it overrides the default compilation flags of the distribution, but provides lower level of hardening than the default flags This issue was originally discovered by Annocheck stack-protection test in RHEL 9 Resolves: #2044388 The -DSECURITY_HARDENED is used to force a set of compilation flags for hardening The issue is that the MariaDB upstream level of hardening is lower than expected by Red Hat We disable this option to the default compilation flags (which have higher level of hardening) will be used
---
 mariadb.spec | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/mariadb.spec b/mariadb.spec
index ddf57a3..3e423d8 100644
--- a/mariadb.spec
+++ b/mariadb.spec
@@ -850,7 +850,7 @@ fi
 -DGROONGA_NORMALIZER_MYSQL_PROJECT_NAME=%{name}-server/groonga-normalizer-mysql \
 -DENABLED_LOCAL_INFILE=ON \
 -DENABLE_DTRACE=ON \
- -DSECURITY_HARDENED=ON \
+ -DSECURITY_HARDENED=OFF \
 -DWITH_WSREP=%{?with_galera:ON}%{!?with_galera:OFF} \
 -DWITH_INNODB_DISALLOW_WRITES=%{?with_galera:ON}%{!?with_galera:OFF} \
 -DWITH_EMBEDDED_SERVER=%{?with_embedded:ON}%{!?with_embedded:OFF} \
@@ -879,6 +879,10 @@ fi
 -DCONNECT_WITH_JDBC=OFF \
 %{?with_debug: -DCMAKE_BUILD_TYPE=Debug -DWITH_ASAN=OFF -DWITH_INNODB_EXTRA_DEBUG=ON -DWITH_VALGRIND=ON}
+# The -DSECURITY_HARDENED is used to force a set of compilation flags for hardening
+# The issue is that the MariaDB upstream level of hardening is lower than expected by Red Hat
+# We disable this option to the default compilation flags (which have higher level of hardening) will be used
+
 CFLAGS="$CFLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE"
 # force PIC mode so that we can build libmysqld.so
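Review bot: With `-DSECURITY_HARDENED=OFF` in the first hunk (@@ -850), every hardening property of the build depends on the distribution's default flags reaching the compiler and linker, and nothing visible in the patch records how that is checked. The commit message names only the Annocheck stack-protection test. From what I recall of upstream's CMakeLists.txt, the option also covers PIE, full RELRO and `_FORTIFY_SOURCE`, so each of those is worth confirming on the built binaries, not only the test that failed. The explanatory comment sits in the second hunk, well below the flag it explains, and its last line is garbled; I would reword it to `# We disable this option so that the distribution's default compilation flags (which provide a higher level of hardening) are used` and add `# Re-run annocheck on the built packages whenever CFLAGS/LDFLAGS handling in this spec changes`. The cmake invocation starts and ends outside the hunk, so whether the default flags are actually passed into it cannot be confirmed from here.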