From db039807876beed5b260c599705bd9e06aa34173 Mon Sep 17 00:00:00 2001
From: Michal Schorm
Date: Mon, 7 Feb 2022 14:02:25 +0100
Subject: [PATCH] Diable upstream hardening - it overrides the default compilation flags of the distribution, but provides lower level of hardening than the default flags This issue was originally discovered by Annocheck stack-protection test in RHEL 9: #2044388 The -DSECURITY_HARDENED is used to force a set of compilation flags for hardening The issue is that the MariaDB upstream level of hardening is lower than expected by Red Hat We disable this option to the default compilation flags (which have higher level of hardening) will be used
---
 mariadb.spec | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/mariadb.spec b/mariadb.spec
index c023873..7849fe2 100644
--- a/mariadb.spec
+++ b/mariadb.spec
@@ -845,7 +845,7 @@ fi
 -DGROONGA_NORMALIZER_MYSQL_PROJECT_NAME=%{name}-server/groonga-normalizer-mysql \
 -DENABLED_LOCAL_INFILE=ON \
 -DENABLE_DTRACE=ON \
- -DSECURITY_HARDENED=ON \
+ -DSECURITY_HARDENED=OFF \
 -DWITH_WSREP=%{?with_galera:ON}%{!?with_galera:OFF} \
 -DWITH_INNODB_DISALLOW_WRITES=%{?with_galera:ON}%{!?with_galera:OFF} \
 -DWITH_EMBEDDED_SERVER=%{?with_embedded:ON}%{!?with_embedded:OFF} \
@@ -876,6 +876,10 @@ fi -DCONNECT_WITH_JDBC=OFF \ %{?with_debug: -DCMAKE_BUILD_TYPE=Debug -DWITH_ASAN=OFF -DWITH_INNODB_EXTRA_DEBUG=ON -DWITH_VALGRIND=ON} +# The -DSECURITY_HARDENED is used to force a set of compilation flags for hardening +# The issue is that the MariaDB upstream level of hardening is lower than expected by Red Hat +# We disable this option to the default compilation flags (which have higher level of hardening) will be used + CFLAGS="$CFLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE"
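Review bot: After `-DSECURITY_HARDENED=OFF`, every hardening property of the binaries depends on the distribution's default CFLAGS/LDFLAGS reaching each CMake target, and nothing visible in this hunk verifies that they do. The commit message cites only the annocheck stack-protection test; upstream's option is, as far as I know, also responsible for linker settings such as relro/now and for `_FORTIFY_SOURCE`, so it is worth confirming with annocheck on the built packages that these are still present for the server, the client tools and the plugins. The comment explaining the switch is added in the second hunk, well below the flag, and its last sentence should read `# We disable this option so the default compilation flags (which have a higher level of hardening) will be used`. The cmake invocation that carries this flag starts and ends outside the hunk.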