This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
Replace the current `_FORTIFY_SOURCE=2` with `_FORTIFY_SOURCE=3` to
improve mitigation of security issues arising from buffer overflows in
packages in Fedora.
== Owner ==
* Name: [[User:siddhesh| Siddhesh Poyarekar]]
* Email: sipoyare(a)redhat.com
== Detailed Description ==
The default C and C++ compiler flags used to build packages in Fedora
currently include `-Wp,-D_FORTIFY_SOURCE=2`, which enables fortification
of some functions in glibc and thus provides partial mitigation against
buffer overflows. Since glibc 2.34 and GCC 12, a new fortification
level (`_FORTIFY_SOURCE=3`) has been available that improves the
coverage of this mitigation.
The core change to bring in this mitigation is to change the default
build flags in `redhat-rpm-config` so that packages build by default
with `-Wp,-D_FORTIFY_SOURCE=3`. Some packages (e.g. `systemd`) do not
interact well with `_FORTIFY_SOURCE` and will need a workaround to
downgrade fortification to level 2; the change will also include this
override.
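The coverage difference between the two levels comes from how the fortified glibc wrappers learn the size of the destination buffer: level 2 uses `__builtin_object_size`, which only ever yields a compile-time constant, while level 3 uses `__builtin_dynamic_object_size` (GCC 12+, Clang 9+), which may yield a run-time expression such as the argument that was passed to `malloc()`. The following program, an added illustration rather than code from the proposal or from glibc, queries both builtins on a fixed-size stack buffer and on a heap buffer sized at run time, and feeds the result through a small helper that mirrors the decision a fortified `memcpy()` would make (reporting instead of aborting). The `STATIC_SIZE`/`DYNAMIC_SIZE` macros, the `verdict` enum and all function names are this example's own.

```c
/* Added example: why _FORTIFY_SOURCE=3 checks more calls than level 2.
 * Build with e.g. `gcc -O2 fortify_levels.c` (GCC 12+ for the dynamic
 * builtin); the heap case reports "unknown" for level 3 too when built
 * without optimization, because the size tracking runs in the optimizer. */
#include <stdio.h>
#include <stdlib.h>

#ifndef __has_builtin
#define __has_builtin(x) 0
#endif

/* Level-2 style query: a compile-time constant, or (size_t)-1 when unknown. */
#define STATIC_SIZE(p) __builtin_object_size((p), 0)

/* Level-3 style query: may be a run-time expression (e.g. the size passed
 * to malloc()).  Falls back to the level-2 query on compilers without the
 * builtin so that the example still compiles there. */
#if __has_builtin(__builtin_dynamic_object_size)
#define DYNAMIC_SIZE(p) __builtin_dynamic_object_size((p), 0)
#else
#define DYNAMIC_SIZE(p) __builtin_object_size((p), 0)
#endif

enum verdict { SIZE_UNKNOWN = -1, COPY_ALLOWED = 0, OVERFLOW_CAUGHT = 1 };

/* The decision a fortified memcpy() makes, reported instead of aborting.
 * An unknown destination size means the call is simply not checked, which
 * is what level 2 sees for every heap buffer of non-constant size. */
static enum verdict fortify_verdict(size_t dst_size, size_t n)
{
    if (dst_size == (size_t)-1)
        return SIZE_UNKNOWN;
    return n > dst_size ? OVERFLOW_CAUGHT : COPY_ALLOWED;
}

/* Case 1: fixed-size stack buffer.  Both levels know it is 16 bytes. */
size_t stack_size_level2(void) { char buf[16]; return STATIC_SIZE(buf); }
size_t stack_size_level3(void) { char buf[16]; return DYNAMIC_SIZE(buf); }

/* Case 2: heap buffer sized at run time.  noinline keeps n a genuine
 * run-time value even when the caller passes a constant, as in real code
 * where the size comes from input. */
__attribute__((noinline))
enum verdict heap_copy_level2(size_t n, size_t copy_len)
{
    char *buf = malloc(n);
    if (buf == NULL)
        return SIZE_UNKNOWN;
    enum verdict v = fortify_verdict(STATIC_SIZE(buf), copy_len);
    free(buf);
    return v;
}

__attribute__((noinline))
enum verdict heap_copy_level3(size_t n, size_t copy_len)
{
    char *buf = malloc(n);
    if (buf == NULL)
        return SIZE_UNKNOWN;
    enum verdict v = fortify_verdict(DYNAMIC_SIZE(buf), copy_len);
    free(buf);
    return v;
}

int main(void)
{
    printf("stack buffer, level 2 view: %zu bytes\n", stack_size_level2());
    printf("stack buffer, level 3 view: %zu bytes\n", stack_size_level3());
    /* -1 = unchecked, 0 = copy allowed, 1 = overflow would be caught */
    printf("8-byte heap buffer, 9-byte copy, level 2: %d\n",
           (int)heap_copy_level2(8, 9));
    printf("8-byte heap buffer, 9-byte copy, level 3: %d\n",
           (int)heap_copy_level3(8, 9));
    return 0;
}
```

With `-O2` and a compiler that has the dynamic builtin, the heap case prints `-1` for level 2 (the overflowing copy is not checked at all) and `1` for level 3 (the copy would be rejected); the stack case is checked at both levels. This is the mechanism behind the coverage figures quoted below: level 3 extends protection to destinations whose size is known only at run time.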
== Benefit to Fedora ==
Analysis of packages in Fedora rawhide indicates that the improvement
in mitigation coverage is on average over 2.4x, in some cases
protecting more than half of the fortified glibc calls in the target
This change will thus harden Fedora to a significant extent, making it
a more secure distribution out of the box.
== Scope ==
* Proposal owners: Post a merge request to redhat-rpm-config with the
actual change to build flags.
* Other developers: Resolve bugs filed for build failures, either by
fixing the bug exposed by `_FORTIFY_SOURCE=3` or by disabling
`_FORTIFY_SOURCE=3` for the package if it is a false positive or if the
package is unable to adapt to the change.
* Release engineering: Mass rebuild required
* Policies and guidelines: Guidelines should include workaround for
packages that fail to build with `-Wp,-D_FORTIFY_SOURCE=3` due to a
* Trademark approval: N/A (not needed for this Change)
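As an added example that is not part of the proposal, this is the shape a per-package opt-out could take in a spec file. The macro name `_fortify_level` is an assumption about the knob that `redhat-rpm-config` exposes for this; confirm it against the macro set shipped by the actual merge request before relying on it. The bug reference is a placeholder.

```spec
# Build this package with _FORTIFY_SOURCE=2 instead of the distribution
# default of 3 (assumed macro name; verify in redhat-rpm-config).
# Record why, so the override is revisited once the cause is fixed:
# Tracking bug: <BUGZILLA-ID placeholder>
%global _fortify_level 2
```

Keep the override next to its justification and treat it as temporary: a package that fails to build or aborts at runtime at level 3 has either hit a genuine overflow, which should be fixed upstream, or a false positive, which should be reported so the check can be corrected. Running `rpm --eval '%{build_cflags}'` in the build environment shows the resulting flags and lets you confirm which fortification level a spec actually ends up with.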
== Upgrade/compatibility impact ==
No ABI change, so there should be no impact on compatibility in a
== How To Test ==
* Smoke testing of packages to ensure that they continue to work
correctly. Some packages may have overflows exposed at runtime, which
may need to be fixed.
== User Experience ==
No noticeable change to users.
== Dependencies ==
== Contingency Plan ==
* Contingency mechanism: If too many packages are found to be broken at
runtime, the default for fortification will be left at
`_FORTIFY_SOURCE=2` for Fedora 38. The Change owner will do this in
`redhat-rpm-config`.
* Contingency deadline: Beta freeze
* Blocks release? Yes
* Blocks product? No
== Documentation ==
More context on `_FORTIFY_SOURCE=3` improvements.
== Release Notes ==