https://github.com/python/cpython/commit/bdab67e1c795443a0d8f8a5bbeb3a91ac4fd5a19
commit: bdab67e1c795443a0d8f8a5bbeb3a91ac4fd5a19
branch: main
author: Nate Ohlson <[email protected]>
committer: corona10 <[email protected]>
date: 2024-07-19T01:06:51+09:00
summary:

gh-112301: Add fortify source level 3 to default compiler options (gh-121520)

files:
A Misc/NEWS.d/next/Security/2024-07-08-23-39-04.gh-issue-112301.TD8G01.rst
M configure
M configure.ac

diff --git 
a/Misc/NEWS.d/next/Security/2024-07-08-23-39-04.gh-issue-112301.TD8G01.rst 
b/Misc/NEWS.d/next/Security/2024-07-08-23-39-04.gh-issue-112301.TD8G01.rst
new file mode 100644
index 00000000000000..d9b48993a2fb1a
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2024-07-08-23-39-04.gh-issue-112301.TD8G01.rst
@@ -0,0 +1,2 @@
+Enable runtime protections for glibc to abort execution when unsafe behavior 
is encountered,
+for all platforms except Windows.
diff --git a/configure b/configure
index 73d3bda9ddcdaa..36f4bf7c05f7f3 100755
--- a/configure
+++ b/configure
@@ -9691,6 +9691,45 @@ else $as_nop
 printf "%s\n" "$as_me: WARNING: -Wtrampolines not supported" >&2;}
 fi
 
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler 
accepts -D_FORTIFY_SOURCE=3" >&5
+printf %s "checking whether C compiler accepts -D_FORTIFY_SOURCE=3... " >&6; }
+if test ${ax_cv_check_cflags___D_FORTIFY_SOURCE_3+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -D_FORTIFY_SOURCE=3"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main (void)
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"
+then :
+  ax_cv_check_cflags___D_FORTIFY_SOURCE_3=yes
+else $as_nop
+  ax_cv_check_cflags___D_FORTIFY_SOURCE_3=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: 
$ax_cv_check_cflags___D_FORTIFY_SOURCE_3" >&5
+printf "%s\n" "$ax_cv_check_cflags___D_FORTIFY_SOURCE_3" >&6; }
+if test "x$ax_cv_check_cflags___D_FORTIFY_SOURCE_3" = xyes
+then :
+  BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"
+else $as_nop
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -D_FORTIFY_SOURCE=3 
not supported" >&5
+printf "%s\n" "$as_me: WARNING: -D_FORTIFY_SOURCE=3 not supported" >&2;}
+fi
+
 
 case $GCC in
 yes)
diff --git a/configure.ac b/configure.ac
index 00246a12100863..5873002039886a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2460,6 +2460,7 @@ AS_VAR_IF([with_strict_overflow], [yes],
 # These flags should be enabled by default for all builds.
 AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS 
-fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not 
supported])], [-Werror])
 AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS 
-Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
+AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS 
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not 
supported])])
 
 case $GCC in
 yes)
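Review bot: The added `AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], ...)` line probes a different flag string from the one it appends (`-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3`), and it omits the `[-Werror]` fourth argument that the two checks above it pass. Because a `-D` option is accepted by practically any compiler, and the generated test program in `configure` is an empty `main` that includes no libc header, the probe will almost always answer "yes" whether or not the toolchain can fortify at level 3. I would probe the exact string that is appended, i.e. a first argument of `[-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3]`, and add `[-Werror]` as the fourth argument so it matches its neighbours. A short comment above the line would also help, for example `# Checks flag acceptance only; _FORTIFY_SOURCE takes effect only with optimization enabled and a libc that implements it`. As far as I know, glibc warns when the macro is defined without optimization and falls back to level 2 on compilers without dynamic object size support, so debug (`-O0`) builds and older toolchains should be tested before relying on this as a default.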
