From f6576968c3117ceb3166442de2c1ee7e64a38052 Mon Sep 17 00:00:00 2001
From: zhangxubo
Date: Tue, 16 Sep 2025 14:50:18 +0800
Subject: [PATCH] fix security compilation
---
 og-stackprot.patch | 74 +++++++++++++++++++++++++++++++++++++++++++
 opengauss-server.spec | 9 +++++-
 2 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 og-stackprot.patch
diff --git a/og-stackprot.patch b/og-stackprot.patch
new file mode 100644
index 0000000..bc34576
--- /dev/null
+++ b/og-stackprot.patch
@@ -0,0 +1,74 @@
+diff -crN '--exclude=.git' openGauss-server-6.0.0/contrib/dolphin/CMakeLists.txt openGauss-server-6.0.0-edit/contrib/dolphin/CMakeLists.txt
+*** openGauss-server-6.0.0/contrib/dolphin/CMakeLists.txt 2024-11-27 16:17:55.000000000 +0800
+--- openGauss-server-6.0.0-edit/contrib/dolphin/CMakeLists.txt 2025-09-15 21:20:35.195042074 +0800
+***************
+*** 88,94 ****
+
+
+ #add_compile_options(-fPIC)
+! set(LIB_DOLPHIN_OPTIONS -fvisibility=hidden -fPIC -DDOLPHIN)
+
+ set(CMAKE_VERBOSE_MAKEFILE ON)
+ set(CMAKE_RULE_MESSAGES OFF)
+--- 88,94 ----
+
+
+ #add_compile_options(-fPIC)
+! set(LIB_DOLPHIN_OPTIONS -fvisibility=hidden -fPIC -DDOLPHIN -fstack-protector-strong)
+
+ set(CMAKE_VERBOSE_MAKEFILE ON)
+ set(CMAKE_RULE_MESSAGES OFF)
+diff -crN '--exclude=.git' openGauss-server-6.0.0/src/bin/gsqlerr/CMakeLists.txt openGauss-server-6.0.0-edit/src/bin/gsqlerr/CMakeLists.txt
+*** openGauss-server-6.0.0/src/bin/gsqlerr/CMakeLists.txt 2024-11-27 16:17:35.000000000 +0800
+--- openGauss-server-6.0.0-edit/src/bin/gsqlerr/CMakeLists.txt 2025-09-15 22:10:02.776625038 +0800
+***************
+*** 11,17 ****
+ )
+
+ set(scanEreport_DEF_OPTIONS ${MACRO_OPTIONS})
+! set(scanEreport_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS})
+ set(scanEreport_LINK_OPTIONS ${BIN_LINK_OPTIONS})
+ set(scanEreport_LINK_LIBS -l${SECURE_C_CHECK})
+ if("${ENABLE_MEMORY_CHECK}" STREQUAL "ON")
+--- 11,17 ----
+ )
+
+ set(scanEreport_DEF_OPTIONS ${MACRO_OPTIONS})
+! set(scanEreport_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS} -fstack-protector-strong)
+ set(scanEreport_LINK_OPTIONS ${BIN_LINK_OPTIONS})
+ set(scanEreport_LINK_LIBS -l${SECURE_C_CHECK})
+ if("${ENABLE_MEMORY_CHECK}" STREQUAL "ON")
+***************
+*** 60,66 ****
+ )
+
+ set(gsqlerr_DEF_OPTIONS ${MACRO_OPTIONS})
+! set(gsqlerr_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS})
+ set(gsqlerr_LINK_OPTIONS ${BIN_LINK_OPTIONS})
+ set(gsqlerr_LINK_LIBS -l${SECURE_C_CHECK})
+ if("${ENABLE_MEMORY_CHECK}" STREQUAL "ON")
+--- 60,66 ----
+ )
+
+ set(gsqlerr_DEF_OPTIONS ${MACRO_OPTIONS})
+! set(gsqlerr_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS} -fstack-protector-strong)
+ set(gsqlerr_LINK_OPTIONS ${BIN_LINK_OPTIONS})
+ set(gsqlerr_LINK_LIBS -l${SECURE_C_CHECK})
+ if("${ENABLE_MEMORY_CHECK}" STREQUAL "ON")
+***************
+*** 70,76 ****
+ set(gsqlerr_LINK_LIBS ${gsqlerr_LINK_LIBS} -pthread -ldl -lm -lrt)
+ set(gsqlerr_DEF_OPTIONS ${gsqlerr_DEF_OPTIONS} -D_REENTRANT)
+ endif()
+! add_bintarget(gsqlerr TGT_gsqlerr_SRC TGT_gsqlerr_INC "${gsqlerr_DEF_OPTIONS}" "${gsqlerr_COMPILE_OPTIONS}" "${gsqlerr_LINK_OPTIONS}" "${gsqlerr_LINK_LIBS}")
+ add_dependencies(gsqlerr scanEreport)
+ target_link_directories(gsqlerr PUBLIC
+ ${LIBEDIT_LIB_PATH} ${LIBCGROUP_LIB_PATH} ${SECURE_LIB_PATH} ${KERBEROS_LIB_PATH} ${CMAKE_BINARY_DIR}/lib
+--- 70,76 ----
+ set(gsqlerr_LINK_LIBS ${gsqlerr_LINK_LIBS} -pthread -ldl -lm -lrt)
+ set(gsqlerr_DEF_OPTIONS ${gsqlerr_DEF_OPTIONS} -D_REENTRANT)
+ endif()
+! add_bintarget(gsqlerr TGT_gsqlerr_SRC TGT_gsqlerr_INC "${gsqlerr_DEF_OPTIONS}" "${gsqlerr_COMPILE_OPTIONS}" "${gsqlerr_LINK_OPTIONS}" "${gsqlerr_LINK_LIBS}" -fstack-protector-strong)
+ add_dependencies(gsqlerr scanEreport)
+ target_link_directories(gsqlerr PUBLIC
+ ${LIBEDIT_LIB_PATH} ${LIBCGROUP_LIB_PATH} ${SECURE_LIB_PATH} ${KERBEROS_LIB_PATH} ${CMAKE_BINARY_DIR}/lib
diff --git a/opengauss-server.spec b/opengauss-server.spec
index caba06e..d00486b 100755
--- a/opengauss-server.spec
+++ b/opengauss-server.spec
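Review bot: In the embedded `*** 70,76 ****` change to src/bin/gsqlerr/CMakeLists.txt, `-fstack-protector-strong` is passed as an extra trailing argument to `add_bintarget(gsqlerr …)` after `"${gsqlerr_LINK_LIBS}"`. `gsqlerr_COMPILE_OPTIONS` already carries the flag from the `60,66` change, and `add_bintarget` is defined outside this patch, so the extra argument is redundant at best and may be ignored or misread; I would end the call at `"${gsqlerr_LINK_LIBS}")` again. Separately, both `*_COMPILE_OPTIONS` lists already expand `${PROTECT_OPTIONS}`, whose definition is not visible here. If that variable already selects a stack-protector level, the appended literal comes later on the command line and with GCC the last `-fstack-protector*` option wins, so a `-fstack-protector-all` setting would be lowered to `-strong`. Setting the level once where `PROTECT_OPTIONS` is defined, or adding a comment such as `# PROTECT_OPTIONS does not enable the stack protector in this build mode` above each `set()`, would make the intent checkable.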
@@ -13,7 +13,7 @@ Name: opengauss Version: 6.0.0 -Release: 25 +Release: 26 Summary: openGauss is an open source relational database management system License: MulanPSL-2.0 and MIT and BSD and zlib and TCL and Apache-2.0 and BSL-1.0 URL: https://gitee.com/opengauss/openGauss-server @@ -41,6 +41,7 @@ Patch3: og-security.patch Patch4: og-syntax.patch Patch5: og-riscv64-support.patch Patch6: og-dolphin.patch +Patch7: og-stackprot.patch Patch11: zlib.patch Patch12: zlib-CVE-2022-37434.patch Patch21: krb5-backport-Add-a-simple-DER-support-header.patch @@ -89,6 +90,7 @@ pushd openGauss-server-%{version} %patch -P4 -p1 %patch -P5 -p1 %patch -P6 -p1 +%patch -P7 -p1 popd pushd %{zlib_name}-%{zlib_version} @@ -224,6 +226,8 @@ sed -i '/"$BIN_DIR\/gaussdb\.map"/d' ./separate_debug_information.sh ./separate_debug_information.sh rm -rf ${opengauss_source_dir}/mppdb_temp_install/packages rm -rf ${opengauss_source_dir}/mppdb_temp_install/symbols +rm ${opengauss_source_dir}/mppdb_temp_install/bin/gsqlerr +rm ${opengauss_source_dir}/mppdb_temp_install/lib/libz.a # package os_name=$(cat /etc/os-release | grep -w NAME | awk -F '"' '{print $2}') @@ -482,6 +486,9 @@ fi %changelog +* Tue Sep 16 2025 zhangxubo - 6.0.0-26 +- Fix bugs: #ICXUK0 fix security compilation + * Wed Sep 10 2025 zhangxubo - 6.0.0-25 - Fix bugs: #ICUX7L Safe compilation option strip adapt -- Gitee
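Review bot: In the `@@ -224,6 +226,8 @@` hunk the two added `rm` calls omit `-f`, unlike the `rm -rf` lines directly above them, so the step fails if `bin/gsqlerr` or `lib/libz.a` is ever absent (assuming the section runs with errexit, as rpm build scriptlets normally do). If that is meant as a tripwire it should be stated; otherwise use `rm -f`. The hunk also deletes the `gsqlerr` binary that og-stackprot.patch in this same commit rebuilds with `-fstack-protector-strong`, so the visible lines do not show whether the hardening or the removal is the actual fix for #ICXUK0. A one-line comment above the two lines saying why these artifacts are dropped from the install tree would settle that. The surrounding script section starts and ends outside the hunk, so whether a later step verifies that the remaining binaries were really built with the protector (for example by looking for `__stack_chk_fail` with `readelf -s`) cannot be judged from here.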