[yocto-security] [PATCH] SDK environment script doesn't set security options in CC and LDFLAGS variables

Alexander Kanavin alex.kanavin at gmail.com
Wed Nov 20 03:25:21 PST 2019


This patch should go to the openembedded-core mailing list.

Alex

On Wed, 20 Nov 2019 at 11:03, Antoine MANACHE <a.manache at gmail.com> wrote:

> When building an SDK from a DISTRO with security flags enabled, options
> added to CC and LDFLAGS are not replicated in the SDK environment script.
> This could lead to some situations where an application compiled with
> the SDK and having some security weaknesses correctly runs on target but
> crashes once integrated to the core image built with the full Yocto
> stack.
>
> Signed-off-by: Antoine Manache <a.manache at gmail.com>
> ---
>  meta/conf/distro/include/security_flags.inc | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/conf/distro/include/security_flags.inc
> b/meta/conf/distro/include/security_flags.inc
> index 620978a8ed..329482bfa3 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -56,7 +56,9 @@ SECURITY_STRINGFORMAT_pn-busybox = ""
>  SECURITY_STRINGFORMAT_pn-gcc = ""
>
>  TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
> +TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
>  TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> +TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
>
>  SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
>  SECURITY_STACK_PROTECTOR_pn-glibc = ""
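Review bot: the two added `_append_class-cross-canadian` lines are class-wide overrides, so they take effect in every recipe that inherits cross-canadian, not only in the one that writes the SDK environment script, and neither the commit message nor the file says that this wider scope is intended or was tested. The exemptions visible in the surrounding context (`SECURITY_STRINGFORMAT_pn-gcc = ""`, `SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""`, `SECURITY_STACK_PROTECTOR_pn-glibc = ""`) are keyed on individual recipe names, so it is worth checking whether any cross-canadian recipe needs an equivalent exemption once these appends apply to it. Please name in the commit message the recipe that consumes `TARGET_CC_ARCH` and `TARGET_LDFLAGS` for the environment script, state that the cross-canadian toolchain recipes were rebuilt with the change, and add a one-line comment above the new assignments saying they exist so that the SDK environment script carries the same flags as target builds.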
> --
> 2.11.0