<div dir="ltr"><div>This patch should go to the openembedded-core mailing list.</div><div><br></div><div>Alex<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 20 Nov 2019 at 11:03, Antoine MANACHE <<a href="mailto:a.manache@gmail.com">a.manache@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr"><span style="font-family:Consolas,monospace;font-size:10pt;background-color:rgb(255,255,255)">When building an SDK from a DISTRO with security flags enabled, options added to</span><br></div><div dir="ltr" style="font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:Calibri,Arial,Helvetica,sans-serif"><p>
<span style="font-family:Consolas,monospace;font-size:10pt">CC and LDFLAGS are not replicated in the SDK environment script.</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">This could lead to some situations where an application compiled with</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">the SDK and having some security weaknesses correctly runs on target but</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">crashes once integrated into the core image built with the full Yocto</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">stack.</span><br style="font-family:Consolas,monospace;font-size:10pt">
<br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">Signed-off-by: Antoine Manache <<a href="mailto:a.manache@gmail.com" rel="noreferrer" target="_blank">a.manache@gmail.com</a>></span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">---</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt"> meta/conf/distro/include/security_flags.inc | 2 ++</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt"> 1 file changed, 2 insertions(+)</span><br style="font-family:Consolas,monospace;font-size:10pt">
<br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">index 620978a8ed..329482bfa3 100644</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">--- a/meta/conf/distro/include/security_flags.inc</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">+++ b/meta/conf/distro/include/security_flags.inc</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">@@ -56,7 +56,9 @@ SECURITY_STRINGFORMAT_pn-busybox = ""</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">Â SECURITY_STRINGFORMAT_pn-gcc = ""</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">Â </span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">Â TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">+TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">Â TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">+TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">Â </span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">Â SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""</span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">Â SECURITY_STACK_PROTECTOR_pn-glibc = ""</span><br style="font-family:Consolas,monospace;font-size:10pt">
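Review bot: the two added _append_class-cross-canadian lines take effect in every recipe built in the cross-canadian class, while the commit message only talks about the CC and LDFLAGS values in the SDK environment script, and it does not say how the override reaches that script or how the result was checked. Please state in the commit message that the generated environment script was inspected and now carries ${SECURITY_CFLAGS} and ${SECURITY_LDFLAGS}, and that the cross-canadian recipes themselves still build with the flags appended. The exemptions visible in this hunk's context (SECURITY_STRINGFORMAT_pn-gcc, SECURITY_STACK_PROTECTOR_pn-gcc-runtime, SECURITY_STACK_PROTECTOR_pn-glibc) are keyed on recipe name, so confirm whether the cross-canadian recipe names need matching exemptions.<br>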
<span style="font-family:Consolas,monospace;font-size:10pt">-- </span><br style="font-family:Consolas,monospace;font-size:10pt">
<span style="font-family:Consolas,monospace;font-size:10pt">2.11.0</span><br style="font-family:Consolas,monospace;font-size:10pt"></p></div>
</div></div>
_______________________________________________<br>
yocto-security mailing list<br>
<a href="mailto:yocto-security@yoctoproject.org" target="_blank">yocto-security@yoctoproject.org</a><br>
<a href="https://lists.yoctoproject.org/listinfo/yocto-security" rel="noreferrer" target="_blank">https://lists.yoctoproject.org/listinfo/yocto-security</a><br>
</blockquote></div>