diff --git a/mariadb-security-enhancing-with-fstack-protector-strong.patch b/mariadb-security-enhancing-with-fstack-protector-strong.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5eb8ff12328ac6c24c25c9b23a8ef50b6783b8fc
--- /dev/null
+++ b/mariadb-security-enhancing-with-fstack-protector-strong.patch
@@ -0,0 +1,151 @@
+diff --git a/plugin/auth_examples/CMakeLists.txt b/plugin/auth_examples/CMakeLists.txt
+index 0efd8348..74cbd716 100644
+--- a/plugin/auth_examples/CMakeLists.txt
++++ b/plugin/auth_examples/CMakeLists.txt
+@@ -29,6 +29,10 @@ MYSQL_ADD_PLUGIN(qa_auth_client qa_auth_client.c
+
+ MYSQL_ADD_PLUGIN(auth_0x0100 auth_0x0100.c MODULE_ONLY COMPONENT Test)
+
++IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN)
++ target_compile_options(auth_0x0100 PRIVATE -fstack-protector-strong)
++ENDIF()
++
+ # disabled in favor of
+ # libmariadb/plugins/auth/mariadb_cleartext.c
+ #
+diff --git a/plugin/debug_key_management/CMakeLists.txt b/plugin/debug_key_management/CMakeLists.txt
+index eeb8a3bf..3755cd00 100644
+--- a/plugin/debug_key_management/CMakeLists.txt
++++ b/plugin/debug_key_management/CMakeLists.txt
+@@ -1,2 +1,8 @@
+ MYSQL_ADD_PLUGIN(DEBUG_KEY_MANAGEMENT debug_key_management_plugin.cc
+ MODULE_ONLY COMPONENT Test)
++
++IF(TARGET debug_key_management)
++ IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN)
++ target_compile_options(debug_key_management PRIVATE -fstack-protector-strong)
++ ENDIF()
++ENDIF()
+diff --git a/plugin/example_key_management/CMakeLists.txt b/plugin/example_key_management/CMakeLists.txt
+index fe893e53..0bb8113f 100644
+--- a/plugin/example_key_management/CMakeLists.txt
++++ b/plugin/example_key_management/CMakeLists.txt
+@@ -1,2 +1,8 @@
+ MYSQL_ADD_PLUGIN(EXAMPLE_KEY_MANAGEMENT example_key_management_plugin.cc
+ MODULE_ONLY COMPONENT Test)
++
++IF(TARGET example_key_management)
++ IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN)
++ target_compile_options(example_key_management PRIVATE -fstack-protector-strong)
++ ENDIF()
++ENDIF()
+diff --git a/plugin/provider_bzip2/CMakeLists.txt b/plugin/provider_bzip2/CMakeLists.txt
+index e2ac4592..9c111ae0
100644
+--- a/plugin/provider_bzip2/CMakeLists.txt
++++ b/plugin/provider_bzip2/CMakeLists.txt
+@@ -12,4 +12,8 @@ IF (BZIP2_FOUND)
+
+ MYSQL_ADD_PLUGIN(provider_bzip2 plugin.c COMPONENT provider-bzip2
+ LINK_LIBRARIES ${BZIP2_LIBRARIES} CONFIG provider_bzip2.cnf)
++
++ IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN)
++ target_compile_options(provider_bzip2 PRIVATE -fstack-protector-strong)
++ ENDIF()
+ ENDIF()
+diff --git a/plugin/provider_lz4/CMakeLists.txt b/plugin/provider_lz4/CMakeLists.txt
+index daad63ac..50febaf1 100644
+--- a/plugin/provider_lz4/CMakeLists.txt
++++ b/plugin/provider_lz4/CMakeLists.txt
+@@ -12,4 +12,8 @@ IF (LZ4_FOUND)
+
+ MYSQL_ADD_PLUGIN(provider_lz4 plugin.c COMPONENT provider-lz4
+ LINK_LIBRARIES ${LZ4_LIBRARIES} CONFIG provider_lz4.cnf)
++
++ IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN)
++ target_compile_options(provider_lz4 PRIVATE -fstack-protector-strong)
++ ENDIF()
+ ENDIF()
+diff --git a/plugin/provider_lzma/CMakeLists.txt b/plugin/provider_lzma/CMakeLists.txt
+index 8b0781aa..5448afad 100644
+--- a/plugin/provider_lzma/CMakeLists.txt
++++ b/plugin/provider_lzma/CMakeLists.txt
+@@ -12,4 +12,8 @@ IF (LIBLZMA_FOUND)
+
+ MYSQL_ADD_PLUGIN(provider_lzma plugin.c COMPONENT provider-lzma
+ LINK_LIBRARIES ${LIBLZMA_LIBRARIES} CONFIG provider_lzma.cnf)
++
++ IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN)
++ target_compile_options(provider_lzma PRIVATE -fstack-protector-strong)
++ ENDIF()
+ ENDIF()
+diff --git a/plugin/provider_lzo/CMakeLists.txt b/plugin/provider_lzo/CMakeLists.txt
+index 8a8d31d2..169a7ad2 100644
+--- a/plugin/provider_lzo/CMakeLists.txt
++++ b/plugin/provider_lzo/CMakeLists.txt
+@@ -12,4 +12,8 @@ IF (LZO_FOUND)
+
+ MYSQL_ADD_PLUGIN(provider_lzo plugin.c COMPONENT provider-lzo
+ LINK_LIBRARIES ${LZO_LIBRARIES} CONFIG
provider_lzo.cnf)
++
++ IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN)
++ target_compile_options(provider_lzo PRIVATE -fstack-protector-strong)
++ ENDIF()
+ ENDIF()
+diff --git a/plugin/provider_snappy/CMakeLists.txt b/plugin/provider_snappy/CMakeLists.txt
+index d963029d..f97eb6ed 100644
+--- a/plugin/provider_snappy/CMakeLists.txt
++++ b/plugin/provider_snappy/CMakeLists.txt
+@@ -12,4 +12,8 @@ IF (SNAPPY_FOUND)
+
+ MYSQL_ADD_PLUGIN(provider_snappy plugin.c COMPONENT provider-snappy
+ LINK_LIBRARIES ${SNAPPY_LIBRARIES} CONFIG provider_snappy.cnf)
++
++ IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN)
++ target_compile_options(provider_snappy PRIVATE -fstack-protector-strong)
++ ENDIF()
+ ENDIF()
+diff --git a/plugin/simple_password_check/CMakeLists.txt b/plugin/simple_password_check/CMakeLists.txt
+index f41024d2..6e00c5cf 100644
+--- a/plugin/simple_password_check/CMakeLists.txt
++++ b/plugin/simple_password_check/CMakeLists.txt
+@@ -1 +1,5 @@
+ MYSQL_ADD_PLUGIN(simple_password_check simple_password_check.c MODULE_ONLY)
++
++IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN)
++ target_compile_options(simple_password_check PRIVATE -fstack-protector-strong)
++ENDIF()
+diff --git a/storage/blackhole/CMakeLists.txt b/storage/blackhole/CMakeLists.txt
+index c58ca125..80c77efb 100644
+--- a/storage/blackhole/CMakeLists.txt
++++ b/storage/blackhole/CMakeLists.txt
+@@ -15,3 +15,7 @@
+
+ SET(BLACKHOLE_SOURCES ha_blackhole.cc ha_blackhole.h)
+ MYSQL_ADD_PLUGIN(blackhole ${BLACKHOLE_SOURCES} STORAGE_ENGINE)
++
++IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN)
++ target_compile_options(blackhole PRIVATE -fstack-protector-strong)
++ENDIF()
+diff --git a/storage/example/CMakeLists.txt b/storage/example/CMakeLists.txt
+index 5b59d1b1..2bff6f9d 100644 +--- a/storage/example/CMakeLists.txt ++++ b/storage/example/CMakeLists.txt +@@ -15,3 +15,7 @@ + + SET(EXAMPLE_SOURCES ha_example.cc) + MYSQL_ADD_PLUGIN(example ${EXAMPLE_SOURCES} STORAGE_ENGINE MODULE_ONLY COMPONENT Test) ++ ++IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN) ++ target_compile_options(example PRIVATE -fstack-protector-strong) ++ENDIF() +diff --git a/storage/test_sql_discovery/CMakeLists.txt b/storage/test_sql_discovery/CMakeLists.txt +index 2039b081..a711b417 100644 +--- a/storage/test_sql_discovery/CMakeLists.txt ++++ b/storage/test_sql_discovery/CMakeLists.txt +@@ -1,2 +1,6 @@ + MYSQL_ADD_PLUGIN(test_sql_discovery test_sql_discovery.cc STORAGE_ENGINE + COMPONENT Test) ++ ++IF(SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN) ++ target_compile_options(test_sql_discovery PRIVATE -fstack-protector-strong) ++ENDIF() diff --git a/mariadb.spec b/mariadb.spec index c3b22cb7de82f2a99d183a218e9a05db46937ac2..cc64e3df26167455e826891bc865beff148d33c0 100644 --- a/mariadb.spec +++ b/mariadb.spec @@ -74,7 +74,7 @@ Name: mariadb Version: 11.8.3 -Release: 2 +Release: 3 Epoch: 4 Summary: A very fast and robust SQL database server @@ -113,6 +113,8 @@ Patch9: %{pkgnamepatch}-ownsetup.patch Patch10: %{pkgnamepatch}-ssl-cipher-tests.patch # Patch11: Use PCDIR CMake option, if configured Patch11: %{pkgnamepatch}-pcdir.patch +# Patch12: append -fstack-protector-strong for security compile needs (issue #ICXUK1) +Patch12: %{pkgnamepatch}-security-enhancing-with-fstack-protector-strong.patch BuildRequires: ninja-build mold BuildRequires: cmake gcc-c++ 
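Review bot: The unguarded `target_compile_options()` calls will abort the configure step if the named target does not exist, and only the debug_key_management and example_key_management sections wrap the call in `IF(TARGET ...)`. The provider_bzip2/lz4/lzma/lzo/snappy, auth_0x0100, simple_password_check, blackhole, example and test_sql_discovery sections assume MYSQL_ADD_PLUGIN always created the target; that macro is defined outside this diff and presumably skips target creation for a disabled plugin, which the 4:11.8.3-2 changelog entry says is now the default for provider_*. Each of those sections should carry the same guard, e.g. `IF(TARGET provider_bzip2 AND SECURITY_HARDENED AND NOT WITH_ASAN AND NOT WITH_UBSAN AND NOT WITH_TSAN AND NOT WITH_GPROF AND NOT WITH_MSAN)`. Because the flag reaches only the targets listed here, it is worth confirming on the built modules that each one references `__stack_chk_fail`.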
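Review bot: `Patch12` is declared in the `@@ -113,6 +113,8 @@` hunk, but nothing in this diff adds a matching apply step, so the hardening may never reach the build. The %prep section lies outside the visible hunks; if it applies patches one by one rather than through %autosetup, it needs a line such as `%patch -P12 -p1` next to the existing ones. Without it the package still builds and the changelog claims the flag, while the plugins are compiled exactly as before.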
@@ -1473,6 +1475,9 @@ fi %endif %changelog +* Tue Sep 23 2025 xiejing - 4:11.8.3-3 +- Force to add -fstack-protector-strong option for security enhancing (issue #ICXUK1) + * Fri Aug 29 2025 xiejing - 4:11.8.3-2 - Disable provider_* plugin by default to fix systemd service start error