4.2.1.11 The fortify test

  Problem:  Buffer overruns in string/memory library functions can be exploited by an attacker
  Fix By:   Compiling with -D_FORTIFY_SOURCE=2 or -D_FORTIFY_SOURCE=3
  Waive If: The application does not use C library string/memory functions

  Example:  FAIL: fortify test because -D_FORTIFY_SOURCE=[2|3] was not present on the command line
  Example:  FAIL: fortify test because -O level is too low
  Example:  FAIL: fortify test because no indication that the necessary option was used (and a C compiler was detected)

This test checks that the application was compiled with either -D_FORTIFY_SOURCE=2 or -D_FORTIFY_SOURCE=3 specified on the compiler command line. Since these options need good optimization in order to work properly, the test also checks that -O2 or higher was used.

The _FORTIFY_SOURCE define enables the use of secure versions of certain string and memory C library functions. For full details of what it does, see this blog: https://access.redhat.com/blogs/766093/posts/1976213

Any program that uses the string or memory functions in the glibc library should have this define present on the compiler command line. Programs that do not use these functions do not need the define, but it will not hurt to have it present anyway.

Note - this test is automatically disabled if the --profile=el7 option is used.

Note - if either of the el10 or rawhide profiles is enabled then only -D_FORTIFY_SOURCE=3 will be accepted.

If necessary the test can be disabled via the --skip-fortify option and re-enabled via the --test-fortify option.
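
The two conditions described above (fortify level and optimization level), applied to a recorded compiler command line such as one taken from a build log. This is an added example, not annocheck's own code. The function name check_fortify, the require_level_3 parameter (standing in for the el10/rawhide rule) and the reading of "-O2 or higher" as -O2, -O3 or -Ofast are assumptions of the example.

```python
import shlex

# Assumption: "-O2 or higher" is read as exactly these spellings.
SUFFICIENT_OPT = {"-O2", "-O3", "-Ofast"}

def _flags(cmdline):
    """Yield flags, unpacking -Wp,<a>,<b> preprocessor pass-through groups."""
    for tok in shlex.split(cmdline):
        if tok.startswith("-Wp,"):
            yield from tok[4:].split(",")
        else:
            yield tok

def check_fortify(cmdline, require_level_3=False):
    """Return (verdict, reason) for one recorded compiler command line."""
    level = None  # effective _FORTIFY_SOURCE value; the last -D/-U wins
    opt = None    # effective optimization flag; the last -O wins
    for flag in _flags(cmdline):
        name, _, value = flag.partition("=")
        if name == "-D_FORTIFY_SOURCE":
            # A bare -DNAME defines the macro as 1, which does not satisfy the test.
            level = int(value) if value.isdigit() else 1
        elif flag == "-U_FORTIFY_SOURCE":
            level = None
        elif flag.startswith("-O"):
            opt = flag
    wanted = (3,) if require_level_3 else (2, 3)
    if level not in wanted:
        accepted = "|".join(str(n) for n in wanted)
        return "FAIL", "-D_FORTIFY_SOURCE=[%s] is not in effect" % accepted
    if opt not in SUFFICIENT_OPT:
        return "FAIL", "-O level is too low"
    return "PASS", "level %d with %s" % (level, opt)

# Constructed command lines, not taken from any real build log.
SAMPLES = [
    "gcc -O2 -g -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -c a.c",
    "gcc -O2 -D_FORTIFY_SOURCE=2 -c b.c",
    "gcc -O1 -D_FORTIFY_SOURCE=2 -c c.c",
    "gcc -O2 -D_FORTIFY_SOURCE=2 -U_FORTIFY_SOURCE -c d.c",
    "gcc -O2 -D_FORTIFY_SOURCE=2 -O0 -c e.c",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_fortify(line), check_fortify(line, require_level_3=True), line)
```

The last two samples show why the effective setting matters rather than the mere presence of a flag: a later -U_FORTIFY_SOURCE or -O0 cancels an earlier correct option.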