Fedora 38 To Beef Up Its Compiler Fortification Defenses
In addition to Fedora 38 now allowing "no-omit-frame-pointer" to enhance profiling/debugging with possible performance costs, this next Fedora Linux release is also planning to use "_FORTIFY_SOURCE=3" compiler defenses to further bolster security.
The _FORTIFY_SOURCE=3 level allows detecting more buffer overflows and other possible security issues. GCC 12 and Glibc 2.34 have supported the _FORTIFY_SOURCE=3 level for detecting more problems at compile time and run time, and that support is in good enough shape that FESCo has approved fortify source level three replacing level two as a default compiler setting. Developers believe the improved security coverage from _FORTIFY_SOURCE=3 is well worth the small performance overhead and code size increase of the new level.
The Fedora Engineering and Steering Committee has approved the change proposal to use "_FORTIFY_SOURCE=3" as part of the default compiler flags when building packages, to help mitigate security issues. Some packages will revert to _FORTIFY_SOURCE=2, though, as packages like systemd currently have issues with the higher fortification level.
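
Because some packages will fall back to level 2, it is worth checking which level a build actually compiled with. The following is an added example, not code from Fedora or the original article: a small Python audit that computes the effective _FORTIFY_SOURCE value per compile line. The function names, the list of compiler names and the sample log are constructed for illustration, and the script assumes that -D/-U flags (including those forwarded with -Wp,) take effect in the order written and that fortification is inactive without optimization.

```python
import re
import shlex

MACRO = "_FORTIFY_SOURCE"

def effective_fortify(cmdline):
    """Return (level, optimized) for one compiler command line."""
    flat = []
    for arg in shlex.split(cmdline):
        # -Wp,a,b forwards a and b to the preprocessor; unpack them in place.
        flat.extend(arg[4:].split(",") if arg.startswith("-Wp,") else [arg])
    level, opt = None, "0"          # level None means the macro is undefined
    for arg in flat:
        if arg == "-U" + MACRO:
            level = None
        elif arg == "-D" + MACRO:
            level = 1               # a bare -DNAME defines the macro as 1
        elif re.fullmatch(r"-D" + MACRO + r"=\d+", arg):
            level = int(arg.split("=", 1)[1])
        elif re.fullmatch(r"-O(\d|s|g|fast)?", arg):
            opt = arg[2:] or "1"    # plain -O means -O1; the last -O flag wins
    return level, opt != "0"

def audit(build_log, wanted=3):
    """Return [(line_number, finding)] for compile lines below the wanted level."""
    findings = []
    for number, line in enumerate(build_log.splitlines(), 1):
        if not re.match(r"\s*(gcc|g\+\+|cc|clang)\s", line):
            continue                # not a compile command (assumed name list)
        level, optimized = effective_fortify(line)
        if level is None:
            findings.append((number, "not fortified"))
        elif not optimized:
            findings.append((number, "fortify inactive without optimization"))
        elif level < wanted:
            findings.append((number, f"level {level} below {wanted}"))
    return findings

# Constructed sample build log (not taken from a real Fedora build).
SAMPLE_LOG = """\
gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -c a.c
gcc -O2 -D_FORTIFY_SOURCE=3 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -c b.c
gcc -O0 -D_FORTIFY_SOURCE=3 -c c.c
gcc -O2 -c d.c
ld -o app a.o b.o c.o d.o
"""
```

Calling `audit(SAMPLE_LOG)` reports lines 2, 3 and 4; line 1 passes because the later `-U`/`-D` pair raises the level to 3.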