Review a fix for OpenSSL3 CVE

Joshua Root jmr at
Thu Nov 3 03:43:46 UTC 2022

On 2022-11-3 06:56 , Clemens Lang wrote:
> Speaking of this CVE… we don't actually build with the common set of
> security flags in MacPorts, do we? We should probably look into getting
> the common set -fstack-protector-strong -fstack-clash-protection -fPIE
> (probably not required on modern macOS?) -D_FORTIFY_SOURCE=3
> -fcf-protection=full (on x86_64) and maybe -Wl,-bind_at_load
> -Wl,-read_only_stubs.
> Does anybody have a good overview of what the recommended set of
> security compiler flags is on macOS? Quick testing suggests everything
> but -fstack-protector-strong and -D_FORTIFY_SOURCE is already on by
> default.

_FORTIFY_SOURCE is also on by default since 10.6. 

Though that's set to 2 not 3, it looks like setting it to anything 
higher than 2 does nothing extra in libc at least.

Apple has generally been pretty good about enabling these hardening 
measures. The difficult work would be figuring out on which OS and Xcode 
versions these options can be used and are not already enabled.

- Josh

More information about the macports-dev mailing list