From c8bb97defcf4b0df6150259657c0faf871fe5a1a Mon Sep 17 00:00:00 2001
From: zhangxubo
Date: Tue, 11 Nov 2025 21:29:59 +0800
Subject: [PATCH] fix security compile options #ID5ZE1
---
og-secrity-compile.patch | 124 +++++++++++++++++++++++++++++++++++++++
opengauss-server.spec | 8 ++-
2 files changed, 131 insertions(+), 1 deletion(-)
create mode 100644 og-secrity-compile.patch
diff --git a/og-secrity-compile.patch b/og-secrity-compile.patch
new file mode 100644
index 0000000..8c8cde3
--- /dev/null
+++ b/og-secrity-compile.patch
@@ -0,0 +1,124 @@ +diff -crN '--exclude=.git' openGauss-server-6.0.0/contrib/dolphin/CMakeLists.txt openGauss-server-6.0.0-edit/contrib/dolphin/CMakeLists.txt +*** openGauss-server-6.0.0/contrib/dolphin/CMakeLists.txt 2024-11-27 16:17:55.000000000 +0800 +--- openGauss-server-6.0.0-edit/contrib/dolphin/CMakeLists.txt 2025-11-11 21:21:05.510111300 +0800 +*************** +*** 120,126 **** + add_subdirectory(plugin_catalog) + + set(dolphin_outer_DEF_OPTIONS ${MACRO_OPTIONS}) +! set(dolphin_outer_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${LIB_DOLPHIN_OPTIONS} ${CHECK_OPTIONS}) + set(dolphin_outer_LINK_OPTIONS ${LIB_LINK_OPTIONS}) + AUX_SOURCE_DIRECTORY(${CMAKE_CURRENT_SOURCE_DIR} dolphin_outer_SRC) + list(APPEND dolphin_outer_SRC ${CMAKE_CURRENT_SOURCE_DIR}/plugin_utils/fmgrtab.cpp) +--- 120,126 ---- + add_subdirectory(plugin_catalog) + + set(dolphin_outer_DEF_OPTIONS ${MACRO_OPTIONS}) +! set(dolphin_outer_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${LIB_DOLPHIN_OPTIONS} ${CHECK_OPTIONS} -fstack-protector-strong) + set(dolphin_outer_LINK_OPTIONS ${LIB_LINK_OPTIONS}) + AUX_SOURCE_DIRECTORY(${CMAKE_CURRENT_SOURCE_DIR} dolphin_outer_SRC) + list(APPEND dolphin_outer_SRC ${CMAKE_CURRENT_SOURCE_DIR}/plugin_utils/fmgrtab.cpp) +*************** +*** 153,159 **** + ) + + set(dolphin_DEF_OPTIONS ${MACRO_OPTIONS}) +! set(dolphin_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${LIB_DOLPHIN_OPTIONS} ${CHECK_OPTIONS}) + set(dolphin_LINK_OPTIONS ${LIB_LINK_OPTIONS}) + add_shared_libtarget(dolphin dolphin_objects dolphin_outer_INC "${dolphin_DEF_OPTIONS}" "${dolphin_COMPILE_OPTIONS}" "${dolphin_LINK_OPTIONS}") + set_target_properties(dolphin PROPERTIES PREFIX "") +--- 153,159 ---- + ) + + set(dolphin_DEF_OPTIONS ${MACRO_OPTIONS}) +! 
set(dolphin_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${LIB_DOLPHIN_OPTIONS} ${CHECK_OPTIONS} -fstack-protector-strong) + set(dolphin_LINK_OPTIONS ${LIB_LINK_OPTIONS}) + add_shared_libtarget(dolphin dolphin_objects dolphin_outer_INC "${dolphin_DEF_OPTIONS}" "${dolphin_COMPILE_OPTIONS}" "${dolphin_LINK_OPTIONS}") + set_target_properties(dolphin PROPERTIES PREFIX "") +diff -crN '--exclude=.git' openGauss-server-6.0.0/src/bin/gsqlerr/CMakeLists.txt openGauss-server-6.0.0-edit/src/bin/gsqlerr/CMakeLists.txt +*** openGauss-server-6.0.0/src/bin/gsqlerr/CMakeLists.txt 2024-11-27 16:17:35.000000000 +0800 +--- openGauss-server-6.0.0-edit/src/bin/gsqlerr/CMakeLists.txt 2025-11-12 16:36:34.979782445 +0800 +*************** +*** 11,17 **** + ) + + set(scanEreport_DEF_OPTIONS ${MACRO_OPTIONS}) +! set(scanEreport_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS}) + set(scanEreport_LINK_OPTIONS ${BIN_LINK_OPTIONS}) + set(scanEreport_LINK_LIBS -l${SECURE_C_CHECK}) + if("${ENABLE_MEMORY_CHECK}" STREQUAL "ON") +--- 11,17 ---- + ) + + set(scanEreport_DEF_OPTIONS ${MACRO_OPTIONS}) +! set(scanEreport_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS} -fstack-protector-strong) + set(scanEreport_LINK_OPTIONS ${BIN_LINK_OPTIONS}) + set(scanEreport_LINK_LIBS -l${SECURE_C_CHECK}) + if("${ENABLE_MEMORY_CHECK}" STREQUAL "ON") +*************** +*** 60,66 **** + ) + + set(gsqlerr_DEF_OPTIONS ${MACRO_OPTIONS}) +! set(gsqlerr_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS}) + set(gsqlerr_LINK_OPTIONS ${BIN_LINK_OPTIONS}) + set(gsqlerr_LINK_LIBS -l${SECURE_C_CHECK}) + if("${ENABLE_MEMORY_CHECK}" STREQUAL "ON") +--- 60,66 ---- + ) + + set(gsqlerr_DEF_OPTIONS ${MACRO_OPTIONS}) +! 
set(gsqlerr_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS} -fstack-protector-strong) + set(gsqlerr_LINK_OPTIONS ${BIN_LINK_OPTIONS}) + set(gsqlerr_LINK_LIBS -l${SECURE_C_CHECK}) + if("${ENABLE_MEMORY_CHECK}" STREQUAL "ON") +*************** +*** 70,76 **** + set(gsqlerr_LINK_LIBS ${gsqlerr_LINK_LIBS} -pthread -ldl -lm -lrt) + set(gsqlerr_DEF_OPTIONS ${gsqlerr_DEF_OPTIONS} -D_REENTRANT) + endif() +! add_bintarget(gsqlerr TGT_gsqlerr_SRC TGT_gsqlerr_INC "${gsqlerr_DEF_OPTIONS}" "${gsqlerr_COMPILE_OPTIONS}" "${gsqlerr_LINK_OPTIONS}" "${gsqlerr_LINK_LIBS}") + add_dependencies(gsqlerr scanEreport) + target_link_directories(gsqlerr PUBLIC + ${LIBEDIT_LIB_PATH} ${LIBCGROUP_LIB_PATH} ${SECURE_LIB_PATH} ${KERBEROS_LIB_PATH} ${CMAKE_BINARY_DIR}/lib +--- 70,76 ---- + set(gsqlerr_LINK_LIBS ${gsqlerr_LINK_LIBS} -pthread -ldl -lm -lrt) + set(gsqlerr_DEF_OPTIONS ${gsqlerr_DEF_OPTIONS} -D_REENTRANT) + endif() +! add_bintarget(gsqlerr TGT_gsqlerr_SRC TGT_gsqlerr_INC "${gsqlerr_DEF_OPTIONS}" "${gsqlerr_COMPILE_OPTIONS}" "${gsqlerr_LINK_OPTIONS}" "${gsqlerr_LINK_LIBS}" -fstack-protector-strong) + add_dependencies(gsqlerr scanEreport) + target_link_directories(gsqlerr PUBLIC + ${LIBEDIT_LIB_PATH} ${LIBCGROUP_LIB_PATH} ${SECURE_LIB_PATH} ${KERBEROS_LIB_PATH} ${CMAKE_BINARY_DIR}/lib +diff -crN '--exclude=.git' openGauss-server-6.0.0/src/CMakeLists.txt openGauss-server-6.0.0-edit/src/CMakeLists.txt +*** openGauss-server-6.0.0/src/CMakeLists.txt 2025-11-11 21:19:04.245018147 +0800 +--- openGauss-server-6.0.0-edit/src/CMakeLists.txt 2025-11-12 16:36:49.480869034 +0800 +*************** +*** 178,188 **** + # special + # open source install part + if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON") +- install(DIRECTORY ${KERBEROS_SBIN_PATH}/ DESTINATION bin) +- install(DIRECTORY ${KERBEROS_BIN_PATH} DESTINATION .) + install(DIRECTORY ${KERBEROS_LIB_PATH} DESTINATION .) + endif() +! 
install(DIRECTORY ${ZLIB_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libz.*") + + install(FILES ${XGBOOST_LIB_PATH}/libxgboost.so DESTINATION lib) + # fastcheck part +--- 178,193 ---- + # special + # open source install part + if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON") + install(DIRECTORY ${KERBEROS_LIB_PATH} DESTINATION .) ++ install(PROGRAMS ${KERBEROS_BIN_PATH}/klist DESTINATION bin) ++ install(PROGRAMS ${KERBEROS_BIN_PATH}/kinit DESTINATION bin) ++ install(PROGRAMS ${KERBEROS_BIN_PATH}/kdestroy DESTINATION bin) ++ install(PROGRAMS ${KERBEROS_SBIN_PATH}/kdb5_util DESTINATION bin) ++ install(PROGRAMS ${KERBEROS_SBIN_PATH}/krb5kdc DESTINATION bin) ++ install(PROGRAMS ${KERBEROS_SBIN_PATH}/kadmin.local DESTINATION bin) ++ install(PROGRAMS ${KERBEROS_SBIN_PATH}/kadmind DESTINATION bin) + endif() +! install(DIRECTORY ${ZLIB_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libz.so*") + + install(FILES ${XGBOOST_LIB_PATH}/libxgboost.so DESTINATION lib) + # fastcheck part diff --git a/opengauss-server.spec b/opengauss-server.spec index 8a4c7fe..92eb222 100755 --- a/opengauss-server.spec +++ b/opengauss-server.spec @@ -13,7 +13,7 @@ Name: opengauss Version: 6.0.0 -Release: 24 +Release: 25 Summary: openGauss is an open source relational database management system License: MulanPSL-2.0 and MIT and BSD and zlib and TCL and Apache-2.0 and BSL-1.0 URL: https://gitee.com/opengauss/openGauss-server @@ -41,6 +41,7 @@ Patch3: og-security.patch Patch4: og-syntax.patch Patch5: og-riscv64-support.patch Patch6: og-dolphin.patch +Patch7: og-secrity-compile.patch Patch11: zlib.patch Patch12: zlib-CVE-2022-37434.patch Patch21: krb5-backport-Add-a-simple-DER-support-header.patch @@ -89,6 +90,7 @@ pushd openGauss-server-%{version} %patch -P4 -p1 %patch -P5 -p1 %patch -P6 -p1 +%patch -P7 -p1 popd pushd %{zlib_name}-%{zlib_version} 
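Review bot: In the src/bin/gsqlerr/CMakeLists.txt part of the new patch, `-fstack-protector-strong` is passed to `add_bintarget(gsqlerr …)` as an extra trailing argument after `"${gsqlerr_LINK_LIBS}"`, although `gsqlerr_COMPILE_OPTIONS` was already given the flag a few lines earlier. `add_bintarget` is defined outside this diff, so it cannot be told from here whether the extra argument is ignored or misread. If the flag is wanted at link time it belongs in `gsqlerr_LINK_OPTIONS`; otherwise the call should end at `"${gsqlerr_LINK_LIBS}")` as before. The four `set(*_COMPILE_OPTIONS … ${CHECK_OPTIONS} -fstack-protector-strong)` lines (dolphin_outer, dolphin, scanEreport, gsqlerr) append the flag after `${PROTECT_OPTIONS}`, and the last stack-protector option on a compiler command line wins, so this would override a stricter `-fstack-protector-all` if that variable sets one. It is worth checking the definition of `PROTECT_OPTIONS` and, if possible, setting the flag there once rather than per target.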
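Review bot: The patch registered at `Patch7:` is named `og-secrity-compile.patch`, which misspells "security", while the existing `Patch3:` entry is `og-security.patch`. Renaming the new file to `og-security-compile.patch`, here and where the commit creates it, keeps the security patches findable with a single search. The `%patch -P7 -p1` line refers to the patch by number and needs no change.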
@@ -224,6 +226,7 @@ sed -i '/"$BIN_DIR\/gaussdb\.map"/d' ./separate_debug_information.sh ./separate_debug_information.sh rm -rf ${opengauss_source_dir}/mppdb_temp_install/packages rm -rf ${opengauss_source_dir}/mppdb_temp_install/symbols +rm -rf ${opengauss_source_dir}/mppdb_temp_install/bin/gsqlerr # package os_name=$(cat /etc/os-release | grep -w NAME | awk -F '"' '{print $2}') @@ -482,6 +485,9 @@ fi %changelog +* Tue Nov 11 2025 zhangxubo - 6.0.0-25 +- fix issue #ID5ZE1 security compile options. + * Wed Mar 12 2025 Funda Wang - 6.0.0-24 - fix build with cmake 4.0 -- Gitee
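Review bot: The added `rm -rf ${opengauss_source_dir}/mppdb_temp_install/bin/gsqlerr` removes the gsqlerr binary from the packaged tree without a comment, and the changelog entry only mentions compile options. A line such as `# gsqlerr is not shipped: <reason>` above it would tell the next maintainer why. Because the path is a single file, `rm -f "${opengauss_source_dir}/mppdb_temp_install/bin/gsqlerr"` (quoted, non-recursive) is enough. If the binary is dropped because it still fails a hardening scan, the `-fstack-protector-strong` edits to gsqlerr in Patch7 reach no shipped artifact, which is worth confirming. The build script section this line sits in starts and ends outside the hunk.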