Bug 725657

Summary: net-snmp should be compiled with relro
Product: Red Hat Enterprise Linux 6
Component: net-snmp
Version: 6.1
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: high
Target Milestone: rc
Reporter: Jan Safranek <jsafrane>
Assignee: Jan Safranek <jsafrane>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: ksrot, ovasik
Doc Type: Bug Fix
Doc Text: In this update, the Net-SNMP daemons, binaries and shared libraries are compiled with full RELRO for better security.
Last Closed: 2011-12-06 17:12:14 UTC
Bug Blocks: 743047

Description Jan Safranek 2011-07-26 08:15:38 UTC
Description of problem:
Steve Grubb's mighty check shows that net-snmp is not compiled with relro.

Version-Release number of selected component (if applicable):
net-snmp-5.5-31.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. download http://people.redhat.com/sgrubb/files/rpm-chksec
2. yum install net-snmp net-snmp-perl net-snmp-utils
3. for i in net-snmp{,-libs,-utils,-perl}; do ./rpm-chksec $i; done
  
Actual results:
something is red

Expected results:
everything is green

Comment 3 Jan Safranek 2011-08-11 12:25:24 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
In this update, the Net-SNMP daemons, binaries and shared libraries are compiled with full RELRO for better security.

Comment 6 Karel Srot 2011-08-30 07:54:54 UTC
Some items are still red with net-snmp-5.5-35.el6.x86_64:

[root@rhel61a ~]# for i in net-snmp{,-libs,-utils,-perl,-python}; do ./rpm-chksec $i; done
FILE                                                    TYPE      RELRO    PIE 
/usr/sbin/snmpd                                         daemon    full     yes 
/usr/sbin/snmptrapd                                     daemon    full     yes 
FILE                                                    TYPE      RELRO    PIE 
/usr/lib64/libnetsnmp.so.20.0.0                         library   full     DSO 
/usr/lib64/libnetsnmpagent.so.20.0.0                    library   full     DSO 
/usr/lib64/libnetsnmphelpers.so.20.0.0                  library   full     DSO 
/usr/lib64/libnetsnmpmibs.so.20.0.0                     library   full     DSO 
/usr/lib64/libnetsnmptrapd.so.20.0.0                    library   full     DSO 
/usr/lib64/libsnmp.so.20.0.0                            library   full     DSO 
FILE                                                    TYPE      RELRO    PIE 
/usr/bin/encode_keychange                               exec      full     no  
/usr/bin/snmpbulkget                                    exec      full     no  
/usr/bin/snmpbulkwalk                                   exec      full     no  
/usr/bin/snmpdelta                                      exec      full     no  
/usr/bin/snmpdf                                         exec      full     no  
/usr/bin/snmpget                                        exec      full     no  
/usr/bin/snmpgetnext                                    exec      full     no  
/usr/bin/snmpnetstat                                    exec      full     no  
/usr/bin/snmpset                                        exec      full     no  
/usr/bin/snmpstatus                                     exec      full     no  
/usr/bin/snmptable                                      exec      full     no  
/usr/bin/snmptest                                       exec      full     no  
/usr/bin/snmptranslate                                  exec      full     no  
/usr/bin/snmptrap                                       exec      full     no  
/usr/bin/snmpusm                                        exec      full     no  
/usr/bin/snmpvacm                                       exec      full     no  
/usr/bin/snmpwalk                                       exec      full     no  
FILE                                                    TYPE      RELRO    PIE 
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/ASN/ASN.so    library   no       DSO 
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/OID/OID.so    library   no       DSO 
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/TrapReceiver/TrapReceiver.solibrary   no       DSO 
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/agent/agent.solibrary   no       DSO 
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/agent/default_store/default_store.solibrary   no       DSO 
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/default_store/default_store.solibrary   no       DSO 
/usr/lib64/perl5/vendor_perl/auto/SNMP/SNMP.so          library   no       DSO 
FILE                                                    TYPE      RELRO    PIE 
/usr/lib64/python2.6/site-packages/netsnmp/client_intf.solibrary   no       DSO

Comment 7 Jan Safranek 2011-08-31 15:00:31 UTC
(In reply to comment #6)
> FILE                                                    TYPE      RELRO    PIE 
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/ASN/ASN.so    library   no       DSO 
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/OID/OID.so    library   no       DSO 
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/TrapReceiver/TrapReceiver.solibrary  
> no       DSO 
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/agent/agent.solibrary   no       DSO 
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/agent/default_store/default_store.solibrary
>   no       DSO 
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/default_store/default_store.solibrary
>   no       DSO 
> /usr/lib64/perl5/vendor_perl/auto/SNMP/SNMP.so          library   no       DSO 
> FILE                                                    TYPE      RELRO    PIE 
> /usr/lib64/python2.6/site-packages/netsnmp/client_intf.solibrary   no       DSO

Perl and Python modules take LDFLAGS from net-snmp-config, which does not contain relro options... Recompilation is necessary.

Comment 8 Karel Srot 2011-09-06 10:48:21 UTC
Retested with net-snmp-5.5-36.el6; there are two libs remaining without relro.

/usr/lib/perl5/vendor_perl/auto/NetSNMP/agent/default_store/default_store.solibrary   no       DSO
/usr/lib/python2.6/site-packages/netsnmp/client_intf.so library   no       DSO

Comment 10 Karel Srot 2011-09-09 13:39:39 UTC
Switching back to ASSIGNED based on #c8.

Comment 12 errata-xmlrpc 2011-12-06 17:12:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1524.html