Red Hat Bugzilla – Bug 1264033
Partial RELRO for exim
Last modified: 2015-09-18 12:15:12 EDT
Description of problem: FESCo requires some packages to use PIE and relro hardening by default. This page contains that list: https://fedoraproject.org/wiki/Hardened_Packages A few exim packages use only Partial RELRO instead of Full RELRO. Please comment if this is acceptable or should be changed ? ---------- exim-4.86-1.fc24.src.rpm /mnt/fedora/Packages/e/exim-mon-4.86-1.fc24.x86_64.rpm RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Partial RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH ./usr/sbin/eximon.bin ---------- exim-4.86-1.fc24.src.rpm /mnt/fedora/Packages/e/exim-mysql-4.86-1.fc24.x86_64.rpm RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Partial RELRO Canary found NX enabled DSO No RPATH No RUNPATH ./usr/lib64/exim/4.86-1.fc24/lookups/mysql.so ---------- exim-4.86-1.fc24.src.rpm /mnt/fedora/Packages/e/exim-pgsql-4.86-1.fc24.x86_64.rpm RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Partial RELRO Canary found NX enabled DSO No RPATH No RUNPATH ./usr/lib64/exim/4.86-1.fc24/lookups/pgsql.so Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
I am taking it. I think it's enough to do full RELRO on the exim daemon and not on all support binaries (could affect performance, so probably better to keep them partial RELRO). So fixing it this way. If you think it's not enough, let me know, but it would require patching of the exim buildscripts.