Description of problem:
Steve Grubb's mighty check shows that net-snmp is not compiled with relro.

Version-Release number of selected component (if applicable):
net-snmp-5.5-31.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. download http://people.redhat.com/sgrubb/files/rpm-chksec
2. yum install net-snmp net-snmp-perl net-snmp-utils
3. for i in net-snmp{,-libs,-utils,-perl}; do ./rpm-chksec $i; done

Actual results:
something is red

Expected results:
everything is green
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
In this update, the Net-SNMP daemons, binaries and shared libraries are compiled with full RELRO for better security.
some items are still red with net-snmp-5.5-35.el6.x86_64

[root@rhel61a ~]# for i in net-snmp{,-libs,-utils,-perl,-python}; do ./rpm-chksec $i; done
FILE TYPE RELRO PIE
/usr/sbin/snmpd daemon full yes
/usr/sbin/snmptrapd daemon full yes
FILE TYPE RELRO PIE
/usr/lib64/libnetsnmp.so.20.0.0 library full DSO
/usr/lib64/libnetsnmpagent.so.20.0.0 library full DSO
/usr/lib64/libnetsnmphelpers.so.20.0.0 library full DSO
/usr/lib64/libnetsnmpmibs.so.20.0.0 library full DSO
/usr/lib64/libnetsnmptrapd.so.20.0.0 library full DSO
/usr/lib64/libsnmp.so.20.0.0 library full DSO
FILE TYPE RELRO PIE
/usr/bin/encode_keychange exec full no
/usr/bin/snmpbulkget exec full no
/usr/bin/snmpbulkwalk exec full no
/usr/bin/snmpdelta exec full no
/usr/bin/snmpdf exec full no
/usr/bin/snmpget exec full no
/usr/bin/snmpgetnext exec full no
/usr/bin/snmpnetstat exec full no
/usr/bin/snmpset exec full no
/usr/bin/snmpstatus exec full no
/usr/bin/snmptable exec full no
/usr/bin/snmptest exec full no
/usr/bin/snmptranslate exec full no
/usr/bin/snmptrap exec full no
/usr/bin/snmpusm exec full no
/usr/bin/snmpvacm exec full no
/usr/bin/snmpwalk exec full no
FILE TYPE RELRO PIE
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/ASN/ASN.so library no DSO
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/OID/OID.so library no DSO
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/TrapReceiver/TrapReceiver.solibrary no DSO
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/agent/agent.solibrary no DSO
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/agent/default_store/default_store.solibrary no DSO
/usr/lib64/perl5/vendor_perl/auto/NetSNMP/default_store/default_store.solibrary no DSO
/usr/lib64/perl5/vendor_perl/auto/SNMP/SNMP.so library no DSO
FILE TYPE RELRO PIE
/usr/lib64/python2.6/site-packages/netsnmp/client_intf.solibrary no DSO
(In reply to comment #6)
> FILE TYPE RELRO PIE
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/ASN/ASN.so library no DSO
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/OID/OID.so library no DSO
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/TrapReceiver/TrapReceiver.solibrary
> no DSO
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/agent/agent.solibrary no DSO
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/agent/default_store/default_store.solibrary
> no DSO
> /usr/lib64/perl5/vendor_perl/auto/NetSNMP/default_store/default_store.solibrary
> no DSO
> /usr/lib64/perl5/vendor_perl/auto/SNMP/SNMP.so library no DSO
> FILE TYPE RELRO PIE
> /usr/lib64/python2.6/site-packages/netsnmp/client_intf.solibrary no DSO

Perl and python modules take LDFLAGS from net-snmp-config, which does not contain relro options... Recompilation is necessary.
retested with net-snmp-5.5-36.el6, there are two libs remaining without relro.

/usr/lib/perl5/vendor_perl/auto/NetSNMP/agent/default_store/default_store.solibrary no DSO
/usr/lib/python2.6/site-packages/netsnmp/client_intf.so library no DSO
switching back to ASSIGNED based on #c8.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1524.html