Description of problem:
The cyrus-sasl-lib package contains libraries. We would like them to be built with
partial RELRO support as a security enhancement.
Partial RELRO requires these passed at link: -Wl,-z,relro
You can fix this by patching the Makefiles to add this link flag to LDFLAGS or you might be able to simply add LDFLAGS="$LDFLAGS -Wl,-z,relro" to the configure line in the rpm's spec file. You will have to test the built packages to ensure the flags are properly passed all the way to the end of build. It does not hurt anything if the package contains applications that pick up partial relro support, too.
You can test the resulting package for compliance with this program:
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
Jan, there are some executables that are not yet even partial RELRO, also DSO is missing in one case. Is this expected? And if so, why pls?
:: [ FAIL ] :: Check if all executables/libraries support RELRO - partial or full in cyrus-sasl (Expected 1, got 0)
/usr/sbin/pluginviewer exec no no
/usr/sbin/saslauthd daemon no no
/usr/sbin/testsaslauthd exec no no
:: [ FAIL ] :: Check if all executables/libraries support RELRO - partial or full in cyrus-sasl-lib (Expected 1, got 0)
/usr/lib64/sasl2/libanonymous.so.2.0.23 library partial DSO
/usr/sbin/sasldblistusers2 exec no no
/usr/sbin/saslpasswd2 exec no no
Miro, only libraries should have relro! Look at bugzilla name!
*** Bug 642928 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.