Bug 727274 - Request to recompile libraries with -Wl,-z,relro flags
Summary: Request to recompile libraries with -Wl,-z,relro flags
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: cyrus-sasl
Version: 6.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Jan F. Chadima
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
: 642928 (view as bug list)
Depends On:
Blocks: RHEL62CCC 727296 846801 846802
TreeView+ depends on / blocked
 
Reported: 2011-08-01 17:51 UTC by Irina Boverman
Modified: 2012-08-08 18:29 UTC (History)
4 users (show)

Fixed In Version: cyrus-sasl-2.1.23-9.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1189204 (view as bug list)
Environment:
Last Closed: 2011-12-06 17:02:17 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1687 0 normal SHIPPED_LIVE cyrus-sasl bug fix and enhancement update 2011-12-06 00:49:58 UTC

Description Irina Boverman 2011-08-01 17:51:02 UTC 
Description of problem:

The cyrus-sasl-lib package contains libraries. We would like them to be built with
partial RELRO support as a security enhancement.

Additional info:

Partial RELRO requires these passed at link: -Wl,-z,relro
You can fix this by patching the Makefiles to add this link flag to LDFLAGS or you might be able to simply add LDFLAGS="$LDFLAGS -Wl,-z,relro" to the configure line in the rpm's spec file. You will have to test the built packages to ensure the flags are properly passed all the way to the end of build. It does not hurt anything if the package contains applications that pick up partial relro support, too.

You can test the resulting package for compliance with this program:
http://people.redhat.com/sgrubb/files/rpm-chksec
Comment 2 RHEL Program Management 2011-08-01 18:08:29 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.
Comment 4 Miroslav Vadkerti 2011-08-11 13:04:49 UTC 
Jan, there are some executables that are not yet even partial RELRO, also DSO is missing in one case. Is this expected? And if so, why pls?

:: [   FAIL   ] :: Check if all executables/libraries support RELRO - partial or full in cyrus-sasl (Expected 1, got 0)
/usr/sbin/pluginviewer                                  exec      no       no  
/usr/sbin/saslauthd                                     daemon    no       no  
/usr/sbin/testsaslauthd                                 exec      no       no  

:: [   FAIL   ] :: Check if all executables/libraries support RELRO - partial or full in cyrus-sasl-lib (Expected 1, got 0)
/usr/lib64/sasl2/libanonymous.so.2.0.23                 library   partial  DSO 
/usr/sbin/sasldblistusers2                              exec      no       no  
/usr/sbin/saslpasswd2                                   exec      no       no
Comment 5 Jan F. Chadima 2011-08-11 19:52:12 UTC 
Miro, only libraries should have relro! Look at bugzilla name!
Comment 8 Jan F. Chadima 2011-08-14 06:30:50 UTC 
*** Bug 642928 has been marked as a duplicate of this bug. ***
Comment 16 errata-xmlrpc 2011-12-06 17:02:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1687.html
Note You need to log in before you can comment on or make changes to this bug.