Red Hat Bugzilla – Bug 838606
enable PIE and RELRO in cifs-utils binaries
Last modified: 2015-01-04 18:03:02 EST
Andreas got some errata tool package check warnings today when he was updating cifs-utils in the RHEL5 samba3x package:
07:14 <@asn> BAD samba3x-client File /sbin/mount.cifs lost GNU_RELRO security protection on i386 x86_64 ppc ppc64 s390 s390x
07:14 <@asn> BAD samba3x-client PIE regression for file sbin/mount.cifs on all architectures
07:14 <@asn> BAD samba3x-client File /usr/sbin/cifs.upcall lost GNU_RELRO security protection on i386 x86_64 ppc ppc64 s390 s390x
07:14 <@asn> BAD samba3x-client PIE regression for file usr/sbin/cifs.upcall on all architectures
It looks like we're not taking advantage of all of the handy compiler/linker features to make these binaries as safe as possible. In particular, we ought to enable PIE and RELRO support in them.
I've sent a patch upstream to add support for this there and we ought to pull this into RHEL6 as well. Note that we don't have any reason to believe that there is any specific vulnerability here, but it's sensible to enable these proactively.
Fixed in cifs-utils-4.8.1-11.el6.
Reproduced in cifs-utils-4.8.1-10.el6.x86_64 and verified in cifs-utils-4.8.1-11.el6.x86_64.
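One way to check a binary for the two properties the errata tool flagged, as an added example that is not part of the original bug report or of cifs-utils. `check_hardening` and `build_sample` are hypothetical names, the sample images are constructed, and the check goes beyond the page by separating partial RELRO from full RELRO (RELRO plus immediate binding).

```python
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 2, 3, 2, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_hardening(elf: bytes) -> dict:
    """PIE (e_type ET_DYN, also true of shared objects) and RELRO; 32/64-bit, LE/BE."""
    if elf[:4] != b"\x7fELF" or elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("not a supported ELF image")
    is64, e = elf[4] == 2, "<" if elf[5] == 1 else ">"
    e_type, = struct.unpack_from(e + "H", elf, 16)
    phoff, = struct.unpack_from(e + ("Q" if is64 else "I"), elf, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(e + "HH", elf, 54 if is64 else 42)
    relro = bind_now = False
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
            p_type, _, p_off, _, _, p_filesz = struct.unpack_from(e + "IIQQQQ", elf, base)
        else:     # Elf32_Phdr: type, offset, vaddr, paddr, filesz
            p_type, p_off, _, _, p_filesz = struct.unpack_from(e + "IIIII", elf, base)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn, size = elf[p_off:p_off + p_filesz], 16 if is64 else 8
            for tag, val in struct.iter_unpack(e + ("QQ" if is64 else "II"), dyn[:len(dyn) // size * size]):
                if tag == 0:  # DT_NULL terminates the dynamic array
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    return {"pie": e_type == ET_DYN,
            "relro": "full" if relro and bind_now else "partial" if relro else "none"}

def build_sample(pie, relro, now, is64=True, e="<"):
    """Constructed headers-only ELF image for the demo (not a real cifs-utils binary)."""
    w, ehsize, phsize = ("Q", 64, 56) if is64 else ("I", 52, 32)
    dyn = (struct.pack(e + w + w, DT_FLAGS, DF_BIND_NOW) if now else b"") + struct.pack(e + w + w, 0, 0)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1 if e == "<" else 2, 1]) + bytes(9)
    hdr = ident + struct.pack(e + "HHI" + 3 * w + "I6H", ET_DYN if pie else ET_EXEC, 0, 1,
                              0, ehsize, 0, 0, ehsize, phsize, 2, 0, 0, 0)
    def phdr(t, off, n):  # field order differs between Elf64_Phdr and Elf32_Phdr
        return struct.pack(e + "II6Q", t, 4, off, 0, 0, n, n, 8) if is64 else \
               struct.pack(e + "8I", t, off, 0, 0, n, n, 4, 8)
    return (hdr + phdr(PT_DYNAMIC, ehsize + 2 * phsize, len(dyn))
            + phdr(PT_GNU_RELRO if relro else 0, 0, 0) + dyn)

if __name__ == "__main__":
    for args in ((False, False, False), (True, True, True)):
        print(args, check_hardening(build_sample(*args)))
```

On an installed system the same function can be pointed at a real file, for example `check_hardening(open("/sbin/mount.cifs", "rb").read())`.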
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.