[dhcp] Hardening dhcpd/dhcrelay/dhclient by making them PIE & RELRO

Jiří Popelka jpopelka at fedoraproject.org
Tue Sep 7 15:49:03 UTC 2010


commit 1a731ce50f310aa8084d5c6838334fa9ede3b591
Author: Jiri Popelka <jpopelka at redhat.com>
Date:   Tue Sep 7 17:20:06 2010 +0200

    Hardening dhcpd/dhcrelay/dhclient by making them PIE & RELRO

 dhcp-4.2.0-PIE-RELRO.patch |   35 +++++++++++++++++++++++++++++++++++
 dhcp.spec                  |   12 ++++++++++--
 2 files changed, 45 insertions(+), 2 deletions(-)
---
diff --git a/dhcp-4.2.0-PIE-RELRO.patch b/dhcp-4.2.0-PIE-RELRO.patch
new file mode 100644
index 0000000..5805fd2
--- /dev/null
+++ b/dhcp-4.2.0-PIE-RELRO.patch
@@ -0,0 +1,35 @@
+diff -up dhcp-4.2.0/client/Makefile.am.PIE-RELRO dhcp-4.2.0/client/Makefile.am
+--- dhcp-4.2.0/client/Makefile.am.PIE-RELRO	2010-09-07 17:22:32.000000000 +0200
++++ dhcp-4.2.0/client/Makefile.am	2010-09-07 17:23:08.000000000 +0200
+@@ -6,6 +6,8 @@ dhclient_SOURCES = clparse.c dhclient.c 
+ 		   scripts/solaris scripts/openwrt
+ dhclient_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \
+ 		 ../bind/lib/libdns.a ../bind/lib/libisc.a $(CAPNG_LDADD)
++dhclient_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
++
+ man_MANS = dhclient.8 dhclient-script.8 dhclient.conf.5 dhclient.leases.5
+ EXTRA_DIST = $(man_MANS)
+ 
+diff -up dhcp-4.2.0/relay/Makefile.am.PIE-RELRO dhcp-4.2.0/relay/Makefile.am
+--- dhcp-4.2.0/relay/Makefile.am.PIE-RELRO	2009-10-28 05:12:30.000000000 +0100
++++ dhcp-4.2.0/relay/Makefile.am	2010-09-07 17:23:38.000000000 +0200
+@@ -4,6 +4,8 @@ sbin_PROGRAMS = dhcrelay
+ dhcrelay_SOURCES = dhcrelay.c
+ dhcrelay_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \
+ 		 ../bind/lib/libdns.a ../bind/lib/libisc.a
++dhcrelay_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
++
+ man_MANS = dhcrelay.8
+ EXTRA_DIST = $(man_MANS)
+ 
+diff -up dhcp-4.2.0/server/Makefile.am.PIE-RELRO dhcp-4.2.0/server/Makefile.am
+--- dhcp-4.2.0/server/Makefile.am.PIE-RELRO	2010-03-24 22:49:47.000000000 +0100
++++ dhcp-4.2.0/server/Makefile.am	2010-09-07 17:24:08.000000000 +0200
+@@ -10,6 +10,7 @@ dhcpd_CFLAGS = $(LDAP_CFLAGS)
+ dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \
+ 	      ../dhcpctl/libdhcpctl.a ../bind/lib/libdns.a \
+ 	      ../bind/lib/libisc.a
++dhcpd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
+ 
+ man_MANS = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5
+ EXTRA_DIST = $(man_MANS)
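Review bot: The three `*_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now` lines cover only the link step, so the hardening holds only if every object pulled in through `*_LDADD` was compiled position-independent, including the bundled `../bind/lib/libdns.a` and `../bind/lib/libisc.a`. Whether the spec's CFLAGS reach the bind sub-build is not visible from this patch. If they do not, the link may fail on some architectures or succeed with text relocations on others, which forces the loader to make text pages writable while relocating and undercuts the change. I would add a post-build check to the spec that fails the build when the result is not as intended, for example `for b in server/dhcpd relay/dhcrelay client/dhclient; do readelf -d $b | grep -q TEXTREL && exit 1; readelf -d $b | grep -q BIND_NOW || exit 1; done`.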
diff --git a/dhcp.spec b/dhcp.spec
index 6374e9c..c3b4e7c 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -7,7 +7,7 @@
 Summary:  Dynamic host configuration protocol software
 Name:     dhcp
 Version:  4.2.0
-Release:  6%{?dist}
+Release:  7%{?dist}
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now.  It should have never been used, but it was.
@@ -54,6 +54,7 @@ Patch25:  dhcp-4.2.0-release6-elapsed.patch
 Patch26:  dhcp-4.2.0-initialization-delay.patch
 Patch27:  dhcp-4.2.0-parse_date.patch
 Patch28:  dhcp-4.2.0-rfc3442-classless-static-routes.patch
+Patch29:  dhcp-4.2.0-PIE-RELRO.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf
@@ -189,6 +190,7 @@ libdhcpctl and libomapi static libraries are also included in this package.
 %patch18 -p1 -b .dracut
 
 # Ensure 64-bit platforms parse lease file dates & times correctly (#448615)
+# (Partly submitted to dhcp-bugs at isc.org - [ISC-Bugs #22033])
 %patch19 -p1 -b .64-bit_lease_parse
 
 # Drop unnecessary capabilities in dhclient (#517649, #546765)
@@ -229,6 +231,9 @@ libdhcpctl and libomapi static libraries are also included in this package.
 # RFC 3442 - Classless Static Route Option for DHCPv4 (#516325)
 %patch28 -p1 -b .rfc3442
 
+# hardening dhcpd/dhcrelay/dhclient by making them PIE & RELRO
+%patch29 -p1 -b .PIE-RELRO
+
 # Copy in the Fedora/RHEL dhclient script
 %{__install} -p -m 0755 %{SOURCE4} client/scripts/linux
 %{__install} -p -m 0644 %{SOURCE5} .
@@ -281,7 +286,7 @@ done
 %build
 autoreconf --verbose --force --install
 
-CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -D_GNU_SOURCE" \
+CFLAGS="%{optflags} -fno-strict-aliasing -fPIE -D_GNU_SOURCE" \
 %configure \
     --with-srv-lease-file=%{_localstatedir}/lib/dhcpd/dhcpd.leases \
     --with-srv6-lease-file=%{_localstatedir}/lib/dhcpd/dhcpd6.leases \
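Review bot: Switching the global CFLAGS from `-fPIC` to `-fPIE` also changes how the shipped static libraries are compiled, since the spec's own description says "libdhcpctl and libomapi static libraries are also included in this package". Objects built with `-fPIE` are only guaranteed to link into executables, so a consumer that links `libdhcpctl.a` or `libomapi.a` into a shared object could start failing; whether any consumer does so is not visible here. `-fPIC` objects link fine under `-pie`, so keeping `CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -D_GNU_SOURCE"` would give the same PIE daemons without narrowing what the archives can be used for. If `-fPIE` is kept for the small code-size gain, a comment such as `# -fPIE: static libs in -devel are usable for executables only` above the line would record the trade-off. The `%configure` invocation continues past the end of this hunk.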
@@ -510,6 +515,9 @@ fi
 %attr(0644,root,root) %{_mandir}/man3/omapi.3.gz
 
 %changelog
+* Tue Sep 7 2010 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.0-7
+- Hardening dhcpd/dhcrelay/dhclient by making them PIE & RELRO
+
 * Thu Sep 2 2010 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.0-6
 - Another fix for handling time values on 64-bit platforms (#628258)
 

