[dhcp/f13/master] Hardening dhcpd/dhcrelay/dhclient by making them PIE & RELRO

Jiří Popelka jpopelka at fedoraproject.org
Tue Sep 7 16:04:08 UTC 2010


commit e3a844a5558c2609f702e20d5b4a09b6204bff95
Author: Jiri Popelka <jpopelka at redhat.com>
Date:   Tue Sep 7 17:33:33 2010 +0200

    Hardening dhcpd/dhcrelay/dhclient by making them PIE & RELRO

 dhcp-4.1.1-P1-PIE-RELRO.patch |   35 +++++++++++++++++++++++++++++++++++
 dhcp.spec                     |   11 +++++++++--
 2 files changed, 44 insertions(+), 2 deletions(-)
---
diff --git a/dhcp-4.1.1-P1-PIE-RELRO.patch b/dhcp-4.1.1-P1-PIE-RELRO.patch
new file mode 100644
index 0000000..e8f394f
--- /dev/null
+++ b/dhcp-4.1.1-P1-PIE-RELRO.patch
@@ -0,0 +1,35 @@
+diff -up dhcp-4.1.1-P1/client/Makefile.am.PIE-RELRO dhcp-4.1.1-P1/client/Makefile.am
+--- dhcp-4.1.1-P1/client/Makefile.am.PIE-RELRO	2010-09-03 16:52:34.000000000 +0200
++++ dhcp-4.1.1-P1/client/Makefile.am	2010-09-03 16:54:45.193275762 +0200
+@@ -6,6 +6,8 @@ dhclient_SOURCES = clparse.c dhclient.c 
+ 		   scripts/solaris scripts/openwrt
+ dhclient_LDADD = ../common/libdhcp.a ../minires/libres.a \
+ 		 ../omapip/libomapi.a ../dst/libdst.a $(CAPNG_LDADD)
++dhclient_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
++
+ man_MANS = dhclient.8 dhclient-script.8 dhclient.conf.5 dhclient.leases.5
+ EXTRA_DIST = $(man_MANS)
+ 
+diff -up dhcp-4.1.1-P1/relay/Makefile.am.PIE-RELRO dhcp-4.1.1-P1/relay/Makefile.am
+--- dhcp-4.1.1-P1/relay/Makefile.am.PIE-RELRO	2008-06-13 02:55:53.000000000 +0200
++++ dhcp-4.1.1-P1/relay/Makefile.am	2010-09-03 16:54:40.680276341 +0200
+@@ -3,6 +3,8 @@ AM_CPPFLAGS = -DLOCALSTATEDIR='"@localst
+ sbin_PROGRAMS = dhcrelay
+ dhcrelay_SOURCES = dhcrelay.c
+ dhcrelay_LDADD = ../common/libdhcp.a ../omapip/libomapi.a ../dst/libdst.a ../minires/libres.a
++dhcrelay_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
++
+ man_MANS = dhcrelay.8
+ EXTRA_DIST = $(man_MANS)
+ 
+diff -up dhcp-4.1.1-P1/server/Makefile.am.PIE-RELRO dhcp-4.1.1-P1/server/Makefile.am
+--- dhcp-4.1.1-P1/server/Makefile.am.PIE-RELRO	2010-09-03 16:52:33.014269279 +0200
++++ dhcp-4.1.1-P1/server/Makefile.am	2010-09-03 16:54:37.354284369 +0200
+@@ -9,6 +9,7 @@ dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c c
+ dhcpd_CFLAGS = $(LDAP_CFLAGS) $(LDAPSSL_CFLAGS)
+ dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.a ../minires/libres.a \
+ 	      ../dhcpctl/libdhcpctl.a ../dst/libdst.a $(LDAP_LIBS)
++dhcpd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
+ 
+ man_MANS = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5
+ EXTRA_DIST = $(man_MANS)
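Review bot: The three added `*_LDFLAGS` lines (client, relay and server Makefile.am) carry no comment, yet they depend on something set elsewhere. `-pie` only links cleanly when every object and every static archive in the matching `*_LDADD` was compiled position-independent, and this package arranges that through `CFLAGS` in dhcp.spec rather than in the Makefiles. I would add a comment above each line such as `# PIE + full RELRO (-z relro -z now); needs -fPIE/-fPIC objects, see CFLAGS in dhcp.spec`. Automake also lets a per-target `_LDFLAGS` replace `AM_LDFLAGS`, so if any of these Makefiles sets `AM_LDFLAGS` outside the visible context, writing `$(AM_LDFLAGS) -pie -Wl,-z,relro -Wl,-z,now` would keep it.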
diff --git a/dhcp.spec b/dhcp.spec
index a64cece..daa65f0 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -15,7 +15,7 @@
 Summary:  Dynamic host configuration protocol software
 Name:     dhcp
 Version:  4.1.1
-Release:  24.%{patchver}%{?dist}
+Release:  25.%{patchver}%{?dist}
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now.  It should have never been used, but it was.
@@ -62,6 +62,7 @@ Patch24:  %{name}-4.1.1-retransmission.patch
 Patch25:  %{name}-4.1.1-release6-elapsed.patch
 Patch26:  %{name}-4.1.1-initialization-delay.patch
 Patch27:  %{name}-4.1.1-P1-parse_date.patch
+Patch28:  %{name}-4.1.1-P1-PIE-RELRO.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf
@@ -243,6 +244,9 @@ libdhcpctl and libomapi static libraries are also included in this package.
 # (Submitted to dhcp-bugs at isc.org - [ISC-Bugs #21501])
 %patch27 -p1 -b .parse_date
 
+# Make dhcpd/dhcrelay/dhclient PIE and RELRO
+%patch28 -p1 -b .PIE-RELRO
+
 # Copy in documentation and example scripts for LDAP patch to dhcpd
 %{__install} -p -m 0755 ldap-for-dhcp-%{ldappatchver}/dhcpd-conf-to-ldap contrib/
 
@@ -302,7 +306,7 @@ autoheader
 automake --foreign --add-missing --copy
 
 %build
-CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -D_GNU_SOURCE" \
+CFLAGS="%{optflags} -fno-strict-aliasing -fPIE -D_GNU_SOURCE" \
 %configure \
     --enable-dhcpv6 \
     --with-srv-lease-file=%{_localstatedir}/lib/dhcpd/dhcpd.leases \
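Review bot: Replacing `-fPIC` with `-fPIE` in the global `CFLAGS` also changes how libdhcpctl.a and libomapi.a are compiled, and the spec's own description (visible in an earlier hunk header) says these static libraries are shipped in the package. Objects built with `-fPIE` are meant for executables only, so a consumer that links those archives into a shared object could now fail at link time or pick up text relocations; whether any such consumer exists cannot be told from this diff. `-fPIC` objects link into a `-pie` executable without trouble, so keeping `CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -D_GNU_SOURCE"` would still give PIE binaries while leaving the archives usable. A `readelf -h` / `readelf -d` check on the built dhcpd, dhcrelay and dhclient (type DYN, BIND_NOW present, no TEXTREL) would catch the hardening silently regressing in a later build. The `%configure` invocation continues outside the hunk.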
@@ -528,6 +532,9 @@ fi
 %attr(0644,root,root) %{_mandir}/man3/omapi.3.gz
 
 %changelog
+* Tue Sep 07 2010 Jiri Popelka <jpopelka at redhat.com> - 12:4.1.1-25.P1
+- Hardening dhcpd/dhcrelay/dhclient by making them PIE & RELRO
+
 * Fri Aug 20 2010 Jiri Popelka <jpopelka at redhat.com> - 12:4.1.1-24.P1
 - Add DHCRELAYARGS variable to /etc/sysconfig/dhcrelay
 

