diff --git a/dhcp-4.2.0-PIE-RELRO.patch b/dhcp-4.2.0-PIE-RELRO.patch
new file mode 100644
index 0000000..5805fd2
--- /dev/null
+++ b/dhcp-4.2.0-PIE-RELRO.patch
@@ -0,0 +1,35 @@
+diff -up dhcp-4.2.0/client/Makefile.am.PIE-RELRO dhcp-4.2.0/client/Makefile.am
+--- dhcp-4.2.0/client/Makefile.am.PIE-RELRO 2010-09-07 17:22:32.000000000 +0200
++++ dhcp-4.2.0/client/Makefile.am 2010-09-07 17:23:08.000000000 +0200
+@@ -6,6 +6,8 @@ dhclient_SOURCES = clparse.c dhclient.c
+ scripts/solaris scripts/openwrt
+ dhclient_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \
+ ../bind/lib/libdns.a ../bind/lib/libisc.a $(CAPNG_LDADD)
++dhclient_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
++
+ man_MANS = dhclient.8 dhclient-script.8 dhclient.conf.5 dhclient.leases.5
+ EXTRA_DIST = $(man_MANS)
+
+diff -up dhcp-4.2.0/relay/Makefile.am.PIE-RELRO dhcp-4.2.0/relay/Makefile.am
+--- dhcp-4.2.0/relay/Makefile.am.PIE-RELRO 2009-10-28 05:12:30.000000000 +0100
++++ dhcp-4.2.0/relay/Makefile.am 2010-09-07 17:23:38.000000000 +0200
+@@ -4,6 +4,8 @@ sbin_PROGRAMS = dhcrelay
+ dhcrelay_SOURCES = dhcrelay.c
+ dhcrelay_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \
+ ../bind/lib/libdns.a ../bind/lib/libisc.a
++dhcrelay_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
++
+ man_MANS = dhcrelay.8
+ EXTRA_DIST = $(man_MANS)
+
+diff -up dhcp-4.2.0/server/Makefile.am.PIE-RELRO dhcp-4.2.0/server/Makefile.am
+--- dhcp-4.2.0/server/Makefile.am.PIE-RELRO 2010-03-24 22:49:47.000000000 +0100
++++ dhcp-4.2.0/server/Makefile.am 2010-09-07 17:24:08.000000000 +0200
+@@ -10,6 +10,7 @@ dhcpd_CFLAGS = $(LDAP_CFLAGS)
+ dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \
+ ../dhcpctl/libdhcpctl.a ../bind/lib/libdns.a \
+ ../bind/lib/libisc.a
++dhcpd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
+
+ man_MANS = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5
+ EXTRA_DIST = $(man_MANS)
diff --git a/dhcp.spec b/dhcp.spec
index 6374e9c..c3b4e7c 100644
--- a/dhcp.spec
+++ b/dhcp.spec
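Review bot: The three new `*_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now` lines in dhcp-4.2.0-PIE-RELRO.patch only yield hardened binaries if every archive in the matching `_LDADD` is built position-independent, and nothing in the build confirms the outcome. The bundled `../bind/lib/libdns.a` and `../bind/lib/libisc.a` come from a separate build step whose compiler flags are not visible here. If they are not position-independent, the link either fails or, on architectures where the linker tolerates it, leaves text relocations that force the loader to make code pages writable while relocating. A post-build check in the spec would catch that, for example `readelf -d server/dhcpd | grep -q TEXTREL && exit 1` together with a `readelf -h` test that the ELF type is `DYN`, repeated for `client/dhclient` and `relay/dhcrelay`.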
@@ -7,7 +7,7 @@ Summary: Dynamic host configuration protocol software Name: dhcp Version: 4.2.0 -Release: 6%{?dist} +Release: 7%{?dist} # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to # dcantrell maintaining the package) made incorrect use of the epoch and # that's why it is at 12 now. It should have never been used, but it was. @@ -54,6 +54,7 @@ Patch25: dhcp-4.2.0-release6-elapsed.patch Patch26: dhcp-4.2.0-initialization-delay.patch Patch27: dhcp-4.2.0-parse_date.patch Patch28: dhcp-4.2.0-rfc3442-classless-static-routes.patch +Patch29: dhcp-4.2.0-PIE-RELRO.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: autoconf @@ -189,6 +190,7 @@ libdhcpctl and libomapi static libraries are also included in this package. %patch18 -p1 -b .dracut # Ensure 64-bit platforms parse lease file dates & times correctly (#448615) +# (Partly submitted to dhcp-bugs@isc.org - [ISC-Bugs #22033]) %patch19 -p1 -b .64-bit_lease_parse # Drop unnecessary capabilities in dhclient (#517649, #546765) @@ -229,6 +231,9 @@ libdhcpctl and libomapi static libraries are also included in this package. # RFC 3442 - Classless Static Route Option for DHCPv4 (#516325) %patch28 -p1 -b .rfc3442 +# hardening dhcpd/dhcrelay/dhclient by making them PIE & RELRO +%patch29 -p1 -b .PIE-RELRO + # Copy in the Fedora/RHEL dhclient script %{__install} -p -m 0755 %{SOURCE4} client/scripts/linux %{__install} -p -m 0644 %{SOURCE5} . @@ -281,7 +286,7 @@ done %build autoreconf --verbose --force --install -CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -D_GNU_SOURCE" \ +CFLAGS="%{optflags} -fno-strict-aliasing -fPIE -D_GNU_SOURCE" \ %configure \ --with-srv-lease-file=%{_localstatedir}/lib/dhcpd/dhcpd.leases \ --with-srv6-lease-file=%{_localstatedir}/lib/dhcpd/dhcpd6.leases \ 
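Review bot: The switch from `-fPIC` to `-fPIE` in the global `CFLAGS` of the `%build` hunk applies to every object in the tree, including the libdhcpctl and libomapi static libraries that the package description says are shipped. Objects compiled with `-fPIE` are only suitable for executables, so a consumer linking those archives into a shared object could now fail to link or misbehave, whereas `-fPIC` objects link cleanly into the `-pie` programs too. Unless it is known that nothing uses the archives that way, I would keep `CFLAGS="%{optflags} -fno-strict-aliasing -fPIC -D_GNU_SOURCE"` and rely on the link flags from Patch29 for the PIE executables. The `%build` section continues outside this hunk, so any later per-target flag overrides are not visible here.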
@@ -510,6 +515,9 @@ fi %attr(0644,root,root) %{_mandir}/man3/omapi.3.gz %changelog +* Tue Sep 7 2010 Jiri Popelka - 12:4.2.0-7 +- Hardening dhcpd/dhcrelay/dhclient by making them PIE & RELRO + * Thu Sep 2 2010 Jiri Popelka - 12:4.2.0-6 - Another fix for handling time values on 64-bit platforms (#628258)