[Bug 828874] New: BIND compiled with -fPIC instead of -fPIE
https://bugzilla.novell.com/show_bug.cgi?id=828874
https://bugzilla.novell.com/show_bug.cgi?id=828874#c0

Summary: BIND compiled with -fPIC instead of -fPIE
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: x86-64
OS/Version: openSUSE 12.3
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: novell.20.melitta@spamgourmet.com
QAContact: qa-bugs@suse.de
Found By: Customer
Blocker: No

Created an attachment (id=547435)
 --> (http://bugzilla.novell.com/attachment.cgi?id=547435)
Enhanced version of pie_compile.diff

The pie_compile.diff patch included in the BIND SRPM compiles source files in the "bin" subdirectory with -fPIC instead of -fPIE. This incurs a performance penalty because function calls within the same source file have to go through the PLT and global variables within the same source file have to go through the GOT. This can be avoided if -fPIE is used.

Click on these links if you do not understand that:
http://www.airs.com/blog/archives/549
http://www.openbsd.org/papers/nycbsdcon08-pie/mgp00004.html

The attached patch is a replacement for pie_compile.diff which fixes this by adding the libtool option -static to $EXT_CFLAGS.

Important: For this patch to work, you have to add "--disable-static" to $CONFIGURE_OPTIONS in the specfile. If you omit this then libtool will try to link the executables against the statically compiled (non-PIC) libraries which results in a linker error.

An additional benefit of this patch is that the compile time is cut in half: For libraries, only PIC object files are generated and for executables, only PIE objects are generated. Currently, i.e. without this patch, libtool generates an additional (unused) non-PIC object file for each source file.

The patch also adds PIE to the idnconf and zkt tools.

The patch applies cleanly to BIND 9.9.3-P1.
Note that openSUSE 12.3 and openSUSE-current still contain BIND 9.9.2-P1 which is vulnerable to CVE-2012-5689 and CVE-2013-2266. You should update the RPM to BIND 9.9.3-P1 at your earliest convenience.

Note also that SLES 11 SP3 still contains BIND 9.6ESV, support for which ends in January 2014. The next ESV release is 9.9, so you need to update the RPM in SLES to 9.9 as well over the next 6 months.
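The GOT indirection described in the report can be observed directly. The following is an added example, not part of the original report or of the attached patch: it compiles a constructed three-line source file once with -fPIC and once with -fPIE and counts the GOT-based relocations in each object file. It assumes a C compiler reachable as cc (or $CC) and binutils readelf; the function name got_relocs and the sample source are hypothetical.

```shell
#!/bin/sh
# Added example: compare the relocations a compiler emits for the same source
# file under -fPIC and under -fPIE. Assumes cc (or $CC) and binutils readelf.

# got_relocs FLAG
# Compile the constructed sample with FLAG and print how many relocations in
# the object file have a type name containing "GOT" (on x86-64 for example
# R_X86_64_REX_GOTPCRELX). Returns non-zero if compilation fails.
got_relocs() {
    dir=$(mktemp -d) || return 1
    # Constructed sample: a global variable and a function that are defined
    # and used in the same source file, the case the report is about.
    printf '%s\n' \
        'int counter = 0;' \
        'int bump(void) { return ++counter; }' \
        'int twice(void) { return bump() + bump(); }' > "$dir/sample.c"
    status=0
    if "${CC:-cc}" -O2 "$1" -c "$dir/sample.c" -o "$dir/sample.o"; then
        # readelf -r prints one relocation per line; -W keeps type names whole.
        # grep -c exits 1 when the count is 0, hence the "|| true".
        readelf -rW "$dir/sample.o" | grep -c 'GOT' || true
    else
        status=1
    fi
    rm -rf "$dir"
    return "$status"
}

# With -fPIC the compiler must assume "counter" could be overridden by another
# module at load time, so it loads the address from the GOT. With -fPIE the
# definition in the executable is final and the access is PC-relative.
for flag in -fPIC -fPIE; do
    echo "$flag: $(got_relocs "$flag") GOT relocation(s) in sample.o"
done
```

The same readelf check can be run on any object file under the "bin" subdirectory of a BIND build tree to see which of the two flags it was effectively compiled with.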
https://bugzilla.novell.com/show_bug.cgi?id=828874
https://bugzilla.novell.com/show_bug.cgi?id=828874#c
Ye Yuan
https://bugzilla.novell.com/show_bug.cgi?id=828874
https://bugzilla.novell.com/show_bug.cgi?id=828874#c1
Reinhard Max
https://bugzilla.novell.com/show_bug.cgi?id=828874
https://bugzilla.novell.com/show_bug.cgi?id=828874#c2
--- Comment #2 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=828874
https://bugzilla.novell.com/show_bug.cgi?id=828874#c3
--- Comment #3 from Bernhard Wiedemann