From fb0649f14a288beddc571fb52da7b0b5fd434b41 Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Sun, 22 Feb 2026 15:37:02 +0100 Subject: [PATCH] Use full RELRO for modules (use HARDEN_LDFLAGS in MODULEFLAGS) Previously, due to HARDEN_LDFLAGS missing in MODULEFLAGS we were only partial RELRO instead of full RELRO. This is a defense-in- depth measure but is good to have and the ommission was unintended. --- configure | 2 +- configure.ac | 2 +- doc/RELEASE-NOTES.md | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 554aff4a6..8d81bf88f 100755 --- a/configure +++ b/configure @@ -8266,7 +8266,7 @@ printf "%s\n" "#define UNDERSCORE /**/" >>confdefs.h fi -MODULEFLAGS="$ac_cv_pic $DYNAMIC_LDFLAGS" +MODULEFLAGS="$ac_cv_pic $DYNAMIC_LDFLAGS $HARDEN_LDFLAGS" else case e in #( e) diff --git a/configure.ac b/configure.ac index 667155ad8..06480ccf8 100644 --- a/configure.ac +++ b/configure.ac @@ -349,7 +349,7 @@ if test "$ac_cv_underscore" = "yes"; then AC_DEFINE([UNDERSCORE], [], [Define if your system prepends an underscore to symbols]) fi -MODULEFLAGS="$ac_cv_pic $DYNAMIC_LDFLAGS" +MODULEFLAGS="$ac_cv_pic $DYNAMIC_LDFLAGS $HARDEN_LDFLAGS" dnl DYNAMIC_LINKING is not meant to be defined in include/setup.h, it's dnl defined in the Makefiles using -D. Having it defined globally will dnl only cause braindamage and symbol collisions :-D. diff --git a/doc/RELEASE-NOTES.md b/doc/RELEASE-NOTES.md index 2e9404daf..980cac135 100644 --- a/doc/RELEASE-NOTES.md +++ b/doc/RELEASE-NOTES.md @@ -30,6 +30,8 @@ This version comes with a few enhancements and has quite a number of bugfixes. [set::handshake-timeout](https://www.unrealircd.org/docs/Set_block#set::handshake-timeout) from 30 to 40 seconds. * Update shipped libs: PCRE2 (10.47), Jansson (2.15.0), Sodium (1.0.21) +* Minor hardening tweak for modules, reducing the impact of some security bugs + (full RELRO instead of partial RELRO) ### Fixes: * Crash when using [Extended Server Bans](https://www.unrealircd.org/docs/Extended_server_bans)