Bug 973458
| Summary: | firefox should be a hardening build | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Harald Reindl <h.reindl> |
| Component: | firefox | Assignee: | Martin Stransky <stransky> |
| Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 18 | CC: | gecko-bugs-nobody, stransky |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-08-21 13:04:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Harald Reindl
2013-06-12 00:16:38 UTC
Actually, the file /usr/lib64/firefox/firefox & /usr/lib64/firefox/firefox-bin are copy of xulrunner-stub executables from xulrunner package. We ship firefox as a XUL application. "ps aux" says that "/usr/lib64/firefox/firefox" is the running binary and it is not PIE nor Full RELRO, the same for /usr/lib64/xulrunner/xulrunner-stub so i am not sure what you trying to explain me? [harry@srv-rhsoft:~]$ hardening-check /usr/lib64/xulrunner/xulrunner-stub /usr/lib64/xulrunner/xulrunner-stub: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no, not found! I mean the fix is need for xulrunner package, not for the firefox one. But it does not matter anyway. and now what - *you* are maintainer of *both* The bug is on my TODO list. But feel free to attach a patch for it, I'll happily test it and put into Fedora. what patch? did you read http://fedoraproject.org/wiki/Packaging:Guidelines#PIE? To use this in your spec, add: %global _hardened_build 1 The mozilla itself sets the PIC/z flags in configure script but the xulrunner-stub is missing them and that's the bug. The proper fix is to build xulrunner-stub as well as the rest of the mozilla code (libxul.so and the others). The _hardened_build hack (through $RPM_OPT_FLAGS) is just a workaround. We can use it but I still like to have the right fix upstream for that. btw. The _hardened_build hack does not work in xulrunner. Is there any LD_FLAGS macro which should be used? Plus the PIE code does not work with prelink...but I'm not sure how it matters here as far as mozilla uses elf-hack for the dynamic link optimization. it should not work with "prelink" because this means ASLR is only done at prelink-time and that is one of the problems of non-PIE/PIC code, it beats off ASLR
in any package i maintain private and company internal i export the flags before the %configure-macro
export CFLAGS="%{optflags} -fPIC -fPIE"
export CXXFLAGS="%{optflags} -fPIC -fPIE"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie"
Unfortunately Firefox/Xulrunner fails to build with this setup. the interesting is which error occurs you can try only "-fPIC" and only "-fPIE" maybe remove the "-pie" from the LDFLAGS i had software which was not PIE without the LDFLAGS while "-fPIC -fPIE" used for the CFLAGS - if i where you i would simply ask upstream at Mozilla There's an upstream bug for that - https://bugzilla.mozilla.org/show_bug.cgi?id=857628 |