Bug 973458
Summary: | firefox should be a hardening build | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Harald Reindl <h.reindl> |
Component: | firefox | Assignee: | Martin Stransky <stransky> |
Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 18 | CC: | gecko-bugs-nobody, stransky |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-08-21 13:04:09 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Harald Reindl
2013-06-12 00:16:38 UTC
Actually, the file /usr/lib64/firefox/firefox & /usr/lib64/firefox/firefox-bin are copy of xulrunner-stub executables from xulrunner package. We ship firefox as a XUL application. "ps aux" says that "/usr/lib64/firefox/firefox" is the running binary and it is not PIE nor Full RELRO, the same for /usr/lib64/xulrunner/xulrunner-stub so i am not sure what you trying to explain me? [harry@srv-rhsoft:~]$ hardening-check /usr/lib64/xulrunner/xulrunner-stub /usr/lib64/xulrunner/xulrunner-stub: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no, not found! I mean the fix is need for xulrunner package, not for the firefox one. But it does not matter anyway. and now what - *you* are maintainer of *both* The bug is on my TODO list. But feel free to attach a patch for it, I'll happily test it and put into Fedora. what patch? did you read http://fedoraproject.org/wiki/Packaging:Guidelines#PIE? To use this in your spec, add: %global _hardened_build 1 The mozilla itself sets the PIC/z flags in configure script but the xulrunner-stub is missing them and that's the bug. The proper fix is to build xulrunner-stub as well as the rest of the mozilla code (libxul.so and the others). The _hardened_build hack (through $RPM_OPT_FLAGS) is just a workaround. We can use it but I still like to have the right fix upstream for that. btw. The _hardened_build hack does not work in xulrunner. Is there any LD_FLAGS macro which should be used? Plus the PIE code does not work with prelink...but I'm not sure how it matters here as far as mozilla uses elf-hack for the dynamic link optimization. it should not work with "prelink" because this means ASLR is only done at prelink-time and that is one of the problems of non-PIE/PIC code, it beats off ASLR in any package i maintain private and company internal i export the flags before the %configure-macro export CFLAGS="%{optflags} -fPIC -fPIE" export CXXFLAGS="%{optflags} -fPIC -fPIE" export LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie" Unfortunately Firefox/Xulrunner fails to build with this setup. the interesting is which error occurs you can try only "-fPIC" and only "-fPIE" maybe remove the "-pie" from the LDFLAGS i had software which was not PIE without the LDFLAGS while "-fPIC -fPIE" used for the CFLAGS - if i where you i would simply ask upstream at Mozilla There's an upstream bug for that - https://bugzilla.mozilla.org/show_bug.cgi?id=857628 |