1256628 – Use upstream --enable-pie configure option for enabling PIE in Firefox

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1256628 - Use upstream --enable-pie configure option for enabling PIE in Firefox

Summary: Use upstream --enable-pie configure option for enabling PIE in Firefox

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	firefox
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Stransky
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-08-25 07:04 UTC by Martin Stransky
Modified:	2019-08-23 06:26 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1246287
Environment:
Last Closed:	2019-08-23 06:26:29 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Mozilla Foundation	857628	0	None	None	None	Never

Description Martin Stransky 2015-08-25 07:04:24 UTC

+++ This bug was initially created as a clone of Bug #1246287 +++

Fedora should use the upstream configure option instead of hacking the build options[1] to generate a hardened build.
This is the recommended[2] approach.

Note: Same thing may apply to other Mozilla products like Thunderbird.

[1] http://pkgs.fedoraproject.org/cgit/firefox.git/commit/?h=f22&id=ded1820a4f7f445b440a40a0e584bf3038307066
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1079662#c3

--- Additional comment from Johannes Pfrang on 2015-07-23 18:35:47 EDT ---

Let me rephrase that: PIE should be enabled using the upstream configure option.

--- Additional comment from Martin Stransky on 2015-08-20 05:28:48 EDT ---

Added to rawhide - firefox 40.0-7. Thanks for the report.

--- Additional comment from Harald Reindl on 2015-08-20 20:58:51 EDT ---

well, if you are at it why not just use hardening-check / checksec and enable FULL RELRO too?

http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html

export LDFLAGS="-Wl,-z,now -Wl,-z,relro -pie %{optflags}"
export SH_LDFLAGS="-Wl,-z,now -Wl,-z,relro %{optflags}"

/usr/lib64/firefox/firefox:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
_______________________________________________________

a *really* hardened build looks like this (self built PHP):

/usr/bin/php:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

--- Additional comment from Martin Stransky on 2015-08-21 03:53:46 EDT ---

Are you referring to the "Immediate binding: no, not found!" ? Or there are any other missing pieces here?

--- Additional comment from Harald Reindl on 2015-08-21 04:11:38 EDT ---

yes, "Immediate binding" is FULL RELRO, "checksec" labels it that way but in a list-form which is perfectly for verify complete dirs but not to post in bugzilla :-)

Options:

  --file <executable-file>
  --dir <directory> [-v]
  --proc <process name>
  --proc-all
  --proc-libs <process ID>
  --kernel
  --fortify-file <executable-file>
  --fortify-proc <process ID>
  --version
  --help

For more information, see:
  http://www.trapkit.de/tools/checksec.html

[root@srv-rhsoft:~]$ checksec --file /usr/lib64/firefox/firefox
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/firefox/firefox

--- Additional comment from Martin Stransky on 2015-08-25 03:01:41 EDT ---

Added to Fedora 22 and 21, let's see what happen.

Note You need to log in before you can comment on or make changes to this bug.