Bug 1256628 - Use upstream --enable-pie configure option for enabling PIE in Firefox
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firefox
Version: 7.2
Hardware: Unspecified Linux
Priority: unspecified, Severity: low
Target Milestone: rc
Assigned To: Martin Stransky
QA Contact: Desktop QE
Reported: 2015-08-25 03:04 EDT by Martin Stransky
Modified: 2017-08-02 02:51 EDT
Clone Of: 1246287
Type: Bug
External Trackers: Mozilla Foundation 857628 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Martin Stransky 2015-08-25 03:04:24 EDT
+++ This bug was initially created as a clone of Bug #1246287 +++

Fedora should use the upstream configure option instead of hacking the build options[1] to generate a hardened build.
This is the recommended[2] approach.

Note: Same thing may apply to other Mozilla products like Thunderbird.

[1] http://pkgs.fedoraproject.org/cgit/firefox.git/commit/?h=f22&id=ded1820a4f7f445b440a40a0e584bf3038307066
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1079662#c3

--- Additional comment from Johannes Pfrang on 2015-07-23 18:35:47 EDT ---

Let me rephrase that: PIE should be enabled using the upstream configure option.

--- Additional comment from Martin Stransky on 2015-08-20 05:28:48 EDT ---

Added to rawhide - firefox 40.0-7. Thanks for the report.

--- Additional comment from Harald Reindl on 2015-08-20 20:58:51 EDT ---

well, if you are at it why not just use hardening-check / checksec and enable FULL RELRO too?

http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html

export LDFLAGS="-Wl,-z,now -Wl,-z,relro -pie %{optflags}"
export SH_LDFLAGS="-Wl,-z,now -Wl,-z,relro %{optflags}"

/usr/lib64/firefox/firefox:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
_______________________________________________________

a *really* hardened build looks like this (self built PHP):

/usr/bin/php:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

--- Additional comment from Martin Stransky on 2015-08-21 03:53:46 EDT ---

Are you referring to the "Immediate binding: no, not found!"? Or are there any other missing pieces here?

--- Additional comment from Harald Reindl on 2015-08-21 04:11:38 EDT ---

yes, "Immediate binding" is FULL RELRO, "checksec" labels it that way but in a list-form which is perfect for verifying complete dirs but not for posting in bugzilla :-)

Options:

  --file <executable-file>
  --dir <directory> [-v]
  --proc <process name>
  --proc-all
  --proc-libs <process ID>
  --kernel
  --fortify-file <executable-file>
  --fortify-proc <process ID>
  --version
  --help

For more information, see:
  http://www.trapkit.de/tools/checksec.html

[root@srv-rhsoft:~]$ checksec --file /usr/lib64/firefox/firefox
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/firefox/firefox

--- Additional comment from Martin Stransky on 2015-08-25 03:01:41 EDT ---

Added to Fedora 22 and 21, let's see what happens.
