Now that clang is the default, https://src.fedoraproject.org/rpms/chromium/blob/rawhide/f/chromium.spec#_153 CFI should be enabled when possible. Chromium should be built with control flow integrity (CFI) support, which helps prevent attackers from modifying the program's control flow. The previous reason for not doing this is no longer the case: https://bugzilla.redhat.com/show_bug.cgi?id=1970161#c1
Reproducible: Always
Steps to Reproduce:
1. Go to https://src.fedoraproject.org/rpms/chromium/blob/rawhide/f/chromium.spec#_1173
2. is_cfi is false
Actual Results: is_cfi is false
Expected Results: is_cfi is true
I built chromium-120.0.6099.62 with control flow integrity support (is_cfi=true) and noticed that the binary size (chromium-browser) has increased by about 49MB. It is really bad on a system with little memory. So I am not sure if we should enable it.
(In reply to Than Ngo from comment #1)
> I built chromium-120.0.6099.62 with control flow integrity support
> (is_cfi=true) and noticed that the binary size (chromium-browser) has increased
> by about 49MB.
> It is really bad on a system with little memory. So I am not sure if we
> should enable it.
A couple of things to keep in mind:
- CFI is already default and has been used in official Chrome for Linux builds for many years now: https://www.chromium.org/developers/testing/control-flow-integrity/
- Also according to the same link above, even though the binary will be larger, the memory impact will be a small constant: "(read-only tables inside the binary shared between all chrome processes)"
- Keeping this feature disabled is a significant security degradation compared to upstream. The current settings are taking a security feature that exists and is default upstream and disabling it. This seems unjustified, especially since this ask is not to add new security functionality that upstream doesn't already have.
Given the above, the memory impact should be less than expected and the security gains are significant.
FEDORA-2023-5d1b8507b8 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5d1b8507b8
FEDORA-2023-5d1b8507b8 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-5d1b8507b8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-5d1b8507b8
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-a32ad3e643 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a32ad3e643
FEDORA-2023-5d1b8507b8 has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2023-a32ad3e643 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a32ad3e643`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a32ad3e643
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-a32ad3e643 has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.