Bug 973458 - firefox should be a hardening build
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: firefox
Version: 18
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Martin Stransky
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-06-11 20:16 EDT by Harald Reindl
Modified: 2013-08-21 09:05 EDT

Last Closed: 2013-08-21 09:04:09 EDT
Type: Bug
External Trackers
Tracker: Mozilla Foundation, ID: 857628, Priority: None, Status: None, Summary: None, Last Updated: Never
Description Harald Reindl 2013-06-11 20:16:38 EDT
Firefox deals with active content and should use PIC/PIE and "Full RELRO"

http://fedoraproject.org/wiki/Packaging:Guidelines
> If your package meets the following criteria you should consider 
> enabling the PIE compiler flags: Your package accepts/processes 
> untrusted input

yes, a web browser processes untrusted input most of the time

verification tools:
http://koji.fedoraproject.org/koji/buildinfo?buildID=426028
http://koji.fedoraproject.org/koji/buildinfo?buildID=425584

[harry@srv-rhsoft:~]$ hardening-check /usr/lib64/firefox/firefox
/usr/lib64/firefox/firefox:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

[harry@srv-rhsoft:~]$ hardening-check /usr/lib64/firefox/firefox-bin
/usr/lib64/firefox/firefox-bin:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
Comment 1 Martin Stransky 2013-06-12 09:30:07 EDT
Actually, the files /usr/lib64/firefox/firefox & /usr/lib64/firefox/firefox-bin are copies of the xulrunner-stub executable from the xulrunner package. We ship firefox as a XUL application.
Comment 2 Harald Reindl 2013-06-12 09:41:29 EDT
"ps aux" says that "/usr/lib64/firefox/firefox" is the running binary and it is neither PIE nor Full RELRO, the same for /usr/lib64/xulrunner/xulrunner-stub, so I am not sure what you are trying to explain to me?

[harry@srv-rhsoft:~]$ hardening-check /usr/lib64/xulrunner/xulrunner-stub
/usr/lib64/xulrunner/xulrunner-stub:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
Comment 3 Martin Stransky 2013-06-12 09:45:25 EDT
I mean the fix is needed for the xulrunner package, not for the firefox one. But it does not matter anyway.
Comment 4 Harald Reindl 2013-08-16 16:06:16 EDT
and now what - *you* are the maintainer of *both*
Comment 5 Martin Stransky 2013-08-19 08:50:49 EDT
The bug is on my TODO list. But feel free to attach a patch for it, I'll happily test it and put it into Fedora.
Comment 6 Harald Reindl 2013-08-19 08:58:05 EDT
what patch?
did you read http://fedoraproject.org/wiki/Packaging:Guidelines#PIE?

To use this in your spec, add:
%global _hardened_build 1
Comment 7 Martin Stransky 2013-08-19 09:25:17 EDT
Mozilla itself sets the PIC/z flags in the configure script, but xulrunner-stub is missing them, and that's the bug. The proper fix is to build xulrunner-stub as well as the rest of the mozilla code (libxul.so and the others).

The _hardened_build hack (through $RPM_OPT_FLAGS) is just a workaround. We can use it, but I'd still like to have the right fix upstream for that.
Comment 8 Martin Stransky 2013-08-20 09:42:01 EDT
btw. The _hardened_build hack does not work in xulrunner. Is there any LD_FLAGS macro which should be used?

Plus the PIE code does not work with prelink...but I'm not sure how it matters here as far as mozilla uses elf-hack for the dynamic link optimization.
Comment 9 Harald Reindl 2013-08-20 09:47:33 EDT
it should not work with "prelink" because this means ASLR is only done at prelink-time and that is one of the problems of non-PIE/PIC code, it beats off ASLR

in any package I maintain privately and company-internally, I export the flags before the %configure macro

export CFLAGS="%{optflags} -fPIC -fPIE"
export CXXFLAGS="%{optflags} -fPIC -fPIE"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie"
Comment 10 Martin Stransky 2013-08-20 10:35:43 EDT
Unfortunately Firefox/Xulrunner fails to build with this setup.
Comment 11 Harald Reindl 2013-08-20 10:42:01 EDT
the interesting thing is which error occurs

you can try only "-fPIC" and only "-fPIE"
maybe remove the "-pie" from the LDFLAGS

I had software which was not PIE without the LDFLAGS while "-fPIC -fPIE" 
was used for the CFLAGS - if I were you I would simply ask upstream at Mozilla
Comment 12 Martin Stransky 2013-08-21 09:04:09 EDT
There's an upstream bug for that - https://bugzilla.mozilla.org/show_bug.cgi?id=857628
