Firefox deals with active content and should use PIC/PIE and "Full RELRO"
http://fedoraproject.org/wiki/Packaging:Guidelines
> If your package meets the following criteria you should consider
> enabling the PIE compiler flags: Your package accepts/processes
> untrusted input
yes, a web browser processes untrusted input most of the time
verification tools:
http://koji.fedoraproject.org/koji/buildinfo?buildID=426028
http://koji.fedoraproject.org/koji/buildinfo?buildID=425584
[harry@srv-rhsoft:~]$ hardening-check /usr/lib64/firefox/firefox
/usr/lib64/firefox/firefox:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
[harry@srv-rhsoft:~]$ hardening-check /usr/lib64/firefox/firefox-bin
/usr/lib64/firefox/firefox-bin:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

Actually, the files /usr/lib64/firefox/firefox & /usr/lib64/firefox/firefox-bin are copies of the xulrunner-stub executable from the xulrunner package. We ship firefox as a XUL application.

"ps aux" says that "/usr/lib64/firefox/firefox" is the running binary and it is neither PIE nor Full RELRO, the same for /usr/lib64/xulrunner/xulrunner-stub, so i am not sure what you are trying to explain to me?
[harry@srv-rhsoft:~]$ hardening-check /usr/lib64/xulrunner/xulrunner-stub
/usr/lib64/xulrunner/xulrunner-stub:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

I mean the fix is needed for the xulrunner package, not for the firefox one. But it does not matter anyway.

and now what - *you* are maintainer of *both*

The bug is on my TODO list. But feel free to attach a patch for it, I'll happily test it and put it into Fedora.

what patch? did you read http://fedoraproject.org/wiki/Packaging:Guidelines#PIE?
To use this in your spec, add:
%global _hardened_build 1

Mozilla itself sets the PIC/z flags in the configure script but the xulrunner-stub is missing them and that's the bug. The proper fix is to build xulrunner-stub as well as the rest of the mozilla code (libxul.so and the others). The _hardened_build hack (through $RPM_OPT_FLAGS) is just a workaround. We can use it but I'd still like to have the right fix upstream for that.

btw. The _hardened_build hack does not work in xulrunner. Is there any LD_FLAGS macro which should be used? Plus the PIE code does not work with prelink...but I'm not sure how it matters here as far as mozilla uses elf-hack for the dynamic link optimization.

it should not work with "prelink" because this means ASLR is only done at prelink-time and that is one of the problems of non-PIE/PIC code, it beats off ASLR
in any package i maintain private and company internal i export the flags before the %configure-macro
export CFLAGS="%{optflags} -fPIC -fPIE"
export CXXFLAGS="%{optflags} -fPIC -fPIE"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro,-z,noexecstack -pie"

Unfortunately Firefox/Xulrunner fails to build with this setup.

the interesting thing is which error occurs
you can try only "-fPIC" and only "-fPIE", maybe remove the "-pie" from the LDFLAGS
i had software which was not PIE without the LDFLAGS while "-fPIC -fPIE" was used for the CFLAGS - if i were you i would simply ask upstream at Mozilla

There's an upstream bug for that - https://bugzilla.mozilla.org/show_bug.cgi?id=857628