Public bug reported:

Hi,

the firefox package provided by Ubuntu seems to be built with hardening flags, for instance:

    $ hardening-check /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes

    $ hardening-check /usr/lib/firefox/libxul.so
    /usr/lib/firefox/libxul.so:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no, not found!

but the compilation options (-fstack-protector-strong and -D_FORTIFY_SOURCE=2) do not show up in about:buildconfig.

Here is what I have in about:buildconfig:

    about:buildconfig

    Source
    Built from https://hg.mozilla.org/releases/mozilla-release/rev/44d6a57ab554308585a67a13035d31b264be781e

    Build platform
    target
    x86_64-pc-linux-gnu

    Build tools
    Compiler    Version    Compiler flags
    /usr/bin/gcc -std=gnu99    6.2.0    -Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
    /usr/bin/g++ -std=gnu++11    6.2.0    -Wall -Wc++11-compat -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wc++14-compat -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -freorder-blocks -Os -fomit-frame-pointer

When I look at the same page in the firefox build in Debian stretch, here is what I see:

    about:buildconfig

    Build platform
    target
    x86_64-pc-linux-gnu

    Build tools
    Compiler    Version    Compiler flags
    gcc    6.3.0    -Wall -Wempty-body -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused -Wcast-align -fstack-protector-strong -Wformat -Werror=format-security -fno-schedule-insns2 -fno-lifetime-dse -fno-delete-null-pointer-checks -std=gnu99 -fgnu89-inline -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
    g++    6.3.0    -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wempty-body -Woverloaded-virtual -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof -Wcast-align -fstack-protector-strong -Wformat -Werror=format-security -fno-schedule-insns2 -fno-lifetime-dse -fno-delete-null-pointer-checks -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -g -freorder-blocks -Os -fomit-frame-pointer

The D_FORTIFY_SOURCE=2 and -fstack-protector-strong do show up which IMHO is a good thing from the point of view of someone who would like to check the hardening of firefox builds.

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: firefox 52.0+build2-0ubuntu0.16.10.1
ProcVersionSignature: Error: [Errno 2] No such file or directory: '/proc/version_signature'
Uname: Linux 4.10.1-041001-generic x86_64
AddonCompatCheckDisabled: False
ApportVersion: 2.20.3-0ubuntu8.2
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: bonnaudl 15515 F.... pulseaudio
BuildID: 20170303012224
Channel: Unavailable
CurrentDesktop: KDE
Date: Thu Mar 9 15:55:13 2017
DefaultProfileExtensions: extensions.sqlite corrupt or missing
DefaultProfileIncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
DefaultProfileLocales: extensions.sqlite corrupt or missing
DefaultProfilePlugins: Shockwave Flash - /usr/lib/flashplugin-installer/libflashplayer.so
DefaultProfilePrefSources:
 /usr/lib/firefox/defaults/pref/all-ubuntumate.js
 prefs.js
 [Profile]/extensions/[email protected]/defaults/preferences/prefs.js
DefaultProfileThemes: extensions.sqlite corrupt or missing
EcryptfsInUse: Yes
ForcedLayersAccel: False
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
IpRoute:
 default via 193.55.51.129 dev eth0 proto static metric 100
 169.254.0.0/16 dev eth0 scope link metric 1000
 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
 193.55.51.37 via 193.55.51.129 dev eth0 proto dhcp metric 100
 193.55.51.128/26 dev eth0 proto kernel scope link src 193.55.51.166 metric 100
Profile1Extensions: extensions.sqlite corrupt or missing
Profile1IncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
Profile1Locales: extensions.sqlite corrupt or missing
Profile1Plugins: Shockwave Flash - /usr/lib/flashplugin-installer/libflashplayer.so
Profile1PrefSources:
 /usr/lib/firefox/defaults/pref/all-ubuntumate.js
 prefs.js
Profile1Themes: extensions.sqlite corrupt or missing
Profiles:
 Profile0 (Default) - LastVersion=52.0/20170303012224 (In use)
 Profile1 - LastVersion=52.0/20170303012224
RunningIncompatibleAddons: False
SourcePackage: firefox
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 11/14/2013
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A19
dmi.board.name: 0NVF5K
dmi.board.vendor: Dell Inc.
dmi.board.version: A01
dmi.chassis.type: 9
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvrA19:bd11/14/2013:svnDellInc.:pnLatitudeE6520:pvr01:rvnDellInc.:rn0NVF5K:rvrA01:cvnDellInc.:ct9:cvr:
dmi.product.name: Latitude E6520
dmi.product.version: 01
dmi.sys.vendor: Dell Inc.

** Affects: firefox (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug gnome3-ppa third-party-packages yakkety

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1671519

Title:
  Please show hardening flags in about:buildconfig

Status in firefox package in Ubuntu:
  New
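Added example (not part of the bug report, and not Firefox or Ubuntu code): a small Python check that reads a flag list such as the about:buildconfig rows quoted in the report and states what it says about the two options the report names. `audit_flags` and the constants are names chosen here; the two g++ strings are abridged from the report and `OVERRIDDEN` is constructed. A result of "unspecified" means the flag list is silent and the compiler's built-in default decides, so a check of the binary such as hardening-check remains the authority.

```python
import shlex

# g++ rows from the two about:buildconfig pages in the report, abridged
# (most warning and code-generation options dropped).
UBUNTU_CXX = ("-Wall -fno-lifetime-dse -fno-exceptions -fno-rtti -pthread "
              "-pipe -g -freorder-blocks -Os -fomit-frame-pointer")
DEBIAN_CXX = ("-Wdate-time -D_FORTIFY_SOURCE=2 -Wall -fstack-protector-strong "
              "-Wformat -Werror=format-security -fno-exceptions -fno-rtti "
              "-pthread -pipe -DNDEBUG -g -freorder-blocks -Os")
# Constructed edge case: hardening requested, then switched off again.
OVERRIDDEN = ("-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 "
              "-fno-stack-protector -O0")


def audit_flags(flags):
    """Summarise the hardening options in a GCC-style flag string.

    Later flags override earlier ones. "unspecified" means the list is
    silent and the compiler's built-in default applies.
    """
    stack, fortify, optimised = "unspecified", "unspecified", False
    for tok in shlex.split(flags):
        if tok == "-fno-stack-protector":
            stack = "off"
        elif tok == "-fstack-protector":
            stack = "basic"
        elif tok.startswith("-fstack-protector-"):
            stack = tok[len("-fstack-protector-"):]   # strong, all, explicit
        elif tok == "-U_FORTIFY_SOURCE":
            fortify = "off"
        elif tok == "-D_FORTIFY_SOURCE" or tok.startswith("-D_FORTIFY_SOURCE="):
            level = tok.partition("=")[2] or "1"      # bare -D defines it as 1
            fortify = "off" if level == "0" else level
        elif tok.startswith("-O"):
            optimised = tok != "-O0"                  # last -O level wins
    return {
        "stack_protector": stack,
        "fortify_source": fortify,
        # The fortified wrappers are only used when optimisation is on.
        "fortify_active": fortify not in ("unspecified", "off") and optimised,
    }


if __name__ == "__main__":
    for name, flags in (("ubuntu", UBUNTU_CXX), ("debian", DEBIAN_CXX),
                        ("overridden", OVERRIDDEN)):
        print(name, audit_flags(flags))
```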

