Ce site disposera de fonctionnalités limitées pendant que nous effectuons des opérations de maintenance en vue de vous proposer un meilleur service. Si un article ne règle pas votre problème et que vous souhaitez poser une question, notre communauté d’assistance est prête à vous répondre via @FirefoxSupport sur Twitter, et /r/firefox sur Reddit.

Avatar for Username

Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

Request to host Firefox linux binaries that are compiled with the PIC/PIE flag

LimuxSpring
LimuxSpring
more options

Many of Linux Distributions take firefox binaries from https://packages.mozilla.org/apt/ as given in the Mozilla Knowlege Base Article Install Firefox on Linux. In this article there is a option to Install Firefox .deb package for Debian-based distributions.

However the binaries and libraries that are hosted in Firefox repositories are not compiled with the PIE/PIC flag. That prevents Firefox browser from using ASLR capabilities and to a large degree prevent Buffer overflows attacks. Please refer to the output given below for more details.

$ file -e elf /opt/firefox/firefox /opt/firefox/firefox: ELF 64-bit LSB executable, x86-64, version 1 (SYSV) $ $ readelf -h /opt/firefox/firefox ELF Header: 

 Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
 Class:                             ELF64
 Data:                              2's complement, little endian
 Version:                           1 (current)
 OS/ABI:                            UNIX - System V
 ABI Version:                       0
 Type:                              EXEC (Executable file)
 Machine:                           Advanced Micro Devices X86-64
 Version:                           0x1

The output of the first command is ELF 64-bit LSB executable, which indicates that it is not a PIE executable. If it had been a PIE executable then it would have been ELF 64-bit LSB pie executable. Similarly the output of the second command has a Key, Type, whose value is EXEC (Executable file). However for a PIE binary the value would be DYN (Position-Independent Executable file).

Can Mozilla please compile the binaries and shared libraries with the PIE/PIC flag and then host them in its repositories? Many of Linux Distros do not have the bandwidth to take the source and compile binaries for different architects and are dependent on Mozilla to provide the same. Doing so would be appreciated and would help in enhancing safety of Linux users who use Firefox as their primary browser.


PIE = Position Independent Executable PIC = Position Independent Code ASLR = Address Space Layout Randomisation. PIC and PIE are used interchangeably and imply the same thing.

Many of Linux Distributions take firefox binaries from https://packages.mozilla.org/apt/ as given in the Mozilla Knowlege Base Article [http://mzl.la/1xKrIV5 Install Firefox on Linux]. In this article there is a option to [https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions-recommended Install Firefox .deb package for Debian-based distributions]. However the binaries and libraries that are hosted in Firefox repositories are not compiled with the PIE/PIC flag. That prevents Firefox browser from using ASLR capabilities and to a large degree prevent Buffer overflows attacks. Please refer to the output given below for more details. ''$ file -e elf /opt/firefox/firefox /opt/firefox/firefox: ELF 64-bit LSB executable, x86-64, version 1 (SYSV) $ $ readelf -h /opt/firefox/firefox ELF Header: Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 Class: ELF64 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Advanced Micro Devices X86-64 Version: 0x1'' The output of the first command is '''ELF 64-bit LSB executable''', which indicates that it is not a PIE executable. If it had been a PIE executable then it would have been '''ELF 64-bit LSB pie executable'''. Similarly the output of the second command has a Key, Type, whose value is '''EXEC (Executable file)'''. However for a PIE binary the value would be '''DYN (Position-Independent Executable file)'''. Can Mozilla please compile the binaries and shared libraries with the PIE/PIC flag and then host them in its repositories? Many of Linux Distros do not have the bandwidth to take the source and compile binaries for different architects and are dependent on Mozilla to provide the same. Doing so would be appreciated and would help in enhancing safety of Linux users who use Firefox as their primary browser. PIE = Position Independent Executable PIC = Position Independent Code ASLR = Address Space Layout Randomisation. PIC and PIE are used interchangeably and imply the same thing.

Modifié le par LimuxSpring

Toutes les réponses (1)

LimuxSpring
LimuxSpring Auteur de la question
more options

Information from about:buildconfig of the browser. As can be seen the browser executable have been built with -fPIC flag but not -fPIE

Source = Built from https://hg.mozilla.org/releases/mozilla-release/rev/2f6d80ae5a069caeed2c79987422bfae1d8facc3

Build platform target = x86_64-pc-linux-gnu

Build tools Compiler = /builds/worker/fetches/clang/bin/clang --sysroot /builds/worker/fetches/sysroot-x86_64-linux-gnu -std=gnu99 Version = 18.1.7 Compiler flags = -pthread -ffunction-sections -fdata-sections -fno-math-errno -fPIC -fcrash-diagnostics-dir=/builds/worker/artifacts

Compiler = /builds/worker/fetches/clang/bin/clang++ --sysroot /builds/worker/fetches/sysroot-x86_64-linux-gnu Version = 18.1.7 Compiler flags = -D_GLIBCXX_USE_CXX11_ABI=0 -fno-rtti -pthread -fno-sized-deallocation -fno-aligned-new -ffunction-sections -fdata-sections -fno-math-errno -fno-exceptions -fPIC -fcrash-diagnostics-dir=/builds/worker/artifacts -gdwarf-4 -O3 -fomit-frame-pointer -funwind-tables

Compiler = /builds/worker/fetches/rustc/bin/rustc Version = 1.79.0 Compiler flags =


Configure options MOZ_AUTOMATION=1 MOZILLA_OFFICIAL=1 --enable-update-channel=release MOZBUILD_STATE_PATH=/builds/worker/.mozbuild MOZ_FETCHES_DIR=/builds/worker/fetches 'CFLAGS= -fcrash-diagnostics-dir=/builds/worker/artifacts' 'CXXFLAGS= -fcrash-diagnostics-dir=/builds/worker/artifacts' MOZ_STDCXX_COMPAT=1 ENABLE_CLANG_PLUGIN=1 --enable-profile-use=cross --with-pgo-profile-path=/builds/worker/fetches/merged.profdata --with-pgo-jarlog=/builds/worker/fetches/en-US.log MOZ_LTO=cross MOZ_NO_PIE_COMPAT=1 MOZ_SOURCE_REPO=https://hg.mozilla.org/releases/mozilla-release MOZ_SOURCE_CHANGESET=2f6d80ae5a069caeed2c79987422bfae1d8facc3 --enable-js-shell --enable-rust-simd --enable-default-toolkit=cairo-gtk3-x11-wayland --with-mozilla-api-keyfile=/builds/mozilla-desktop-geoloc-api.key --with-google-location-service-api-keyfile=/builds/gls-gapi.data --with-google-safebrowsing-api-keyfile=/builds/sb-gapi.data MOZ_SIMPLE_PACKAGE_NAME=target MOZ_PACKAGE_JSSHELL=1 --enable-official-branding

Cela vous a-t-il été utile ?

Poser une question

Vous devez vous identifier avec votre compte pour répondre aux messages. Veuillez poser une nouvelle question, si vous n’avez pas encore de compte.