Request to host Firefox linux binaries that are compiled with the PIC/PIE flag
Many of Linux Distributions take firefox binaries from https://packages.mozilla.org/apt/ as given in the Mozilla Knowlege Base Article Install Firefox on Linux. In this article there is a option to Install Firefox .deb package for Debian-based distributions.
However the binaries and libraries that are hosted in Firefox repositories are not compiled with the PIE/PIC flag. That prevents Firefox browser from using ASLR capabilities and to a large degree prevent Buffer overflows attacks. Please refer to the output given below for more details.
$ file -e elf /opt/firefox/firefox /opt/firefox/firefox: ELF 64-bit LSB executable, x86-64, version 1 (SYSV) $ $ readelf -h /opt/firefox/firefox ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 Class: ELF64 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Advanced Micro Devices X86-64 Version: 0x1
The output of the first command is ELF 64-bit LSB executable, which indicates that it is not a PIE executable. If it had been a PIE executable then it would have been ELF 64-bit LSB pie executable. Similarly the output of the second command has a Key, Type, whose value is EXEC (Executable file). However for a PIE binary the value would be DYN (Position-Independent Executable file).
Can Mozilla please compile the binaries and shared libraries with the PIE/PIC flag and then host them in its repositories? Many of Linux Distros do not have the bandwidth to take the source and compile binaries for different architects and are dependent on Mozilla to provide the same. Doing so would be appreciated and would help in enhancing safety of Linux users who use Firefox as their primary browser.
PIE = Position Independent Executable
PIC = Position Independent Code
ASLR = Address Space Layout Randomisation.
PIC and PIE are used interchangeably and imply the same thing.
由LimuxSpring于修改
所有回复 (1)
Information from about:buildconfig of the browser. As can be seen the browser executable have been built with -fPIC flag but not -fPIE
Source = Built from https://hg.mozilla.org/releases/mozilla-release/rev/2f6d80ae5a069caeed2c79987422bfae1d8facc3
Build platform target = x86_64-pc-linux-gnu
Build tools Compiler = /builds/worker/fetches/clang/bin/clang --sysroot /builds/worker/fetches/sysroot-x86_64-linux-gnu -std=gnu99 Version = 18.1.7 Compiler flags = -pthread -ffunction-sections -fdata-sections -fno-math-errno -fPIC -fcrash-diagnostics-dir=/builds/worker/artifacts
Compiler = /builds/worker/fetches/clang/bin/clang++ --sysroot /builds/worker/fetches/sysroot-x86_64-linux-gnu Version = 18.1.7 Compiler flags = -D_GLIBCXX_USE_CXX11_ABI=0 -fno-rtti -pthread -fno-sized-deallocation -fno-aligned-new -ffunction-sections -fdata-sections -fno-math-errno -fno-exceptions -fPIC -fcrash-diagnostics-dir=/builds/worker/artifacts -gdwarf-4 -O3 -fomit-frame-pointer -funwind-tables
Compiler = /builds/worker/fetches/rustc/bin/rustc Version = 1.79.0 Compiler flags =
Configure options MOZ_AUTOMATION=1 MOZILLA_OFFICIAL=1 --enable-update-channel=release MOZBUILD_STATE_PATH=/builds/worker/.mozbuild MOZ_FETCHES_DIR=/builds/worker/fetches 'CFLAGS= -fcrash-diagnostics-dir=/builds/worker/artifacts' 'CXXFLAGS= -fcrash-diagnostics-dir=/builds/worker/artifacts' MOZ_STDCXX_COMPAT=1 ENABLE_CLANG_PLUGIN=1 --enable-profile-use=cross --with-pgo-profile-path=/builds/worker/fetches/merged.profdata --with-pgo-jarlog=/builds/worker/fetches/en-US.log MOZ_LTO=cross MOZ_NO_PIE_COMPAT=1 MOZ_SOURCE_REPO=https://hg.mozilla.org/releases/mozilla-release MOZ_SOURCE_CHANGESET=2f6d80ae5a069caeed2c79987422bfae1d8facc3 --enable-js-shell --enable-rust-simd --enable-default-toolkit=cairo-gtk3-x11-wayland --with-mozilla-api-keyfile=/builds/mozilla-desktop-geoloc-api.key --with-google-location-service-api-keyfile=/builds/gls-gapi.data --with-google-safebrowsing-api-keyfile=/builds/sb-gapi.data MOZ_SIMPLE_PACKAGE_NAME=target MOZ_PACKAGE_JSSHELL=1 --enable-official-branding