[Bug 233707] www/firefox: fails to build with -fstack-protector-{strong,all} + -Wl,-z,nocopyreloc
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Sun Dec 30 14:12:58 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233707
--- Comment #7 from Shawn Webb <shawn.webb at hardenedbsd.org> ---
(In reply to Jan Beich from comment #6)
> I've filed an upstream bug to get more feedback.
I doubt this is a bug in upstream. Every major operating system in which
Mozilla supports supports ASLR, with the sole exception of FreeBSD. The problem
is that FreeBSD isn't compiling certain libraries with -fPIC. Once FreeBSD
gains some form of address space randomization, whether it be ASR or ASLR,
FreeBSD will also need to update base and ports to compile libraries with
-fPIC, which HardenedBSD has already done (and, it appears, OpenBSD, too, but I
haven't verified that). Granted, the `-fPIC`-ization could happen before the
ASR[1] patch lands (and likely would be good preparation for it).
I think Mozilla is in the right here because they're applying security
hardening measures. There'd be two ways to fix this: 1) apply fewer security
hardening measures in the browser; 2) apply -fPIC where appropriate. Option 2
is the more attractive option. Granted, browsers are extremely complex
applications that are nearly impossible to properly secure, especially given
that they execute arbitrary remote code locally.
[1]: https://reviews.freebsd.org/D5603
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-toolchain
mailing list