Please show hardening flags in about:buildconfig

Bug #1671519 reported by Laurent Bonnaud
Affects: firefox (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Hi,

the firefox package provided by Ubuntu seems to be built with hardening flags, for instance:

$ hardening-check /usr/lib/firefox/firefox
/usr/lib/firefox/firefox:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

$ hardening-check /usr/lib/firefox/libxul.so
/usr/lib/firefox/libxul.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

but the compilation options (-fstack-protector-strong and -D_FORTIFY_SOURCE=2) do not show up in about:buildconfig.

Here is what I have in about:buildconfig:

about:buildconfig
Source
Built from https://hg.mozilla.org/releases/mozilla-release/rev/44d6a57ab554308585a67a13035d31b264be781e
Build platform
target
x86_64-pc-linux-gnu
Build tools
Compiler Version Compiler flags
/usr/bin/gcc -std=gnu99 6.2.0 -Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
/usr/bin/g++ -std=gnu++11 6.2.0 -Wall -Wc++11-compat -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wc++14-compat -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -freorder-blocks -Os -fomit-frame-pointer

When I look at the same page in the firefox build in Debian stretch, here is what I see:

about:buildconfig
Build platform
target
x86_64-pc-linux-gnu
Build tools
Compiler Version Compiler flags
gcc 6.3.0 -Wall -Wempty-body -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused -Wcast-align -fstack-protector-strong -Wformat -Werror=format-security -fno-schedule-insns2 -fno-lifetime-dse -fno-delete-null-pointer-checks -std=gnu99 -fgnu89-inline -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
g++ 6.3.0 -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wempty-body -Woverloaded-virtual -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof -Wcast-align -fstack-protector-strong -Wformat -Werror=format-security -fno-schedule-insns2 -fno-lifetime-dse -fno-delete-null-pointer-checks -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -g -freorder-blocks -Os -fomit-frame-pointer

The -D_FORTIFY_SOURCE=2 and -fstack-protector-strong do show up, which IMHO is a good thing from the point of view of someone who would like to check the hardening of firefox builds.

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: firefox 52.0+build2-0ubuntu0.16.10.1
ProcVersionSignature: Error: [Errno 2] No such file or directory: '/proc/version_signature'
Uname: Linux 4.10.1-041001-generic x86_64
AddonCompatCheckDisabled: False
ApportVersion: 2.20.3-0ubuntu8.2
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: bonnaudl 15515 F.... pulseaudio
BuildID: 20170303012224
Channel: Unavailable
CurrentDesktop: KDE
Date: Thu Mar 9 15:55:13 2017
DefaultProfileExtensions: extensions.sqlite corrupt or missing
DefaultProfileIncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
DefaultProfileLocales: extensions.sqlite corrupt or missing
DefaultProfilePlugins: Shockwave Flash - /usr/lib/flashplugin-installer/libflashplayer.so
DefaultProfilePrefSources:
 /usr/lib/firefox/defaults/pref/all-ubuntumate.js
 prefs.js
 [Profile]/<email address hidden>/defaults/preferences/prefs.js
DefaultProfileThemes: extensions.sqlite corrupt or missing
EcryptfsInUse: Yes
ForcedLayersAccel: False
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
IpRoute:
 default via 193.55.51.129 dev eth0 proto static metric 100
 169.254.0.0/16 dev eth0 scope link metric 1000
 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
 193.55.51.37 via 193.55.51.129 dev eth0 proto dhcp metric 100
 193.55.51.128/26 dev eth0 proto kernel scope link src 193.55.51.166 metric 100
Profile1Extensions: extensions.sqlite corrupt or missing
Profile1IncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
Profile1Locales: extensions.sqlite corrupt or missing
Profile1Plugins: Shockwave Flash - /usr/lib/flashplugin-installer/libflashplayer.so
Profile1PrefSources:
 /usr/lib/firefox/defaults/pref/all-ubuntumate.js
 prefs.js
Profile1Themes: extensions.sqlite corrupt or missing
Profiles:
 Profile0 (Default) - LastVersion=52.0/20170303012224 (In use)
 Profile1 - LastVersion=52.0/20170303012224
RunningIncompatibleAddons: False
SourcePackage: firefox
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 11/14/2013
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A19
dmi.board.name: 0NVF5K
dmi.board.vendor: Dell Inc.
dmi.board.version: A01
dmi.chassis.type: 9
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvrA19:bd11/14/2013:svnDellInc.:pnLatitudeE6520:pvr01:rvnDellInc.:rn0NVF5K:rvrA01:cvnDellInc.:ct9:cvr:
dmi.product.name: Latitude E6520
dmi.product.version: 01
dmi.sys.vendor: Dell Inc.
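
Added example (not part of the bug report, and not Ubuntu's or Debian's hardening-check): a small Python script that derives the same five properties hardening-check prints above straight from the ELF file itself. PIE comes from e_type, RELRO from a PT_GNU_RELRO program header, immediate binding from the BIND_NOW/DF_1_NOW dynamic flags, and the stack protector and fortify checks from the __stack_chk_fail and __*_chk imports that -fstack-protector-strong and -D_FORTIFY_SOURCE=2 leave in the dynamic string table. This is useful when about:buildconfig does not show the flags, because the binary still records their effect. The function names (check_hardening, build_test_elf, report) are the example's own, and build_test_elf assembles a constructed ELF64 image so the script can be exercised without a real firefox binary.

```python
"""Minimal ELF64 hardening checker in the spirit of hardening-check (constructed example)."""
import struct
import sys

# ELF constants from the System V ABI (elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EM_X86_64 = 62


def _segments(data):
    """Return (p_type, p_offset, p_vaddr, p_filesz) for every program header."""
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    segs = []
    for i in range(e_phnum):
        p_type, _fl, p_offset, p_vaddr, _pa, p_filesz, _ms, _al = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        segs.append((p_type, p_offset, p_vaddr, p_filesz))
    return segs


def _vaddr_to_offset(segs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, p_offset, p_vaddr, p_filesz in segs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("address 0x%x is not backed by any PT_LOAD segment" % vaddr)


def _dynamic(data, segs):
    """Collect d_tag -> d_val entries from the PT_DYNAMIC segment."""
    entries = {}
    for p_type, p_offset, _va, p_filesz in segs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            entries.setdefault(d_tag, d_val)
    return entries


def check_hardening(data):
    """Return the hardening properties of an ELF64 image as a dict of booleans."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    segs = _segments(data)
    dyn = _dynamic(data, segs)
    names = []
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        start = _vaddr_to_offset(segs, dyn[DT_STRTAB])
        names = data[start:start + dyn[DT_STRSZ]].split(b"\0")
    return {
        # A plain shared library is ET_DYN too; hardening-check reports those as
        # "ignored", this simplified check does not tell the two apart.
        "pie": e_type == ET_DYN,
        "relro": any(s[0] == PT_GNU_RELRO for s in segs),
        "bind_now": bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
        or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW),
        # -fstack-protector* emits calls to __stack_chk_fail; _FORTIFY_SOURCE
        # swaps e.g. memcpy for __memcpy_chk, so both appear as dynamic imports.
        "stack_protector": b"__stack_chk_fail" in names,
        "fortify": any(n.startswith(b"__") and n.endswith(b"_chk")
                       and n != b"__stack_chk_fail" for n in names),
    }


def build_test_elf(pie=True, relro=True, bind_now=True,
                   stack_protector=True, fortify=True):
    """Assemble a tiny constructed ELF64 image with the requested properties."""
    imports = [b"libc.so.6"]
    if stack_protector:
        imports.append(b"__stack_chk_fail")
    if fortify:
        imports.append(b"__memcpy_chk")
    strtab = b"\0" + b"\0".join(imports) + b"\0"
    phnum = 3 if relro else 2
    dyn_off = 64 + 56 * phnum      # program headers follow the 64-byte ELF header
    str_off = dyn_off + 4 * 16     # four dynamic entries, then the string table
    total = str_off + len(strtab)
    # One PT_LOAD with vaddr == offset, so address translation is the identity.
    phdrs = [(PT_LOAD, 5, 0, 0, total), (PT_DYNAMIC, 6, dyn_off, dyn_off, 64)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, dyn_off, dyn_off, 64))
    hdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                      ET_DYN if pie else ET_EXEC, EM_X86_64, 1, 0, 64, 0, 0,
                      64, 56, phnum, 64, 0, 0)
    ph = b"".join(struct.pack("<IIQQQQQQ", t, f, o, v, v, sz, sz, 8)
                  for t, f, o, v, sz in phdrs)
    dyn = b"".join(struct.pack("<qQ", tag, val) for tag, val in [
        (DT_STRTAB, str_off), (DT_STRSZ, len(strtab)),
        (DT_FLAGS, DF_BIND_NOW if bind_now else 0), (DT_NULL, 0)])
    return hdr + ph + dyn + strtab


def report(path):
    """Print a hardening-check style summary for one file on disk."""
    with open(path, "rb") as f:
        result = check_hardening(f.read())
    print(path + ":")
    for name, ok in result.items():
        print(" %-16s %s" % (name + ":", "yes" if ok else "no"))


if __name__ == "__main__":
    for p in sys.argv[1:] or []:
        report(p)          # e.g. python3 elfcheck.py /usr/lib/firefox/firefox
    if len(sys.argv) == 1:
        print(check_hardening(build_test_elf()))
```

Run it with a path argument to inspect an installed binary, or with no arguments to see the constructed image evaluated. Unlike hardening-check it reads only the dynamic string table, so a statically linked binary (which imports nothing) will report no stack protector or fortify even when both were compiled in.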

Revision history for this message
Laurent Bonnaud (laurent-bonnaud) wrote :

Firefox changed completely since this report, so closing.

Changed in firefox (Ubuntu):
status: New → Invalid