The firefox binary in Tor Browser 7.0a3 for Linux is not PIE

The firefox, plugin-container and updater binaries are not PIE.

We can fix that by adding ac_add_options --enable-pie to the mozconfig file.

added TorBrowserTeam201705R component::applications/tor browser owner::tbb-team priority::medium resolution::fixed severity::normal status::closed tbb-hardened tbb-security type::defect labels

Trac:
0001-Bug-22238-make-the-firefox-binaries-PIE-on-Linux.patch

I attached a patch adding ac_add_options --enable-pie. I checked in a build with rbm that it makes the firefox binary PIE.

Trac:
Status: new to needs_review
Keywords: N/A deleted, TorBrowserTeam201705R added

Do you know what changed to make this necessary now? We did not change the compiler version and we still have export DEB_BUILD_HARDENING_PIE=1.

This is now commit b51157dc9a520a693c2fb27ab3213e3bdf1cb5f1 on tor-browser-52.1.0esr-7.0-2. Would still be nice to understand what made this change necessary.

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

Replying to gk:

Do you know what changed to make this necessary now? We did not change the compiler version and we still have export DEB_BUILD_HARDENING_PIE=1.

Good question. After looking at what changed, I suspect this might be caused by this commit: https://hg.mozilla.org/mozilla-central/rev/f8cf0fe7c810

Before this commit, I think we were using c++ as the compiler, and after this commit g++ is being used.

In gitian/descriptors/linux/gitian-firefox.yml we are doing:

  mv gcc gcc.real
  mv c++ c++.real
  ln -sf hardened-cc gcc
  ln -sf hardened-cc c++

So we are using the hardened wrapper if the c++ command is used, but not if the g++ command is used.

So maybe a better fix would be to add a g++ -> hardened-cc symlink in gitian/descriptors/linux/gitian-firefox.yml.

Trac:
Resolution: fixed to N/A
Status: closed to reopened

Could you test that and provide a patch for the upcoming alpha?

I pushed the branch bug_22238 adding a g++ -> hardened-cc symbolic link: https://gitweb.torproject.org/user/boklm/tor-browser-bundle.git/commit/?h=bug_22238

I tried a similar change in rbm, without the --enable-pie option in mozconfig, and this fixed the problem.

Trac:
Status: reopened to needs_review

Thanks, looks better. :) Merged to master (commit 48b68f84b34aef3567aeffe6932ff1e40d900f2b) and I backed out the patch on tor-browser-52.1.0esr-7.0-2 (commit c474e8a83bff73cff6a26aac945e110bc44846a0).

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

closed

moved to tpo/applications/tor-browser#22238 (closed)