Søg i Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Læs mere

Request to host Firefox linux binaries that are compiled with the PIC/PIE flag

more options

Many of Linux Distributions take firefox binaries from https://packages.mozilla.org/apt/ as given in the Mozilla Knowlege Base Article Install Firefox on Linux. In this article there is a option to Install Firefox .deb package for Debian-based distributions.

However the binaries and libraries that are hosted in Firefox repositories are not compiled with the PIE/PIC flag. That prevents Firefox browser from using ASLR capabilities and to a large degree prevent Buffer overflows attacks. Please refer to the output given below for more details.

$ file -e elf /opt/firefox/firefox /opt/firefox/firefox: ELF 64-bit LSB executable, x86-64, version 1 (SYSV) $ $ readelf -h /opt/firefox/firefox ELF Header:

 Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
 Class:                             ELF64
 Data:                              2's complement, little endian
 Version:                           1 (current)
 OS/ABI:                            UNIX - System V
 ABI Version:                       0
 Type:                              EXEC (Executable file)
 Machine:                           Advanced Micro Devices X86-64
 Version:                           0x1

The output of the first command is ELF 64-bit LSB executable, which indicates that it is not a PIE executable. If it had been a PIE executable then it would have been ELF 64-bit LSB pie executable. Similarly the output of the second command has a Key, Type, whose value is EXEC (Executable file). However for a PIE binary the value would be DYN (Position-Independent Executable file).

Can Mozilla please compile the binaries and shared libraries with the PIE/PIC flag and then host them in its repositories? Many of Linux Distros do not have the bandwidth to take the source and compile binaries for different architects and are dependent on Mozilla to provide the same. Doing so would be appreciated and would help in enhancing safety of Linux users who use Firefox as their primary browser.


PIE = Position Independent Executable PIC = Position Independent Code ASLR = Address Space Layout Randomisation. PIC and PIE are used interchangeably and imply the same thing.

Many of Linux Distributions take firefox binaries from https://packages.mozilla.org/apt/ as given in the Mozilla Knowlege Base Article [http://mzl.la/1xKrIV5 Install Firefox on Linux]. In this article there is a option to [https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions-recommended Install Firefox .deb package for Debian-based distributions]. However the binaries and libraries that are hosted in Firefox repositories are not compiled with the PIE/PIC flag. That prevents Firefox browser from using ASLR capabilities and to a large degree prevent Buffer overflows attacks. Please refer to the output given below for more details. ''$ file -e elf /opt/firefox/firefox /opt/firefox/firefox: ELF 64-bit LSB executable, x86-64, version 1 (SYSV) $ $ readelf -h /opt/firefox/firefox ELF Header: Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 Class: ELF64 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Advanced Micro Devices X86-64 Version: 0x1'' The output of the first command is '''ELF 64-bit LSB executable''', which indicates that it is not a PIE executable. If it had been a PIE executable then it would have been '''ELF 64-bit LSB pie executable'''. Similarly the output of the second command has a Key, Type, whose value is '''EXEC (Executable file)'''. However for a PIE binary the value would be '''DYN (Position-Independent Executable file)'''. Can Mozilla please compile the binaries and shared libraries with the PIE/PIC flag and then host them in its repositories? Many of Linux Distros do not have the bandwidth to take the source and compile binaries for different architects and are dependent on Mozilla to provide the same. Doing so would be appreciated and would help in enhancing safety of Linux users who use Firefox as their primary browser. PIE = Position Independent Executable PIC = Position Independent Code ASLR = Address Space Layout Randomisation. PIC and PIE are used interchangeably and imply the same thing.

Ændret af LimuxSpring den

Alle svar (1)

more options

Information from about:buildconfig of the browser. As can be seen the browser executable have been built with -fPIC flag but not -fPIE

Source = Built from https://hg.mozilla.org/releases/mozilla-release/rev/2f6d80ae5a069caeed2c79987422bfae1d8facc3

Build platform target = x86_64-pc-linux-gnu

Build tools Compiler = /builds/worker/fetches/clang/bin/clang --sysroot /builds/worker/fetches/sysroot-x86_64-linux-gnu -std=gnu99 Version = 18.1.7 Compiler flags = -pthread -ffunction-sections -fdata-sections -fno-math-errno -fPIC -fcrash-diagnostics-dir=/builds/worker/artifacts

Compiler = /builds/worker/fetches/clang/bin/clang++ --sysroot /builds/worker/fetches/sysroot-x86_64-linux-gnu Version = 18.1.7 Compiler flags = -D_GLIBCXX_USE_CXX11_ABI=0 -fno-rtti -pthread -fno-sized-deallocation -fno-aligned-new -ffunction-sections -fdata-sections -fno-math-errno -fno-exceptions -fPIC -fcrash-diagnostics-dir=/builds/worker/artifacts -gdwarf-4 -O3 -fomit-frame-pointer -funwind-tables

Compiler = /builds/worker/fetches/rustc/bin/rustc Version = 1.79.0 Compiler flags =


Configure options MOZ_AUTOMATION=1 MOZILLA_OFFICIAL=1 --enable-update-channel=release MOZBUILD_STATE_PATH=/builds/worker/.mozbuild MOZ_FETCHES_DIR=/builds/worker/fetches 'CFLAGS= -fcrash-diagnostics-dir=/builds/worker/artifacts' 'CXXFLAGS= -fcrash-diagnostics-dir=/builds/worker/artifacts' MOZ_STDCXX_COMPAT=1 ENABLE_CLANG_PLUGIN=1 --enable-profile-use=cross --with-pgo-profile-path=/builds/worker/fetches/merged.profdata --with-pgo-jarlog=/builds/worker/fetches/en-US.log MOZ_LTO=cross MOZ_NO_PIE_COMPAT=1 MOZ_SOURCE_REPO=https://hg.mozilla.org/releases/mozilla-release MOZ_SOURCE_CHANGESET=2f6d80ae5a069caeed2c79987422bfae1d8facc3 --enable-js-shell --enable-rust-simd --enable-default-toolkit=cairo-gtk3-x11-wayland --with-mozilla-api-keyfile=/builds/mozilla-desktop-geoloc-api.key --with-google-location-service-api-keyfile=/builds/gls-gapi.data --with-google-safebrowsing-api-keyfile=/builds/sb-gapi.data MOZ_SIMPLE_PACKAGE_NAME=target MOZ_PACKAGE_JSSHELL=1 --enable-official-branding

Nyttig?

Stil et spørgsmål

Du skal logge ind på din konto for at svare på et indlæg. Start et nyt spørgsmål, hvis du ikke har en konto endnu.