[Bug 1671519] [NEW] Please show hardening flags in about:buildconfig
Laurent Bonnaud
L.Bonnaud at laposte.net
Thu Mar 9 15:19:46 UTC 2017
Public bug reported:
Hi,
the firefox package provided by Ubuntu seems to be built with hardening
flags, for instance:

  $ hardening-check /usr/lib/firefox/firefox
  /usr/lib/firefox/firefox:
   Position Independent Executable: yes
   Stack protected: yes
   Fortify Source functions: yes (some protected functions found)
   Read-only relocations: yes
   Immediate binding: yes

  $ hardening-check /usr/lib/firefox/libxul.so
  /usr/lib/firefox/libxul.so:
   Position Independent Executable: no, regular shared library (ignored)
   Stack protected: yes
   Fortify Source functions: yes (some protected functions found)
   Read-only relocations: yes
   Immediate binding: no, not found!

but the compilation options (-fstack-protector-strong and
-D_FORTIFY_SOURCE=2) do not show up in about:buildconfig.
Here is what I have in about:buildconfig:

about:buildconfig

Source
  Built from https://hg.mozilla.org/releases/mozilla-release/rev/44d6a57ab554308585a67a13035d31b264be781e

Build platform
  target
  x86_64-pc-linux-gnu

Build tools
  Compiler | Version | Compiler flags
  /usr/bin/gcc -std=gnu99 | 6.2.0 | -Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
  /usr/bin/g++ -std=gnu++11 | 6.2.0 | -Wall -Wc++11-compat -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wc++14-compat -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -fno-lifetime-dse -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -freorder-blocks -Os -fomit-frame-pointer

When I look at the same page in the firefox build in Debian stretch,
here is what I see:

about:buildconfig

Build platform
  target
  x86_64-pc-linux-gnu

Build tools
  Compiler | Version | Compiler flags
  gcc | 6.3.0 | -Wall -Wempty-body -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused -Wcast-align -fstack-protector-strong -Wformat -Werror=format-security -fno-schedule-insns2 -fno-lifetime-dse -fno-delete-null-pointer-checks -std=gnu99 -fgnu89-inline -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
  g++ | 6.3.0 | -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wempty-body -Woverloaded-virtual -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof -Wcast-align -fstack-protector-strong -Wformat -Werror=format-security -fno-schedule-insns2 -fno-lifetime-dse -fno-delete-null-pointer-checks -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -g -freorder-blocks -Os -fomit-frame-pointer

The -D_FORTIFY_SOURCE=2 and -fstack-protector-strong do show up which
IMHO is a good thing from the point of view of someone who would like to
check the hardening of firefox builds.
ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: firefox 52.0+build2-0ubuntu0.16.10.1
ProcVersionSignature: Error: [Errno 2] No such file or directory: '/proc/version_signature'
Uname: Linux 4.10.1-041001-generic x86_64
AddonCompatCheckDisabled: False
ApportVersion: 2.20.3-0ubuntu8.2
Architecture: amd64
** Affects: firefox (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug gnome3-ppa third-party-packages yakkety
https://bugs.launchpad.net/bugs/1671519
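
Added example (not part of the original report, and not code from Ubuntu or Mozilla): a small checker that reads a compiler flag string as shown in about:buildconfig and reports which hardening options are listed. The function names are made up for this illustration, and the two sample strings are shortened copies of the g++ rows quoted in the report.

```python
import re
import shlex

# Constructed sample input: shortened copies of the two g++ rows in the report.
UBUNTU_CXX = ("-Wall -Wc++11-compat -Wempty-body -Wno-invalid-offsetof "
              "-fno-lifetime-dse -fno-exceptions -fno-strict-aliasing -fno-rtti "
              "-pthread -pipe -g -freorder-blocks -Os -fomit-frame-pointer")
DEBIAN_CXX = ("-Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wempty-body -Wcast-align "
              "-fstack-protector-strong -Wformat -Werror=format-security "
              "-fno-exceptions -fno-rtti -pthread -pipe -DNDEBUG -g -Os")

STACK_RE = re.compile(r"-f(no-)?stack-protector(-all|-strong|-explicit)?$")
FORTIFY_RE = re.compile(r"-D_FORTIFY_SOURCE(?:=(\d+))?$")


def audit_flags(flag_string):
    """Return the hardening settings in a flag string; like GCC, the last option wins."""
    result = {"stack_protector": None, "fortify_source": None,
              "format_security": False}
    for flag in shlex.split(flag_string):
        m = STACK_RE.match(flag)
        if m:
            # -fno-stack-protector later on the line switches the protector off.
            result["stack_protector"] = None if m.group(1) else flag[2:]
            continue
        m = FORTIFY_RE.match(flag)
        if m:
            # -D_FORTIFY_SOURCE without a value defines the macro as 1.
            result["fortify_source"] = int(m.group(1) or 1)
        elif flag == "-U_FORTIFY_SOURCE":
            result["fortify_source"] = None
        elif flag in ("-Werror=format-security", "-Wformat-security"):
            result["format_security"] = True
    return result


def missing_hardening(flag_string):
    """List the settings an auditor would not find in the flag string."""
    r = audit_flags(flag_string)
    missing = []
    if r["stack_protector"] is None:
        missing.append("stack protector")
    if not r["fortify_source"]:
        missing.append("_FORTIFY_SOURCE")
    return missing


if __name__ == "__main__":
    for name, flags in (("Ubuntu", UBUNTU_CXX), ("Debian", DEBIAN_CXX)):
        print(name, audit_flags(flags), "missing:", missing_hardening(flags))
```

A "missing" result only says the option is not listed in about:buildconfig; as the hardening-check output in the report shows, the binary itself can still be protected, so the flag list and the binary check should be read together.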