Date: Sun, 30 Dec 2018 14:12:56 +0000
From: bugzilla-noreply@freebsd.org
To: toolchain@FreeBSD.org
Subject: [Bug 233707] www/firefox: fails to build with -fstack-protector-{strong,all} + -Wl,-z,nocopyreloc
Message-ID: <bug-233707-29464-qgtgyZg3RI@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-233707-29464@https.bugs.freebsd.org/bugzilla/>
References: <bug-233707-29464@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233707

--- Comment #7 from Shawn Webb <shawn.webb@hardenedbsd.org> ---
(In reply to Jan Beich from comment #6)
> I've filed an upstream bug to get more feedback.

I doubt this is a bug in upstream. Every major operating system which Mozilla supports supports ASLR, with the sole exception of FreeBSD. The problem is that FreeBSD isn't compiling certain libraries with -fPIC. Once FreeBSD gains some form of address space randomization, whether it be ASR or ASLR, FreeBSD will also need to update base and ports to compile libraries with -fPIC, which HardenedBSD has already done (and, it appears, OpenBSD, too, but I haven't verified that). Granted, the `-fPIC`-ization could happen before the ASR[1] patch lands (and likely would be good preparation for it).

I think Mozilla is in the right here because they're applying security hardening measures. There'd be two ways to fix this: 1) apply fewer security hardening measures in the browser; 2) apply -fPIC where appropriate. Option 2 is the more attractive option.

Granted, browsers are extremely complex applications that are nearly impossible to properly secure, especially given that they execute arbitrary remote code locally.

[1]: https://reviews.freebsd.org/D5603

-- 
You are receiving this mail because:
You are the assignee for the bug.