410617 – www-client/epiphany-3.2.1-r1 ebuild shouldn't unconditionally pax-mark m /usr/bin/epiphany

Bug 410617 - www-client/epiphany-3.2.1-r1 ebuild shouldn't unconditionally pax-mark m /usr/bin/epiphany

Summary: www-client/epiphany-3.2.1-r1 ebuild shouldn't unconditionally pax-mark m /usr...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] GNOME (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Linux Gnome Desktop Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2012-04-03 01:08 UTC by Maxim Kammerer
Modified:	2012-04-14 03:26 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Maxim Kammerer 2012-04-03 01:08:17 UTC

paxctl -m disables important PaX security features. The jit USE flag is already disabled by default for webkit-gtk on hardened, so I think that PaX-marking epiphany executable should be left for the end-user (as is done with midori, for instance).

Comment 1 Maxim Kammerer 2012-04-03 01:11:33 UTC

Relevant: bug #407085, bug #404215.

Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev

2012-04-14 03:26:38 UTC

Good point. Fixed in epiphany-3.4.0.1; if you want the full PaX protection, you can emerge it with USE=-jit.

>*epiphany-3.4.0.1 (14 Apr 2012)
>
>  14 Apr 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  +epiphany-3.4.0.1.ebuild:
>  Version bump with a much improved history storage and a new gtk3.4-style
>  application menu. Add a new jit USE flag to control whether to relax memory
>  protection on PaX systems and allow using jit-enabled webkit-gtk (bug
>  #410617, thanks to Maxim Kammerer for reporting).