QA Notice: The following files contain executable stacks Files with executable stacks will not work properly (or at all!) on some architectures/operating systems. A bug should be filed at http://bugs.gentoo.org/ to make sure the file is fixed. For more information, see http://hardened.gentoo.org/gnu-stack.xml Please include the following list of files in your report: Note: Bugs should be filed for the respective maintainers of the package in question and not hardened@ RWX --- --- usr/lib64/nss/libfreebl3.so.12 emerge -pv nss: dev-libs/nss-3.12.3 USE="-utils" emerge --info: Portage 2.1.6.11 (default/linux/amd64/2008.0/desktop, gcc-4.3.3, glibc-2.9_p20081201-r2, 2.6.29-gentoo x86_64) ================================================================= System uname: Linux-2.6.29-gentoo-x86_64-AMD_Athlon-tm-_64_Processor_3500+-with-gentoo-2.0.0 Timestamp of tree: Thu, 16 Apr 2009 04:30:01 +0000 distcc 3.1 x86_64-pc-linux-gnu [disabled] ccache version 2.4 [disabled] app-shells/bash: 4.0_p17-r1 dev-java/java-config: 1.3.7-r1, 2.1.7 dev-lang/python: 2.6.1-r1 dev-python/pycrypto: 2.0.1-r8 dev-util/ccache: 2.4-r8 dev-util/cmake: 2.6.3-r1 sys-apps/baselayout: 2.0.0 sys-apps/openrc: 0.4.3-r1 sys-apps/sandbox: 1.9 sys-devel/autoconf: 2.13, 2.63-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.19.1-r1 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6a virtual/os-headers: 2.6.28-r1 ACCEPT_KEYWORDS="amd64 ~amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=athlon64 -O2 -pipe -fno-strict-aliasing" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/initng/daemon /etc/initng/net /etc/initng/system /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d" CXXFLAGS="-march=athlon64 -O2 -pipe -fno-strict-aliasing" DISTDIR="/home/media/dist" FEATURES="cvs distlocks elog fixpackages java-strict metadata-transfer multilib-strict parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox" GENTOO_MIRRORS="ftp://mirror.switch.ch/mirror/gentoo/" LANG="it_IT.UTF-8" LC_ALL="it_IT.UTF-8" LDFLAGS="-Wl,-O1" LINGUAS="it" PKGDIR="/home/ftp/packages" PORTAGE_COMPRESS="bzip2" PORTAGE_COMPRESS_FLAGS="-9" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_EXTRA_OPTS=" --timeout=800 --progress " PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/overlays/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="3dnow 3dnowext 3ds 7zip X a52 aac acl acpi alsa amd64 amr apache2 audiofile avahi bash-completion berkdb bl branding bzip2 cairo cal3d caps ccache cdb cddb cdparanoia cdr cg chroot cli cpudetection cracklib crypt css cups curl custom-cflags dbus devhelp dga directfb disk-partition djvu dmi dovecot-sasl dri dts dv dvd dvdr dvdread emboss emerald encode epydoc erandom esd evo exif expat extrafilters fam fame ffmpeg firefox flac fltk foomaticdb fortran gd gdbm ggi gif gimp glib glibc-omitfp glitz glut gmp gnokii gnome gnutls gphoto2 gpm graphviz gsm gstreamer gtk gtkhtml guile hal hbci howl-compat iconv idn ieee1394 imagemagick imlib ipv6 isc isdnlog ithreads java javacomm javascript jbig jce jikes jpeg jpeg2k justify kde kdeenablefinal kdehiddenvisibility kqemu lcms ldap libcaca libnotify linuxthreads-tls lm_sensors logitech-mouse logrotate lzo mad mailwrapper matroska mbox mdb mhash midi mikmod mjpeg mmap mmx mmxext mng motif mozdevelop mp3 mpeg mppe-mppc msn mudflap multilib musepack musicbrainz mysql ncurses network-cron nfs nls nptl nptlonly nsplugin numeric nvidia odbc ode offensive ofx ogg ogre openexr opengl openmp oss pam parport pch pcre pdf perl php png povray ppds pppd print pulseaudio python qa qt3support qt4 quicktime quotes rdesktop readline reflection resolvconf restrict-javascript rtc samba scanner sdl semantic-desktop session slang slp smime sndfile snmp speex spell spl sse sse2 ssl startup-notification subversion svg sysfs syslog tcpd test tetex tga theora threads tidy tiff timidity tk truetype unicode usb userlocales utempter v4l v4l2 vcd vda vorbis vorbis-psy wma wmf wmp xattr xforms xine xinerama xml xorg xpm xprint xscreensaver xulrunner xv xvid xvmc yv12 zeroconf zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" CAMERAS="canon directory panasonic pccam300 " ELIBC="glibc" FOO2ZJS_DEVICES="hp1005 hpp1005" INPUT_DEVICES="mouse evdev keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="it" USERLAND="GNU" VIDEO_CARDS="nvidia nv" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, MAKEOPTS
(In reply to comment #0) > QA Notice: The following files contain executable stacks > Files with executable stacks will not work properly (or at all!) > on some architectures/operating systems. A bug should be filed > at http://bugs.gentoo.org/ to make sure the file is fixed. > For more information, see http://hardened.gentoo.org/gnu-stack.xml > Please include the following list of files in your report: > Note: Bugs should be filed for the respective maintainers > of the package in question and not hardened@ > RWX --- --- usr/lib64/nss/libfreebl3.so.12 > > It seems that this only affects x64 and not x86. It also prevents mozilla from running with mprotect on PAX kernels. I have followed the guide and it seemed that the problem was in 'intel-aes.s' file under the freebl directory. As per the guide, adding this: #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif to the end of file and recompiling solved the problem :))
Created attachment 195388 [details] patch to add from ebuild This is the exact fix, as described in the post. This will just ensure that anyoene else that needs it before it is added to the tree has easy access to it.
https://bugzilla.mozilla.org/show_bug.cgi?id=499584 <~~~ upstream bug report.
I have commited the patch to the mozilla overlay, if all goes well will have it pushed to main tree in a few days.
Fixed with 3.12.3-r1, patch thanks to gentoobugsie
