Bug 337736 - Please add a use flag to x11-libs/qt-webkit allowing JIT to be disabled on hardened systems
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library
Hardware: All Linux
Importance: High enhancement
Assignee: Qt Bug Alias
URL: http://pax.grsecurity.net/docs/mprote...
Whiteboard:
Keywords:
Depends on: 338245
Blocks:
Reported: 2010-09-17 02:07 UTC by Dillon
Modified: 2010-11-19 02:58 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch using IUSE+jit and configure option to disable jit (qt-webit-4.6.2-r1-nojit.patch, 1.19 KB, patch)
2010-09-17 02:08 UTC, Dillon
Spelling error (qt-webkit-4.6.2-r1-nojit.patch, 1.19 KB, patch)
2010-09-20 22:59 UTC, Dillon

Description Dillon 2010-09-17 02:07:02 UTC
JIT requires executable stack pages, and any process performing JavaScript on
hardened kernels will need to run with PAX_MPROTECT disabled. This may allow
easier code execution exploits to work (without the need for pure ret2libc-style
stack preparations, which is harder). Apart from that, the JIT itself can be
vulnerable.
-- p.labushev@gmail.com
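
A small probe for the restriction the description refers to, as an added example that is not part of the bug report or the attached patch: it asks the kernel for the writable-and-executable memory a JIT code buffer needs and reports whether the request was honoured. The function and macro names are illustrative, and the probe reads /proc/self/maps to check the permissions actually applied instead of relying only on mmap's return value.

```c
/* Added example, not from the bug report: probe for JIT-style W+X memory. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#define PAGE ((size_t)sysconf(_SC_PAGESIZE))
#define MAP_PAGE(prot) mmap(NULL, PAGE, (prot), MAP_PRIVATE | MAP_ANONYMOUS, -1, 0)

/* 1 if the mapping containing addr is listed as writable and executable in
 * /proc/self/maps, 0 if it is not, -1 if that file cannot be read. */
static int mapping_is_wx(const void *addr)
{
    unsigned long lo, hi, a = (unsigned long)addr;
    char line[512], perms[5];
    int wx = 0;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 && a >= lo && a < hi)
            wx = perms[1] == 'w' && perms[2] == 'x';
    fclose(f);
    return wx;
}

/* Request an RWX page and check the permissions the kernel actually applied. */
int probe_rwx_mmap(void)
{
    void *p = MAP_PAGE(PROT_READ | PROT_WRITE | PROT_EXEC);
    if (p == MAP_FAILED) return 0;   /* refused outright */
    int wx = mapping_is_wx(p);       /* 0 if write or exec was dropped */
    munmap(p, PAGE);
    return wx != 0;                  /* -1 (no /proc): trust mmap */
}

/* Write to a page, then ask for it to become executable. Nothing is executed. */
int probe_write_then_exec(void)
{
    char *p = MAP_PAGE(PROT_READ | PROT_WRITE);
    if (p == MAP_FAILED) return 0;
    p[0] = 1;                        /* dirty the page */
    int ok = mprotect(p, PAGE, PROT_READ | PROT_EXEC) == 0;
    munmap(p, PAGE);
    return ok;
}

int main(void)
{
    return printf("RWX mmap: %d, write-then-exec: %d\n",
                  probe_rwx_mmap(), probe_write_then_exec()) < 0;
}
```

A result of 0 for both probes means an ordinary JIT code buffer cannot be set up in this process unless the binary is exempted from the restriction.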
Comment 1 Dillon 2010-09-17 02:08:12 UTC
Created attachment 247675
Patch using IUSE+jit and configure option to disable jit

This stopped kwrite from being killed by PaX. I'm not sure what other
applications are affected, but amarok seems to not be one of them as there is
no change.
Comment 2 Dillon 2010-09-20 22:59:38 UTC
Created attachment 248220
Spelling error
Comment 3 Tomás Touceda (RETIRED) gentoo-dev 2010-11-19 02:58:53 UTC
Committed. Thanks again Dillon for the patch.