Bug 361353 - mail-client/thunderbird: thunderbird-bin is installed with pax-mark -m
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
: Normal normal
Assignee: Mozilla Gentoo Team
Reported: 2011-03-30 18:40 UTC by Klaus Kusche
Modified: 2011-12-12 17:01 UTC
Description Klaus Kusche 2011-03-30 18:40:37 UTC
The thunderbird installation by default does a paxctl -m on /usr/lib/thunderbird/thunderbird-bin.

This is absolutely unacceptable w.r.t. security.
The mail program is one of the most endangered programs on the system,
it is confronted with unknown and potentially malicious contents,
so it must run with memory execute protection.

Why is this done?
For javascript JITing?
Compile thunderbird without jit, at least controllable by a USE flag.
There should be no reason at all to run javascript in mails,
and if there is, it will most likely not be performance critical.
Comment 1 Agostino Sarubbo gentoo-dev 2011-03-31 16:25:58 UTC
See bug 345469.

Does it work for you when adding paxctl -M for thunderbird?
Comment 2 Klaus Kusche 2011-03-31 16:53:56 UTC
Yes, thunderbird works fine for me with paxctl mprotect enabled.

However, I'm a pure text mail freak, I don't have a mail 
with rich HTML contents to test.

JavaScript JIT will definitely not work with mprotect turned on,
we already had the same discussion and the same tests for firefox.
When the JIT is turned off in about:config or at compile time,
firefox works fine with mprotect enabled 
(but slower by a factor of >=6 on JavaScript speed tests),
so thunderbird should also work with mprotect.

About bug 345469:

* I never tried to debug thunderbird, my whole system is non-debug.
* That bug looks very strange to me, I have no idea how the problems
described there and paxctl could be related.
As far as I remember, you'll get a SIGKILL and not a SIGSEGV when 
hitting mprotect?
* There are restrictions and problems when debugging mprotect-on-executables.
For example, you cannot attach to a running mprotect-on-process with gdb.
So, for debugging, it is always a good idea to turn mprotect off,
or you will run into troubles.
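
Added example (not part of the bug thread, and not Mozilla or Gentoo code): the write-then-make-executable step a JIT performs, which is the step comment 2 says cannot work with MPROTECT enabled. The name `jit_probe` and the stub bytes are constructed for illustration; it is an assumption that a kernel enforcing such a policy reports the refusal as EACCES or EPERM from mprotect().

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum jit_result { JIT_ERROR = -1, JIT_DENIED = 0, JIT_ALLOWED = 1 };

#if defined(__x86_64__)
#define STUB_RUNNABLE 1   /* the stub below is x86-64 machine code */
#else
#define STUB_RUNNABLE 0   /* other CPUs: only test the permission change */
#endif

/* Constructed sample "JIT output": mov eax, 42 ; ret */
static const unsigned char stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };

/* Emit code into a writable page, then ask for it to become executable.
 * *value_out receives the stub's return value, or -1 if it was not run. */
enum jit_result jit_probe(int *value_out)
{
    long page = sysconf(_SC_PAGESIZE);
    *value_out = -1;
    if (page <= 0)
        return JIT_ERROR;

    unsigned char *buf = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return JIT_ERROR;
    memcpy(buf, stub, sizeof stub);

    /* The step a W^X policy refuses: writable memory becoming executable. */
    if (mprotect(buf, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
        int err = errno;
        munmap(buf, (size_t)page);
        return (err == EACCES || err == EPERM) ? JIT_DENIED : JIT_ERROR;
    }
    if (STUB_RUNNABLE)
        *value_out = ((int (*)(void))(uintptr_t)buf)();
    munmap(buf, (size_t)page);
    return JIT_ALLOWED;
}

int main(void)
{
    int value;
    enum jit_result r = jit_probe(&value);
    printf("RW -> RX: %s (stub returned %d)\n", r == JIT_ALLOWED ? "allowed" :
           r == JIT_DENIED ? "denied" : "error", value);
    return r == JIT_ERROR;
}
```

Running the same binary once with the restriction lifted and once with it enforced shows which marking is actually in effect for the process.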
Comment 3 Agostino Sarubbo gentoo-dev 2011-03-31 17:02:43 UTC
Can you paste emerge --info and paxtest blackhat please?
Comment 4 Klaus Kusche 2011-03-31 17:15:16 UTC
Note: I'm *not* on a hardened system:
I use a Pax kernel, mmap/stack randomization, mprotect enabled and so on,
but I don't use a hardened toolchain,
and I don't use PIE executables, exec randomization or ssp.


Portage 2.1.9.44 (default/linux/amd64/10.0/no-multilib, gcc-4.5.2, glibc-2.13-r2, 2.6.37.4-grsec x86_64)
=================================================================
System uname: Linux-2.6.37.4-grsec-x86_64-Intel-R-_Core-TM-_i7_CPU_Q_820_@_1.73GHz-with-gentoo-2.0.2
Timestamp of tree: Sat, 26 Mar 2011 07:15:01 +0000
app-shells/bash:     4.2_p8
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.7.1-r1
dev-util/cmake:      2.8.4
sys-apps/baselayout: 2.0.2
sys-apps/openrc:     0.8.0
sys-apps/sandbox:    2.5
sys-devel/autoconf:  2.13, 2.68
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.21
sys-devel/gcc:       4.5.2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.4-r1
sys-devel/make:      3.82
virtual/os-headers:  2.6.38 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA dlj-1.1 AdobeFlash-10.1"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -mtune=native -O2 -finline-functions -fomit-frame-pointer -fweb -fivopts -maccumulate-outgoing-args -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -mtune=native -O2 -finline-functions -fomit-frame-pointer -fweb -fivopts -maccumulate-outgoing-args -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs collision-protect distlocks fixlafiles fixpackages keeptemp keepwork news noclean parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS=""
GENTOO_MIRRORS="http://de-mirror.org/distro/gentoo http://gentoo.inode.at http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror http://ftp.spline.inf.fu-berlin.de/mirrors/gentoo http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="en_DE.iso885915"
LC_ALL="en_DE.iso885915"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/portage"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X a52 aac alsa amd64 applet archive ass bogofilter bzip2 cairo cdparanoia cli consolekit contrast cups curl cxx dbus detex devfs-compat dga divx dri dts dvd dvdnav dvdr dvi dvipdfm encode exif expat extra faad flac fontconfig foomaticdb fts3 gif gimp glib glibc-omitfp gmedia gmp gnome gnome-keyring gnutls gs gstreamer gtk iconv inotify jbig jpeg jpeg2k kpathsea lasi latex latex3 lcdfilter lcms libnotify libwww lightning lua lzma lzo mad midi mmap mmx mmxext mng modules mp3 mudflap natspec nautilus ncurses nntp nptl nptlonly nsplugin ogg oldnet pam pango pcre pdf pic png policykit postproc ppds pppd quicktime raw readline realmedia rle rtc sasl scanner secure-delete session smp sndfile soup sqlite sqlite3 sse sse2 sse3 ssh ssl ssse3 svg symlink sysfs system-sqlite t1lib theora threads tiff tremor truetype unlock-notify usb utils vim-with-x vnc vorbis vpx webp wmf wmp xcb xcomposite xorg xpm xrandr xulrunner xv xvid xvmc zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle 
oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" SANE_BACKENDS="epson" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Mode: blackhat
Linux lap 2.6.37.4-grsec #2 SMP PREEMPT Sat Mar 19 10:02:36 CET 2011 x86_64 Intel(R) Core(TM) i7 CPU Q 820 @ 1.73GHz GenuineIntel GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 29 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (PIE)            : 35 bits (guessed)
Main executable randomisation (ET_EXEC)  : 29 bits (guessed)
Main executable randomisation (PIE)      : 29 bits (guessed)
Shared library randomisation test        : 29 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 35 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 35 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Vulnerable
Comment 5 Agostino Sarubbo gentoo-dev 2011-03-31 17:28:11 UTC
OK, I think that you have a hardened toolchain... so for me this is an invalid bug, because if thunderbird does not work on hardened with pax, the ebuild needs pax-mark -m.

Assigning to maintainer.
Comment 6 Jory A. Pratt gentoo-dev 2011-03-31 20:55:45 UTC
We need to ensure it works for the majority of the users, a single case where the user is unhappy is not gonna change things.
Comment 7 Klaus Kusche 2011-04-01 05:35:00 UTC
1.) Gentoo is about choices. It is the (only) distribution which is expected 
to make the non-average user happy, too. And it is one of the few distributions which serve people with security requirements, in fact they make up a significant share in gentoo's user community.

And thunderbird works in both modes. Functionality is equivalent, only speed isn't. If that's not the case, that needs to be analyzed and fixed. We know from firefox that thunderbird should work perfectly fine with mprotect on if configured for that case (JIT turned off either at compile time or in about:config).

So there should be a USE flag which controls whether I want to have thunderbird safe or fast.

2.) Security first. Always. There is no excuse for silently reducing security.

If people want to have it insecure, they should have to switch security off explicitly, but the default must be secure, especially for a mail program which is confronted with all kinds of security hazards.

And a speed difference of 6 on Javascript benchmark between safe and fast mode
might be a significant argument for Web Browsers, but is absolutely
irrelevant for mail readers which in most cases do not need Javascript at all
(and if they need it, it doesn't need to be fast: You don't run Web
applications in your mailer, do you?). 

3.) bug 345469 is a bug. It needs to be analyzed and fixed. Just because some people have a problem (I don't, for me thunderbird works fine even with mprotect turned on), and turning off security seems to make that problem go away (and it is not yet understood why!), it is unacceptable to turn security off in general as a workaround.
Comment 8 Agostino Sarubbo gentoo-dev 2011-04-01 10:00:00 UTC
(In reply to comment #7)
> 1.) Gentoo is about choices. It is the (only) distribution which is expected 
> to make the non-average user happy, too. And it is one of the few distributions
> which serve people with security requirements, in fact they make up a
> significant share in gentoo's user community.
> 
> And thunderbird works in both modes. Functionality is equivalent, only speed
> isn't. If that's not the case, that needs to be analyzed and fixed. We know
> from firefox that thunderbird should work perfectly fine with mprotect on if
> configured for that case (JIT turned off either at compile time or in
> about:config).
> 
> So there should be a USE flag which controls whether I want to have thunderbird
> safe or fast.


no one forbids you to add -M on thunderbird, you're free to do so.

> 2.) Security first. Always. There is no excuse for silently reducing security.
> 
> If people want to have it insecure, they should have to switch security off
> explicitly, but the default must be secure, especially for a mail program
> which is confronted with all kinds of security hazards.
> 
> And a speed difference of 6 on Javascript benchmark between safe and fast mode
> might be a significant argument for Web Browsers, but is absolutely
> irrelevant for mail readers which in most cases do not need Javascript at all
> (and if they need it, it doesn't need to be fast: You don't run Web
> applications in your mailer, do you?). 
> 
> 3.) bug 345469 is a bug. It needs to be analyzed and fixed. Just because some
> people have a problem (I don't, for me thunderbird works fine even with
> mprotect turned on), and turning off security seems to make that problem go
> away (and it is not yet understood why!), it is unacceptable to turn security
> off in general as a workaround.

For me, if tb works for you with -M, then pax does not work properly.
Comment 9 Klaus Kusche 2011-04-01 11:26:14 UTC
> no one forbids you to add -M on thunderbird, you're free to do so.

Bad idea:
* It's easy to forget, especially if thunderbird is implicitly re-emerged as part of a revdep-rebuild or something like that.
* It makes tb's checksum different from what emerge recorded in the CONTENTS file, so tb will show up as a suspicious file.

> For me, if tb works for you with -M, then pax does not work properly.

Why?
As the paxtest result I posted in comment 4 shows, pax works on my system.

I have
~: paxctl -v /usr/lib/thunderbird/thunderbird-bin 
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: ----M--x-e-- [/usr/lib/thunderbird/thunderbird-bin]
	MPROTECT is enabled
	RANDEXEC is disabled
	EMUTRAMP is disabled

and thunderbird is happy.

I don't have any JavaScript in my mails, and everything else is expected to work with mprotect. If it doesn't, there is a bug somewhere which needs to be found and fixed.
Comment 10 Jory A. Pratt gentoo-dev 2011-04-01 13:46:32 UTC
(In reply to comment #9)
> > no one forbids you to add -M on thunderbird, you're free to do so.
> 
> Bad idea:
> * It's easy to forget, especially if thunderbird is implicitly re-emerged as
> part of a revdep-rebuild or something like that.
> * It makes tb's checksum different from what emerge recorded in the CONTENTS
> file, so tb will show up as a suspicious file.
> 
> > For me, if tb works for you with -M, then pax does not work properly.
> 
> Why?
> As the paxtest result I posted in comment 4 shows, pax works on my system.
> 
> I have
> ~: paxctl -v /usr/lib/thunderbird/thunderbird-bin 
> PaX control v0.5
> Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>
> 
> - PaX flags: ----M--x-e-- [/usr/lib/thunderbird/thunderbird-bin]
>     MPROTECT is enabled
>     RANDEXEC is disabled
>     EMUTRAMP is disabled
> 
> and thunderbird is happy.
> 
> I don't have any JavaScript in my mails, and everything else is expected to
> work with mprotect. If it doesn't, there is a bug somewhere which needs to be
> found and fixed.

Obviously you do not understand how mozilla works; a simple addon can and will break thunderbird when mprotect is enabled. As far as this being your choice, you are right: if you do not like the way the package is set up, you can always set up an overlay and remove the paxmark from the ebuild.
Comment 11 Agostino Sarubbo gentoo-dev 2011-04-01 13:59:39 UTC
Jory, np.

In view of the insistence, I'm testing thunderbird on a non-hardened system with only pax / grsec enabled... just for curiosity ;)
Comment 12 Klaus Kusche 2011-04-01 14:10:36 UTC
Why?
I mean, what breaks?

* I can't believe it is the addons mechanism in general which is incompatible
with mprotect, because I have five addons up and running with mprotect, among them Lightning.

Firefox addons also work with mprotect, so where is the problem?

* A plugin depending on Javascript should be no problem as long as Javascript
is compiled or configured non-JIT.

* If it is not the addon mechanism and not Javascript, then the addon is doing
something strange or evil if it is incompatible with mprotect.
Comment 13 Klaus Kusche 2011-04-01 14:13:24 UTC
My last comment was in reply to comment 10.

Ad comment 11: That's what I have here. Not hardened, but PAX, 64 bit.
Comment 14 Jory A. Pratt gentoo-dev 2011-04-02 00:10:52 UTC
(In reply to comment #12)
> Why?
> I mean, what breaks?
> 
> * I can't believe it is the addons mechanism in general which is incompatible
> with mprotect, because I have five addons up and running with mprotect, among
> them Lightning.
> 
> Firefox addons also work with mprotect, so where is the problem?
> 
> * A plugin depending on Javascript should be no problem as long as Javascript
> is compiled or configured non-JIT.
> 
> * If it is not the addon mechanism and not Javascript, then the addon is doing
> something strange or evil if it is incompatible with mprotect.

As mozilla lead I have made my decision, we will not remove paxmark from ebuild. You are free to do so in a local overlay. There is nothing else to discuss here.
Comment 15 Jory A. Pratt gentoo-dev 2011-12-12 17:01:50 UTC
Feel free to work in your personal overlay, but my job is to keep it working for all users of gentoo not the select few it might work for.