Bug 464942 - www-client/firefox-20.0: paxctl -m set on firefox and firefox-bin
Summary: www-client/firefox-20.0: paxctl -m set on firefox and firefox-bin
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal major
Assignee: The Gentoo Linux Hardened Team
Reported: 2013-04-07 11:07 UTC by Klaus Kusche
Modified: 2013-04-11 01:53 UTC
Description Klaus Kusche 2013-04-07 11:07:53 UTC
Before firefox-20, paxctl -m was set only for the plugin-container,
not for the firefox executable itself as long as firefox was built without jit.

The firefox-20 ebuild also sets paxctl -m on firefox and firefox-bin,
even without jit.

This is absolutely unacceptable from a security point of view.

Any feature requiring paxctl in firefox needs to be configurable by a USE flag
to turn it off and build a pax-compatible firefox.
Comment 1 Jory A. Pratt gentoo-dev 2013-04-11 01:53:30 UTC
If you would like to provide a patch that will allow us to disable pax-marking firefox and firefox-bin we are more than open to it. As it stands there is no possible configuration to get back to disabling pax-marking on the binary.