
Bug 464942

Summary: www-client/firefox-20.0: paxctl -m set on firefox and firefox-bin
Product: Gentoo Linux
Reporter: Klaus Kusche <klaus.kusche>
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED INVALID
Severity: major
CC: zerochaos
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Klaus Kusche 2013-04-07 11:07:53 UTC
Before firefox-20, paxctl -m was set only for the plugin-container,
not for the firefox executable itself as long as firefox was built without jit.

The firefox-20 ebuild also sets paxctl -m on firefox and firefox-bin,
even without jit.

This is absolutely unacceptable from a security point of view.

Any feature requiring paxctl in firefox needs to be configurable by a USE flag
to turn it off and build a pax-compatible firefox.
Comment 1 Jory A. Pratt gentoo-dev 2013-04-11 01:53:30 UTC
If you would like to provide a patch that will allow us to disable pax-marking firefox and firefox-bin we are more than open to it. As it stands there is no possible configuration to get back to disabling pax-marking on the binary.
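
For auditing which installed binaries carry the marking discussed in this bug, the following is an added example (not part of the bug report and not code from the Gentoo ebuild). It reads the PT_PAX_FLAGS program header that `paxctl -m` edits and reports whether MPROTECT is disabled. The function names and the constructed sample ELF are assumptions made for illustration, and extended-attribute (XATTR_PAX) markings are not examined.

```python
import struct

PT_PAX_FLAGS = 0x65041580      # PT_LOOS + 0x5041580, the program header paxctl edits
PF_MPROTECT = 1 << 8           # paxctl -M: enforce MPROTECT
PF_NOMPROTECT = 1 << 9         # paxctl -m: disable MPROTECT

def pax_flags(elf: bytes):
    """Return the PT_PAX_FLAGS p_flags word of an ELF image, or None if absent."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = {1: False, 2: True}[elf[4]]       # EI_CLASS
    end = {1: "<", 2: ">"}[elf[5]]           # EI_DATA
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
        flags_off = 4                        # p_flags follows p_type in Elf64_Phdr
    else:
        e_phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        flags_off = 24                       # p_flags is the 7th word in Elf32_Phdr
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_PAX_FLAGS:
            return struct.unpack_from(end + "I", elf, base + flags_off)[0]
    return None

def mprotect_state(elf: bytes) -> str:
    flags = pax_flags(elf)
    if flags is None:
        return "unmarked"                    # no PT_PAX_FLAGS header at all
    if flags & PF_NOMPROTECT:
        return "disabled"                    # the state this bug objects to
    return "enforced" if flags & PF_MPROTECT else "default"

def sample_elf64(p_flags: int) -> bytes:
    """Constructed test input: minimal little-endian ELF64 with one PT_PAX_FLAGS header."""
    ehdr = struct.pack("<4sBBBB8xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                # paths of the binaries to audit
        with open(path, "rb") as f:
            print(path, mprotect_state(f.read()))
```

Run it with the paths of the installed firefox, firefox-bin and plugin-container executables as arguments; any binary reported as `disabled` runs without the MPROTECT restriction.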