| Summary: | www-client/qupzilla-1.6.0 version bump | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Nikoli <nikoli> |
| Component: | Current packages | Assignee: | Qt Bug Alias <qt> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | fssirc, noctuorare |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://blog.qupzilla.com/2014/01/qupzilla-160-released.html | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=499182 | | |
| Whiteboard: | | | |
| Package list: | Runtime testing required: | --- | |
| Attachments: | An ebuild for 1.6.0; A better ebuild for 1.6.0 | | |
Description
Nikoli
2014-01-03 17:37:11 UTC
*** Bug 497204 has been marked as a duplicate of this bug. ***

Created attachment 367374 [details]
An ebuild for 1.6.0
This ebuild added kwallet and gnome-keyring support. Also it will pax-mark the executable file.
Created attachment 367384 [details]
A better ebuild for 1.6.0
Removed unexpected dependency of qtsingleapplication.
This ebuild also installs qupzilla-plugins, which is so small that I see no need to write a separate ebuild.
+ 20 Jan 2014; Ben de Groot <yngwin@gentoo.org> +qupzilla-1.6.0.ebuild: + Version bump, including some improvements from bug #496908

Zhang, why did you add 'pax-mark m "${ED}"/usr/bin/qupzilla'? What are your video drivers?

(In reply to Nikoli from comment #5)
> Zhang, why did you add 'pax-mark m "${ED}"/usr/bin/qupzilla'? What are your
> video drivers?

Intel.
This is necessary if you are going to use Flash in the hardened system. PaX here will kill qupzilla if it is not set that way. If you are asking why we would compromise system security for Flash, this is just the convention that Chromium and Firefox's ebuilds all follow.

I do not have flash or any other netscape plugins in my systems, so I would like to avoid pax marking qupzilla.

(In reply to Nikoli from comment #7)
> I do not have flash or any other netscape plugins in my systems, so I would
> like to avoid pax marking qupzilla.

Well, I think a /etc/portage/bashrc hook can help you.

    #### Post pkg_postinst phase ##########################################
    post_pkg_postinst() {
        ## Disable pax-mark for qupzilla
        if [ ${CATEGORY}/${PN} = "www-apps/qupzilla" ]; then
            paxctl-ng -z /usr/bin/qupzilla
        fi
    }

Or you can write it in post_src_install() which operates the image before the files are actually installed. Similarly, you can do this for any packages that pax-marked undesired binary files, if you know what you are doing.

Oops, should be www-client/qupzilla.

> If you are asking why we would compromise system security for Flash, this is just the convention that Chromium and Firefox's ebuilds all follow.

Is there a link where this convention is written, because I cannot find it. As far as I know, the MPROTECT PaX flag was enabled in Firefox up to the 24.1.1 version. The reason why it was disabled was because Firefox didn't start and MPROTECT was disabled due to ion jit.
See these links:
http://forums.gentoo.org/viewtopic-t-974658-start-0.html
http://hardenedgentoo.blogspot.ru/2012/06/default-mprotect-restriction-for.html
It was not disabled because of flash.

(In reply to fssirc from comment #10)
> > If you are asking why we would compromise system security for Flash, this is just the convention that Chromium and Firefox's ebuilds all follow.
>
> Is there a link where this convention is written, because I cannot find it.
> As far as I know, the MPROTECT PaX flag was enabled in Firefox up to the
> 24.1.1 version. The reason why it was disabled was because Firefox didn't
> start and MPROTECT was disabled due to ion jit. See these links:
>
> http://forums.gentoo.org/viewtopic-t-974658-start-0.html
> http://hardenedgentoo.blogspot.ru/2012/06/default-mprotect-restriction-for.html
>
> It was not disabled because of flash.

http://git.overlays.gentoo.org/gitweb/?p=proj/mozilla.git;a=commitdiff;h=90fdaec48345fc4dc6065fdf4537b5b3f6606b03

I am not sure whether there are any further old discussions. From what I see, they were taking that into account. I think what you showed is not the same issue. Marking Qupzilla for Flash is because Qupzilla doesn't isolate its plugin module. Firefox has its plugin-container isolated (I think back to the days of 2.x it was not). I am not sure of the very beginning state of plugin-container marking. (I wish I didn't report something wrong. I remember I also reported similar issues for Konqueror's nsplugins. If I were destroying the security of you guys, I am doomed...)

Not all people use flash; most people who use hardened care about security and avoid flash. Even if you have flash installed, you may not want to use it in all browsers.
I think pax marking qupzilla by default does not make sense; a pkg_postinst message is enough, something like this:

    pkg_postinst(){
        if has_version www-plugins/adobe-flash; then
            ewarn "For using adobe flash plugin you most likely need to run \"paxctl-ng -m /usr/bin/qupzilla\""
        fi
    }

I think it would be a good solution. Personally, I have never used flash since I started using Hardened Gentoo.
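The /etc/portage/bashrc hook suggested in the thread, written in its post_src_install form with the corrected www-client/qupzilla atom, as an added example that is not code from the bug report or the ebuild. It generalizes the hook to a list of packages; PAX_RESET_LIST, PAXCTL and pax_reset_paths are hypothetical names introduced here.

```bash
# /etc/portage/bashrc fragment (added example, not from the bug report).
# Hypothetical list of "category/package:path" entries whose PaX marking
# the administrator wants undone after the ebuild has applied it.
PAX_RESET_LIST="
www-client/qupzilla:/usr/bin/qupzilla
"

# Hypothetical override so the hook can be exercised without paxctl-ng.
: "${PAXCTL:=paxctl-ng}"

# Print the listed paths for one package atom, one per line.
pax_reset_paths() {
    local atom=$1 entry
    for entry in ${PAX_RESET_LIST}; do
        case ${entry} in
            "${atom}":*) printf '%s\n' "${entry#*:}" ;;
        esac
    done
}

# Runs after src_install, so it works on the image directory before the
# files are merged to the live filesystem.
post_src_install() {
    local image=${ED:-${D}} path target
    for path in $(pax_reset_paths "${CATEGORY}/${PN}"); do
        target="${image%/}${path}"
        if [ -f "${target}" ]; then
            # Same "paxctl-ng -z" call as the hook posted in the thread.
            "${PAXCTL}" -z "${target}" ||
                echo "PaX reset failed for ${target}" >&2
        fi
    done
}
```

Packages that are not listed, or listed paths that are missing from the image, are left untouched.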