Request to compile Firefox with -fpie and -pie options to fully support ASLR

[LinuxSpring1]

I was looking at firefox that is installed from the MX Repositories and noticed that the Firefox executable is not compiled with Position-Independent Code flag. Please see the code section below for more details. Due to this firefox executable does not use the power of ASLR (Address Space Layout Randomization). This is required so that attack vectors like Buffer Overflows are prevented. Would it be possible for the MX Developers to compile the entire firefox package, i.e. including binaries and shared libs, with the required flags for upcoming releases?

Code: Select all

$ file -e elf /opt/firefox/firefox
/opt/firefox/firefox: ELF 64-bit LSB executable, x86-64, version 1 (SYSV)
$
$ readelf -h /opt/firefox/firefox
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x2018dc
  Start of program headers:          64 (bytes into file)
  Start of section headers:          3640 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         11
  Size of section headers:           64 (bytes)
  Number of section headers:         28
  Section header string table index: 27

The output of the first command says LSB executable and the value of the key Type in the second command is given as EXEC (Executable file), which indicates that Firefox executable is not a PIC.
For reference see the output for LibreOffice which is installed from Debian repositories given below. Over there the output of the first command says LSB pie executable and the value of the key Type in the second command is given as DYN (Position-Independent Executable file). This indicates that the binary of LibreOffice is a PIC unlike Firefox.

Code: Select all

$ file -e elf /usr/lib/libreoffice/program/soffice.bin
/usr/lib/libreoffice/program/soffice.bin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV)
ultramarine@satyaki:~
$ readelf -h /usr/lib/libreoffice/program/soffice.bin
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              DYN (Position-Independent Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x1090
  Start of program headers:          64 (bytes into file)
  Start of section headers:          12752 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         13
  Size of section headers:           64 (bytes)
  Number of section headers:         30
  Section header string table index: 29

Also I have checked that most of the MX utilities like Boot Repair, Boot Cleanup, MX Cleanup, Date and Time, etc are compiled with the required flags to make them PIC.

[dolphin_oracle]

We actually package firefox binaries as provided by mozilla, so no.

[LinuxSpring1]

Would it be possible for MX Developers or technical architect/lead to broach this with Mozilla developers or its team? So that they can start to package binaries with the PIE option enabled? I would be a welcome step to increase the security of Firefox on Linux.

[Eadwine Rose]

You can open a report over at Mozilla for this. MX Developers have enough work to do after all.

https://support.mozilla.org/en-US/kb/fi ... st-mozilla

[LinuxSpring1]

I checked in Mozilla's Bugzilla. Found quite a few bugs related to this, 620058, 857628, etc. In all of them it seems that Mozilla has enabled the PIE option in their CLang compiler build files about 6-8 years ago.

Also noticed that in the discussions it is mentioned that other Linux Distributions like Ubuntu, Debian, etc build their own Firefox builds and all of them are built with the PIE option set. However in the case of MX Linux that is not the case. This leaves the users of MX Linux vulnerable to buffer exploits when they use Firefox.

[Stevo]

Then you may wish to try Mozilla's apt repository. https://support.mozilla.org/en-US/kb/in ... efox-linux

But our current mozillabinaries packages are statically built by...Mozilla.

This is relatively new, so we may think of switching to their apt repository if it works instead of wrapping their static binaries into debs. It'd be ironic if their apt repo is actually the same exact thing we are currently doing, but hey, more time for our own packaging!

Mozilla apps are built using the Rust compiler, and require just about the most recent version, too...except for the older LTS firefox-esr version in the released Debian repos. This makes the cutting edge releases impracticable to compile except on the testing and unstable Debian development versions.

Code: Select all

$ apt policy firefox-esr
firefox-esr:
  Installed: (none)
  Candidate: 115.15.0esr-1~deb12u1
  Version table:
     115.15.0esr-1~deb12u1 500
        500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
     115.14.0esr-1~deb12u1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages

[LinuxSpring1]

Then you may wish to try Mozilla's apt repository. https://support.mozilla.org/en-US/kb/in ... efox-linux

But our current mozillabinaries packages are statically built by...Mozilla.

This is relatively new, so we may think of switching to their apt repository if it works instead of wrapping their static binaries into debs. It'd be ironic if their apt repo is actually the same exact thing we are currently doing, but hey, more time for our own packaging!

Just to be clear, in the Mozilla KB article page that was shared earlier there are two options mentioned to build Firefox. Firstly is the option of Install Firefox .deb package for Debian-based distributions and the second option is Install Firefox from Mozilla builds. And MX is using the first option, i.e. MX team downloads the firefox related packages from Mozilla's servers like https://packages.mozilla.org/apt/ and then hosts them inside MX Package servers. Without any modification. Is that correct?
MX Team does not use the second option, i.e. Install Firefox from Mozilla builds. Which will entail MX team to download the package and then build it for various architectures.

[Stevo]

We can't compile the Firefox source code on any MX version/Debian release because of the newer Rust and Cargo version build requirements. A few years back, Debian was doing backports for it, until Mozilla started really going to town on requiring the latest releases of Rust, and the backports maintainer threw up their hands and gave up.

A deb package is just an installable container for any kind of file. We just put the Mozilla-compiled packages into that container, along with some other customization and helper files, to make it easy to add to our repos.

I think I'm the only one building a fork of Firefox 24.5, called Pale Moon, from source code into Debian packages, though. That uses the the standard gcc compiler suite.

I don't know if this applies for Debian's compiled Firefox, but most Debian compiled packages are built with the aid of debhelper, which has a lot of "smarts" built into it. Some hardening is automatic depending on the compiler version, and more or less can be manually specified.

https://wiki.debian.org/Hardening

[LinuxSpring1]

Thanks @Stevo. So we are taking the first option. Will raise a ticket with Mozilla regarding this.

Update:
Created a post in the Mozilla community forums. Could not create an account in Mozilla Bugzilla due to which was not able to post a bug.

[siamhie]

You could use LibreWolf (FF clone).

1. Firefox telemetry stripped.
2. Cookies and History deleted when session is closed.
3. Cache is stored in RAM and not on disk.
4. ResistFingerprinting enabled by default.
5. WebGL disabled by default.
6. Enhanced Tracking Protection in Strict mode by default.
7. Comes with uBO installed.

Code: Select all

readelf -h /usr/share/librewolf/librewolf
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              DYN (Position-Independent Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x28690
  Start of program headers:          64 (bytes into file)
  Start of section headers:          804320 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         12
  Size of section headers:           64 (bytes)
  Number of section headers:         29
  Section header string table index: 28