[tor-bugs] #20439 [Applications/Tor Browser]: The firefox binary in Tor Browser on OSX is not PIE

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 24 11:16:23 UTC 2016 

#20439: The firefox binary in Tor Browser on OSX is not PIE
--------------------------------------+--------------------------
 Reporter:  boklm                     |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-hardened              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by boklm):

 Replying to [comment:2 gk]:
 > I think ideally I'd like to have all necessary changes in one place and
 not split into different repos (especially if it is only about setting the
 proper compiler/linker flags).

 > I am not sure, though, I understand yet why your first try is failing
 while the second succeeds.

 I am not completely sure either, but it looks like libtool in
 `js/src/ctypes/libffi` is parsing the arguments to find the type of
 command it is running, and having `-fPIE` in the arguments makes it fail.
 I think the second succeeds because `-fPIE` is not in the list of
 arguments in this case.

 A better fix might be to patch libffi to use the `--tag=` options when
 calling libtool. I will try that.

 > Thus, it is a bit hard to make a good case for e.g. putting everything
 into .mozconfig-mac. That said, if missing PIE affects other components as
 well (tor comes to mind here) we might indeed want to think about a more
 general, non-mozconfig solution anyway...

 tor is not affected, I think because the configure.ac is adding the
 `-fPIE` and `-pie` flags. The pluggable transports are not PIE, but they
 are not built using llvm. So the only component affected by this at the
 moment seems to be firefox.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20439#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list