FS#49360 - [thunderbird] Harden thunderbird by building with full read-only relocation

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Monday, 16 May 2016, 20:46 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 08 June 2016, 15:55 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Jan de Groot (JGC)
Evangelos Foutras (foutrelis)
Jan Alexander Steffens (heftig)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Hi,

As a mailer parsing HTML, Thunderbird is more exposed to security issues than most programs. In addition to that, a fair number of flaws fixed in Firefox impact Thunderbird as well but are fixed there several days later, even weeks sometimes, leaving a longer exposure window.
I think it would be nice to build Thunderbird with full RELRO, as is done for example by Red Hat [1]. We already have partial RELRO by default.
I have verified that simply adding the following line in the build() function of the current PKGBUILD is enough to build Thunderbird with full RELRO (patch attached). This might have a slight performance impact on the startup time of Thunderbird, but I have found it to be negligible in my setup, and it didn't stop other distros from enabling this security measure either.

This is clearly a low priority request, but I think it's worth adding it to the next rebuild.

Thanks!

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1283945

Closed by  Doug Newgard (Scimmia)
Wednesday, 08 June 2016, 15:55 GMT
Reason for closing:  Implemented
Additional comments about closing:  thunderbird 45.1.1-1
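
Added example (not part of the original report or of the Arch package): a way to confirm whether a built binary has partial or full RELRO, by classifying the output of `readelf -W -l -d`. Full RELRO means a GNU_RELRO segment plus immediate binding; the function names, the `check_file` wrapper and the sample readelf excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify RELRO from the text printed by `readelf -W -l -d FILE`.

# relro_level reads readelf output on stdin and prints: none | partial | full
relro_level() {
    awk '
        # PT_GNU_RELRO program header: the linker was given -z relro.
        $1 == "GNU_RELRO" { relro = 1 }
        # Eager binding (-z now) shows up as a DT_BIND_NOW entry,
        # as BIND_NOW in DT_FLAGS, or as NOW in DT_FLAGS_1.
        $2 == "(BIND_NOW)" { now = 1 }
        $2 == "(FLAGS)" && /BIND_NOW/ { now = 1 }
        $2 == "(FLAGS_1)" && / NOW( |$)/ { now = 1 }
        END {
            if (relro && now) print "full"
            else if (relro)   print "partial"
            else              print "none"
        }'
}

# check_file is a hypothetical wrapper for a real binary (needs binutils).
check_file() { readelf -W -l -d "$1" | relro_level; }

# Constructed readelf excerpts (not taken from a real Thunderbird build).
sample_partial() { cat <<'EOF'
  GNU_RELRO      0x002de8 0x0000000000003de8 0x0000000000003de8 0x000218 0x000218 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}
sample_full() { cat <<'EOF'
  GNU_RELRO      0x002dc8 0x0000000000003dc8 0x0000000000003dc8 0x000238 0x000238 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
EOF
}
sample_none() { cat <<'EOF'
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}

for s in sample_none sample_partial sample_full; do
    printf '%s: %s\n' "$s" "$($s | relro_level)"
done
```

Run `check_file` against the main executable and against each bundled shared object in the package, since RELRO is recorded per ELF file.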
