FS#49360 - [thunderbird] Harden thunderbird by building with full read-only relocation
Attached to Project:
Arch Linux
Opened by Remi Gacogne (rgacogne) - Monday, 16 May 2016, 20:46 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 08 June 2016, 15:55 GMT
Details
Hi,
As a mailer parsing HTML, Thunderbird is more exposed to security issues than most programs. In addition to that, a fair number of flaws fixed in Firefox impact Thunderbird as well but are fixed there several days later, even weeks sometimes, leaving a longer exposure window.
I think it would be nice to build Thunderbird with full RELRO, as is done for example by Red Hat [1]. We already have partial RELRO by default. I have verified that simply adding the following line in the build() function of the current PKGBUILD is enough to build Thunderbird with full RELRO (patch attached).
This might have a slight performance impact on the startup time of Thunderbird, but I have found it to be negligible in my setup, and it didn't stop other distros from enabling this security measure either.
This is clearly a low priority request, but I think it's worth adding it to the next rebuild.
Thanks!
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1283945
Closed by Doug Newgard (Scimmia)
Wednesday, 08 June 2016, 15:55 GMT
Reason for closing: Implemented
Additional comments about closing: thunderbird 45.1.1-1