https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233707
--- Comment #7 from Shawn Webb <shawn.w...@hardenedbsd.org> --- (In reply to Jan Beich from comment #6) > I've filed an upstream bug to get more feedback. I doubt this is a bug in upstream. Every major operating system in which Mozilla supports supports ASLR, with the sole exception of FreeBSD. The problem is that FreeBSD isn't compiling certain libraries with -fPIC. Once FreeBSD gains some form of address space randomization, whether it be ASR or ASLR, FreeBSD will also need to update base and ports to compile libraries with -fPIC, which HardenedBSD has already done (and, it appears, OpenBSD, too, but I haven't verified that). Granted, the `-fPIC`-ization could happen before the ASR[1] patch lands (and likely would be good preparation for it). I think Mozilla is in the right here because they're applying security hardening measures. There'd be two ways to fix this: 1) apply fewer security hardening measures in the browser; 2) apply -fPIC where appropriate. Option 2 is the more attractive option. Granted, browsers are extremely complex applications that are nearly impossible to properly secure, especially given that they execute arbitrary remote code locally. [1]: https://reviews.freebsd.org/D5603 -- You are receiving this mail because: You are the assignee for the bug. _______________________________________________ freebsd-toolchain@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-toolchain To unsubscribe, send any mail to "freebsd-toolchain-unsubscr...@freebsd.org"
