Excerpts from Tóth Attila's message of Sat Dec 31 19:22:11 -0700 2011:
>
> Handling the firefox situation at the ebuild level is pretty simple, since
> we have pax-marking available now for use. The real solution would be to
> teach upstream about security and proper memory handling. As it was
> mentioned by paxteam and others as well. Like it is not just erroneous
> from the security point of view, but the whole concept of fixed address
> mmap is not correct.

The bug [1] referenced earlier contains a patch which allows again the use of RANDMMAP (paxctl -R) with FF9. (At least it works for me and for the filer of the bug.) As mentioned earlier, this is a better solution than pax-mark r. Many thanks to zakalwe and pageexec for making this patch available so quickly.

(I'm getting a very full /etc/portage/patches lately. Only this one is related to hardened; the others are instead for silly things that probably shouldn't be installed anyway.)

At least this "wake up call" had me test out some alternate browsers.

[1] https://bugs.gentoo.org/show_bug.cgi?id=396275

--
Regards, wmw