Open Bug 1843501 Opened 2 years ago Updated 1 year ago

Increase FORTIFY_SOURCE from 2 to 3

Categories

(Firefox Build System :: General, enhancement)

Product:
Firefox Build System
Component:
General
Version:
Firefox 115
Type:
enhancement

Tracking

(Not tracked)

Status:
UNCONFIRMED

People

(Reporter: juippis, Unassigned)

Details

Steps to reproduce:

Modern compilers in their current releases support hardened FORTIFY_SOURCE=3 while Firefox's build system forces 2. Apparently just updating -D_FORTIFY_SOURCE=2 to -D_FORTIFY_SOURCE=3 works, but some people responsible of security side of things probably want to confirm the differences and caveats.

Actual results:

The FORTIFY_SOURCE in Firefox is outdated.

Expected results:

It should be updated to line with modern compilers capabilities.

Downstream bug with more information:
https://bugs.gentoo.org/910071

Component: Untriaged → Security
Product: Firefox → Core
Component: Security → General
Product: Core → Firefox Build System

Looks like Arch is building Firefox successfully with FORITFY_SOURCE=3.
Not sure if that tracks, due to bug 1418398 and https://searchfox.org/mozilla-central/rev/eadfec923e2b9c927ade8d0dd4f08a82da50a8a9/build/moz.configure/toolchain.configure#2383-2389.

But if we can confirm this working, it might be a cheap win.

In Gentoo we too already do a sed to enable FORTIFY_SOURCE=3 on build/moz.configure/toolchain.configure when +hardened use flag is specified.

https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/firefox/firefox-118.0.2.ebuild?id=673ff5ed9ae5da6c5fd58bf9c0b2fe2c138742a8#n930

So far no reports regarding this, so it's looking good.

You need to log in before you can comment on or make changes to this bug.