From: Tóth Attila
To: gentoo-hardened@lists.gentoo.org
Date: Thu, 11 Aug 2016 18:01:38 +0200
Subject: [gentoo-hardened] firefox and thunderbird uses compile-time python2.7 without -E
Message-ID: <27953337550eb7282b8cb15d33399aef.squirrel@atoth.sote.hu>

I was busy trying to figure out how it happens that the system ends up generating binaries without a GNU_STACK header in case pax marking is supposed to happen during the ebuild (1-3). I also noticed that the current firefox and thunderbird ebuilds use a compile-time python2.7 instance without -E marking, therefore throwing a bunch of "denied RWX mmap of " messages in the log.

The two binaries are:
/var/tmp/portage/mail-client/thunderbird-45.2.0/work/thunderbird-45.2.0/tbird/_virtualenv/bin/python2.7
and
/var/tmp/portage/www-client/firefox-48.0/work/firefox-48.0/ff/_virtualenv/bin/python2.7

I'm not sure what would be the proper treatment here...

1. https://bugs.gentoo.org/show_bug.cgi?id=590422
2. https://bugs.gentoo.org/show_bug.cgi?id=590334
3. https://bugs.gentoo.org/show_bug.cgi?id=589828

-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
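
A check for the two conditions reported above, as an added example that is not part of the original message or of any Gentoo tooling: it reads an ELF file's program headers and reports whether a GNU_STACK header is present and how the EMUTRAMP (`-E`/`-e`) bit is marked. It assumes PT_PAX-style markings stored in the ELF itself; XATTR_PAX markings kept in the `user.pax.flags` extended attribute are not read, and the function names and the sample ELF image are constructed for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header carrying stack permissions
PT_PAX_FLAGS = 0x65041580  # program header carrying PT_PAX markings
PF_X = 0x1
PF_EMUTRAMP, PF_NOEMUTRAMP = 1 << 12, 1 << 13  # paxctl -E / -e

def audit_elf(data):
    """Report GNU_STACK presence and the PT_PAX EMUTRAMP marking of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if data[4] == 2:                            # EI_CLASS: 2 = ELF64
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                           # p_flags follows p_type
    else:                                       # ELF32
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                          # p_flags is the 7th word
    report = {"gnu_stack": "missing", "emutramp": "no PT_PAX_FLAGS header"}
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
        if p_type == PT_GNU_STACK:
            report["gnu_stack"] = "executable" if p_flags & PF_X else "non-executable"
        elif p_type == PT_PAX_FLAGS:
            report["emutramp"] = ("enabled (E)" if p_flags & PF_EMUTRAMP else
                                  "disabled (e)" if p_flags & PF_NOEMUTRAMP else
                                  "unset (-)")
    return report

def build_sample_elf64(phdrs):
    """Constructed input: little-endian ELF64 header plus (p_type, p_flags) entries."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    table = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ident + header + table

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # audit a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], audit_elf(fh.read()))
    else:                                       # otherwise show the constructed sample
        print(audit_elf(build_sample_elf64([(1, 5)])))  # only PT_LOAD: GNU_STACK missing
```

Run against a file path, it prints the same report for a real binary, so the result can be compared before and after the ebuild's marking phase.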