chromium-browser not built PIE on ARM

chromium-browser-9.0.597.94~r73967-0's 10.10 build works well on 10.04, and hey share the same source
download from https://launchpad.net/ubuntu/+source/chromium-browser

however, I'd compare the different of buildlog between 10.04 and 10.10.
10.10 diabled hardening wrapper in the build, but 10.04 doesn't.
I'll try a natively build of chromium-browser-9.0.597.94~r73967 without hardening wrapper on 10.04 armel.

I think it's more related to armv7=0 on 10.10+ and armv7=1 in 10.04. I guess it should be the opposite.

See http://src.chromium.org/svn/branches/597/src/build/common.gypi for what's behind this flag.

I can't test myself as i don't have access to any ARM h/w, so i'm open to suggestions.

tried disable hardening wrapper and rebuild and it works well now.
attached the rebuilt binary package for test

my changes as below

debian/rules
- ifeq (,$(filter 10.10 11.04,$(DEBIAN_DIST_VERSION)))
+ ifeq (,$(filter 10.04 10.10 11.04,$(DEBIAN_DIST_VERSION)))

Browsers are the #1 target for attackers, so it's urgent that we make sure that chromium on ARM is as hardened as on the other architectures. The primary difference between default build and the hardening-wrapper is the use of PIE.

So to clarify, disabling PIE is not the solution we are looking for here, it's just a workaround? I. e. the actual bug is that it crashes with PIE?

We don't have arm hardware in the desktop team, so I reassign this to mobile for now. Also, note that chromium is not in main, so the canonical teams don't officially support it. I. e. if it's too hard to fix with PIE on arm, I guess PIE could just be disabled?

@pitti: yes, it's just a workaround. I (as maintainer) don't have the hardware to fix it myself either. Contributions welcome.

This bug was fixed in the package chromium-browser - 9.0.597.107~r75357-0ubuntu1

---------------
chromium-browser (9.0.597.107~r75357-0ubuntu1) natty; urgency=high

  * New upstream release from the Stable Channel (LP: #726895)
    This release fixes the following security issues:
    + Webkit bugs:
      - [54262] High, URL bar spoof with history interaction. Credit to Jordi
        Chancel.
      - [68263] High, Stylesheet node stale pointer. Credit to Sergey Glazunov.
      - [68741] High, Stale pointer with key frame rule. Credit to Sergey
        Glazunov.
      - [70078] High, Crash with forms controls. Credit to Stefan van Zanden.
      - [70244] High, Crash in SVG rendering. Credit to Sławomir Błażek.
      - [71114] High, Stale node in table child handling. Credit to Martin
        Barbella.
      - [71115] High, Stale pointer in table rendering. Credit to Martin
        Barbella.
      - [71296] High, Stale pointer in SVG animations. Credit to miaubiz.
      - [71386] High, Stale nodes in XHTML. Credit to wushi of team509.
      - [71388] High, Crash in textarea handling. Credit to wushi of team509.
      - [71595] High, Stale pointer in device orientation. Credit to Sergey
        Glazunov.
      - [71855] High, Integer overflow in textarea handling. Credit to miaubiz.
      - [71960] Medium, Out-of-bounds read in WebGL. Credit to Google Chrome
        Security Team (Inferno).
      - [73235] High, Stale pointer in layout. Credit to Martin Barbella.
    + Chromium bugs:
      - [63732] High, Crash with javascript dialogs. Credit to Sergey
        Radchenko.
      - [64-bit only] [70376] Medium, Out-of-bounds read in pickle
        deserialization. Credit to Evgeniy Stepanov of the Chromium development
        community.
      - [71717] Medium, Out-of-bounds read in WebGL. Credit to miaubiz.
      - [72214] High, Accidental exposure of internal extension functions.
        Credit to Tavis Ormandy of the Google Security Team.
      - [72437] High, Use-after-free with blocked plug-ins. Credit to Chamal de
        Silva.
  * Bump the lang-pack package from Suggests to Recommends (LP: #689267)
    - update debian/control
  * Disable PIE on Armel/Lucid (LP: #716703)
    - update debian/rules
  * Add the disk usage to the Apport hooks
    - update debian/apport/chromium-browser.py
  * Drop gyp from Build-Depends, use in-source gyp instead
    - update debian/control
  * Merge back the ffmpeg codecs (from the chromium-codecs-ffmpeg source package)
    - update debian/rules
    - update debian/control
    - add debian/chromium-codecs-ffmpeg-extra.install
    - add debian/chromium-codecs-ffmpeg.install
 -- Fabien Tassin <email address hidden> Tue, 01 Mar 2011 00:14:02 +0100

Just committed a workaround (disable PIE on arm) as I don't want to delay the security update, but a real fix is still preferred, reopening

This bug was fixed in the package chromium-browser - 9.0.597.107~r75357-0ubuntu0.10.04.1

---------------
chromium-browser (9.0.597.107~r75357-0ubuntu0.10.04.1) lucid-security; urgency=high

  * New upstream release from the Stable Channel (LP: #726895)
    This release fixes the following security issues:
    + Webkit bugs:
      - [54262] High, URL bar spoof with history interaction. Credit to Jordi
        Chancel.
      - [68263] High, Stylesheet node stale pointer. Credit to Sergey Glazunov.
      - [68741] High, Stale pointer with key frame rule. Credit to Sergey
        Glazunov.
      - [70078] High, Crash with forms controls. Credit to Stefan van Zanden.
      - [70244] High, Crash in SVG rendering. Credit to Sławomir Błażek.
      - [71114] High, Stale node in table child handling. Credit to Martin
        Barbella.
      - [71115] High, Stale pointer in table rendering. Credit to Martin
        Barbella.
      - [71296] High, Stale pointer in SVG animations. Credit to miaubiz.
      - [71386] High, Stale nodes in XHTML. Credit to wushi of team509.
      - [71388] High, Crash in textarea handling. Credit to wushi of team509.
      - [71595] High, Stale pointer in device orientation. Credit to Sergey
        Glazunov.
      - [71855] High, Integer overflow in textarea handling. Credit to miaubiz.
      - [71960] Medium, Out-of-bounds read in WebGL. Credit to Google Chrome
        Security Team (Inferno).
      - [73235] High, Stale pointer in layout. Credit to Martin Barbella.
    + Chromium bugs:
      - [63732] High, Crash with javascript dialogs. Credit to Sergey
        Radchenko.
      - [64-bit only] [70376] Medium, Out-of-bounds read in pickle
        deserialization. Credit to Evgeniy Stepanov of the Chromium development
        community.
      - [71717] Medium, Out-of-bounds read in WebGL. Credit to miaubiz.
      - [72214] High, Accidental exposure of internal extension functions.
        Credit to Tavis Ormandy of the Google Security Team.
      - [72437] High, Use-after-free with blocked plug-ins. Credit to Chamal de
        Silva.
  * Bump the lang-pack package from Suggests to Recommends (LP: #689267)
    - update debian/control
  * Disable PIE on Armel/Lucid (LP: #716703)
    - update debian/rules
  * Add the disk usage to the Apport hooks
    - update debian/apport/chromium-browser.py
  * Drop gyp from Build-Depends, use in-source gyp instead
    - update debian/control
  * Merge back the ffmpeg codecs (from the chromium-codecs-ffmpeg source package)
    - update debian/rules
    - update debian/control
    - add debian/chromium-codecs-ffmpeg-extra.install
    - add debian/chromium-codecs-ffmpeg.install
 -- Fabien Tassin <email address hidden> Tue, 01 Mar 2011 00:14:02 +0100

this is a crasher in Lucid when built with PIE I guess, but in this case the bug title is misleading.
related to bug 641126 which is about not being able to link with -fPIE in natty.
Should this bug be closed?