libnss3 reads fips_enabled flag and automatically switches to FIPS mode

Bug #1837734 reported by Vineetha Kamath
This bug affects 2 people

Affects          Status         Importance   Assigned to        Milestone
nss (Ubuntu)     Fix Released   High         Vineetha Kamath
  Xenial         Won't Fix      Undecided    Unassigned
  Bionic         Won't Fix      Undecided    Unassigned
  Disco          Won't Fix      Undecided    Unassigned
  Eoan           Fix Released   High         Vineetha Kamath

Bug Description

[IMPACT]
nss is not a FIPS certified library. On a machine running a FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration, and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag, and thereby the automatic switch of the library into FIPS mode.

The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. Users of the library can, however, still force nss into FIPS mode via an environment variable. We plan to leave that as is so as not to regress existing users who may be relying on it.

The issue impacts libnss3 versions in eoan, disco, bionic and xenial.

lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10

Version: 2:3.45-1ubuntu1

lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04

Version: 2:3.42-1ubuntu2

lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04

Version: 2:3.35-2ubuntu2.3

lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04

Version: 2:3.28.4-0ubuntu0.16.04

[FIX]
This fix proposes to disable libnss3 reading /proc/sys/crypto/fips_enabled. We only want FIPS certified modules reading this file and running in FIPS mode. libnss3 is not one of our FIPS certified modules, so it should not be reading this file, along with our FIPS certified modules, to determine whether to run in FIPS mode.

Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. Users who choose this option should be doing so with awareness of it.

[TEST]
Tested on xenial and bionic desktop ISOs running a FIPS enabled kernel in FIPS mode. With the patch, no crashes were observed when launching the firefox browser. Without the patch, firefox crashes.

Tested on xenial and bionic desktop ISOs running the non-FIPS generic kernel. With the patch, firefox worked as expected and no changes were observed.

[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled, and it is not available in the standard Ubuntu archive. For users forcing FIPS through the environment variable, nothing has changed.
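The description above gives two inputs that decide whether libnss3 starts in FIPS mode: the kernel's /proc/sys/crypto/fips_enabled flag (read only by the unpatched library) and the NSS_FIPS environment variable (honoured either way). The script below is an added example, not code from the bug report or from the nss package, that works out the mode the library is expected to start in on the current host for both the unpatched and the patched behaviour, and optionally confirms the actual state of an NSS database with modutil. It assumes that any non-empty NSS_FIPS value forces FIPS mode (the report does not say which values count) and that `modutil -chkfips true` exits zero only when the module is in FIPS mode.

```shell
#!/bin/sh
# Added example (not from the bug report): predict and check libnss3 FIPS mode.
# Assumptions: the kernel flag is /proc/sys/crypto/fips_enabled and libnss3
# honours NSS_FIPS (both stated in the report); any non-empty NSS_FIPS value
# is treated as forcing FIPS mode (assumption, the report names no values).

# kernel_fips_enabled [FLAGFILE]
#   Prints 1 if FLAGFILE exists and its first line starts with "1", else 0.
#   Missing file (non-FIPS kernel, or no FIPS kernel installed) counts as 0.
kernel_fips_enabled() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    value=""
    if [ -r "$flag" ]; then
        read -r value < "$flag" 2>/dev/null || value=""
    fi
    case "$value" in
        1*) echo 1 ;;
        *)  echo 0 ;;
    esac
}

# nss_expected_mode FLAGFILE NSS_FIPS_VALUE READS_PROC
#   Prints "fips" or "non-fips": the mode libnss3 is expected to start in.
#   READS_PROC=yes models the unpatched library (kernel flag is consulted),
#   READS_PROC=no models the patched library (only NSS_FIPS counts).
nss_expected_mode() {
    flag="$1"; envval="$2"; reads_proc="$3"
    if [ -n "$envval" ]; then
        echo fips
    elif [ "$reads_proc" = yes ] && [ "$(kernel_fips_enabled "$flag")" = 1 ]; then
        echo fips
    else
        echo non-fips
    fi
}

# nss_db_fips_state DBDIR
#   Asks modutil whether the softoken in DBDIR is actually in FIPS mode.
#   Prints fips / non-fips, or "unknown" (exit 2) when modutil is absent.
nss_db_fips_state() {
    dbdir="$1"
    if ! command -v modutil >/dev/null 2>&1; then
        echo "unknown (modutil not installed)"
        return 2
    fi
    if modutil -dbdir "$dbdir" -chkfips true >/dev/null 2>&1; then
        echo fips
    else
        echo non-fips
    fi
}

# Report for the current host; pass an NSS db directory (e.g. ~/.pki/nssdb)
# as the first argument to also query the real module state.
printf 'kernel fips_enabled flag         : %s\n' "$(kernel_fips_enabled)"
printf 'libnss3 expected mode (unpatched): %s\n' \
    "$(nss_expected_mode /proc/sys/crypto/fips_enabled "${NSS_FIPS:-}" yes)"
printf 'libnss3 expected mode (patched)  : %s\n' \
    "$(nss_expected_mode /proc/sys/crypto/fips_enabled "${NSS_FIPS:-}" no)"
if [ $# -gt 0 ]; then
    printf 'modutil -chkfips on %s: %s\n' "$1" "$(nss_db_fips_state "$1")"
fi
```

On a host with the FIPS kernel the "unpatched" and "patched" lines differ when NSS_FIPS is unset, which is exactly the behaviour change the SRU proposes; with NSS_FIPS exported they agree. The modutil query is the ground truth for a given database directory and is worth running before and after installing the package from -proposed.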

description: updated
Revision history for this message
Vineetha Kamath (vineetha) wrote :

The build log and test runs for eoan build is on my test ppa
https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17312645

The build log and test runs for disco build is on my test ppa
https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17315636

The build log and test runs for bionic build is on my test ppa
https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17311607

The build log and test runs for xenial build is on my test ppa
https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17311225

Revision history for this message
Vineetha Kamath (vineetha) wrote :

debdiff.eoan

Revision history for this message
Vineetha Kamath (vineetha) wrote :

debdiff.disco

Revision history for this message
Vineetha Kamath (vineetha) wrote :
Revision history for this message
Vineetha Kamath (vineetha) wrote :

debdiff.xenial

description: updated
description: updated
description: updated
summary: - firefox crash on a FIPS enabled machine due to libnss3
+ Firefox crash on a FIPS enabled machine due to libnss3
Changed in nss (Ubuntu Xenial):
status: New → Confirmed
Changed in nss (Ubuntu Bionic):
status: New → Confirmed
Changed in nss (Ubuntu Disco):
status: New → Confirmed
Changed in nss (Ubuntu Eoan):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs. Uploaded to eoan and to previous releases for processing by the SRU team, with slight versioning adjustment and the bug tag added to the changelog.

Thanks!

Changed in nss (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in nss (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in nss (Ubuntu Disco):
status: Confirmed → In Progress
Changed in nss (Ubuntu Eoan):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.45-1ubuntu2

---------------
nss (2:3.45-1ubuntu2) eoan; urgency=medium

  * Disable reading fips_enabled flag in FIPS mode. libnss is
    not a FIPS certified library. (LP: #1837734)

 -- Vineetha Kamath <email address hidden> Tue, 23 Jul 2019 20:58:12 +0000

Changed in nss (Ubuntu Eoan):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Vineetha, or anyone else affected,

Accepted nss into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nss/2:3.42-1ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in nss (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-disco
Changed in nss (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Vineetha, or anyone else affected,

Accepted nss into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nss/2:3.35-2ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Vineetha, or anyone else affected,

Accepted nss into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.16.04.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in nss (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Revision history for this message
David Negreira (dnegreira) wrote : Re: Firefox crash on a FIPS enabled machine due to libnss3

Test failed on xenial 16.04: https://paste.ubuntu.com/p/qbmkGS5RSB/

Already shared latest info and straces with Vineetha.

tags: added: verification-failed-xenial
removed: verification-needed-disco verification-needed-xenial
tags: added: verification-needed-disco
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (nss/2:3.35-2ubuntu2.4)

All autopkgtests for the newly accepted nss (2:3.35-2ubuntu2.4) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

openjdk-8/8u222-b10-1ubuntu1~18.04.1 (i386)
chrony/3.2-4ubuntu4.2 (arm64, ppc64el, armhf, i386, amd64, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#nss

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

summary: - Firefox crash on a FIPS enabled machine due to libnss3
+ libnss3 reads fips_enabled flag and automatically switches to FIPS mode
description: updated
Revision history for this message
Vineetha Kamath (vineetha) wrote :

The SRU was originally filed since firefox crashed due to libnss3 automatically entering FIPS mode. Firefox uses bundled nss, and hence a fix is being worked into the firefox library to address the crash.

libnss3 does not need this change. Upon careful examination of code, the code to read "fips_enabled" does not get compiled on Ubuntu.

Revision history for this message
Steve Langasek (vorlon) wrote : Proposed package removed from archive

The version of nss in the proposed pocket of Xenial that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

Changed in nss (Ubuntu Xenial):
status: Fix Committed → Won't Fix
Steve Langasek (vorlon)
Changed in nss (Ubuntu Disco):
status: Fix Committed → Won't Fix
Revision history for this message
Brian Murray (brian-murray) wrote :

I'm setting this to Won't Fix as it seems unnecessary based off a later comment about Firefox. Additionally, the version of nss with the fix for this bug was superseded by a security upload.

Changed in nss (Ubuntu Bionic):
status: Fix Committed → Won't Fix