Ubuntu
nss package

attempt to add opensc using modutil suddenly fails

Bug #2060906 reported by Garrett Warnell
284
This bug affects 4 people
Affects Status Importance Assigned to Milestone
nss (Ubuntu)
Invalid
Undecided
Unassigned
Focal
Fix Released
Critical
Marc Deslauriers
Jammy
Fix Released
Critical
Marc Deslauriers

Bug Description

The following command to add the OpenSC PKCS11 module for use in, eg, Chrome fails:

modutil -dbdir sql:$HOME/.pki/nssdb -add "OpenSC" -libfile /usr/lib/opensc-pkcs11.so

This has worked for me several times in the past, but today Chrome stopped detecting my smart card and when I tried to re-initialize ~/.pki/nssdb and re-add OpenSC using the command above, I received the following error:

ERROR: Failed to add module "OpenSC". Probable cause : "Unknown code ___P 3".

See original description
Revision history for this message
Maxim (max-345) wrote :

Confirming same issue, downgrade to previous version are solve situation:

sudo apt install libnss3=2:3.68.2-0ubuntu1 libnss3-tools=2:3.68.2-0ubuntu1 libnss3-dev=2:3.68.2-0ubuntu1

update was today:

Log started: 2024-04-11 06:49:32
(Reading database ... ^M(Reading database ... 5%^M(Reading database ... 10%^M(Reading database ... 15%^M(Reading database ... 20%^M(Reading database ... 25%^M(Reading database ... 30%^M(
Reading database ... 35%^M(Reading database ... 40%^M(Reading database ... 45%^M(Reading database ... 50%^M(Reading database ... 55%^M(Reading database ... 60%^M(Reading database ... 65%
^M(Reading database ... 70%^M(Reading database ... 75%^M(Reading database ... 80%^M(Reading database ... 85%^M(Reading database ... 90%^M(Reading database ... 95%^M(Reading database ...
100%^M(Reading database ... 331955 files and directories currently installed.)
Preparing to unpack .../libnss3_2%3a3.98-0ubuntu0.22.04.1_amd64.deb ...
Unpacking libnss3:amd64 (2:3.98-0ubuntu0.22.04.1) over (2:3.68.2-0ubuntu1.2) ...
Preparing to unpack .../libnss3-tools_2%3a3.98-0ubuntu0.22.04.1_amd64.deb ...
Unpacking libnss3-tools (2:3.98-0ubuntu0.22.04.1) over (2:3.68.2-0ubuntu1.2) ...
Setting up libnss3:amd64 (2:3.98-0ubuntu0.22.04.1) ...
Setting up libnss3-tools (2:3.98-0ubuntu0.22.04.1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.6) ...
Log ended: 2024-04-11 06:49:38

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nss (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur)
information type: Public → Public Security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue, I am currently investigating and will have an updated package for testing soon.

Changed in nss (Ubuntu Focal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nss (Ubuntu Jammy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nss (Ubuntu Focal):
status: New → In Progress
Changed in nss (Ubuntu Jammy):
status: New → In Progress
Changed in nss (Ubuntu Focal):
importance: Undecided → Critical
Changed in nss (Ubuntu Jammy):
importance: Undecided → Critical
Revision history for this message
Garrett Warnell (warnellg-t) wrote :

Thanks, @max-345. Confirming that downgrade also works on 20.04 with the following command:

sudo apt install libnss3=2:3.49.1-1ubuntu1 libnss3-tools=2:3.49.1-1ubuntu1 libnss3-dev=2:3.49.1-1ubuntu1

Garrett Warnell (warnellg-t)
description: updated
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I have uploaded packages that fix this issue for focal and jammy to the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once they have finished building, please test them to make sure they fix the issue for you, and I will publish them as a security regression fix this afternoon.

Thanks!

Revision history for this message
Nils Ballmann (nils-ballmann) wrote :
Download full text (9.8 KiB)

Can confirm on Ubuntu Jammy, package fixes the issue:

```console
vagrant@ubuntu2204:~/Downloads$ wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+files/libnss3_3.98-0ubuntu0.22.04.2_amd64.deb
--2024-04-11 15:58:37-- https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+files/libnss3_3.98-0ubuntu0.22.04.2_amd64.deb
Resolving launchpad.net (launchpad.net)... 185.125.189.222, 185.125.189.223, 2620:2d:4000:1009::3ba, ...
Connecting to launchpad.net (launchpad.net)|185.125.189.222|:443... connected.
HTTP request sent, awaiting response... 303 See Other
Location: https://launchpadlibrarian.net/724214470/libnss3_3.98-0ubuntu0.22.04.2_amd64.deb [following]
--2024-04-11 15:58:37-- https://launchpadlibrarian.net/724214470/libnss3_3.98-0ubuntu0.22.04.2_amd64.deb
Resolving launchpadlibrarian.net (launchpadlibrarian.net)... 185.125.189.228, 185.125.189.229, 2620:2d:4000:1009::13e, ...
Connecting to launchpadlibrarian.net (launchpadlibrarian.net)|185.125.189.228|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1346964 (1.3M) [application/x-debian-package]
Saving to: ‘libnss3_3.98-0ubuntu0.22.04.2_amd64.deb’

libnss3_3.98-0ubuntu0.22.04.2_amd64.deb 100%[====================================================================================================>] 1.28M 4.87MB/s in 0.3s

2024-04-11 15:58:37 (4.87 MB/s) - ‘libnss3_3.98-0ubuntu0.22.04.2_amd64.deb’ saved [1346964/1346964]

vagrant@ubuntu2204:~/Downloads$ wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+files/libnss3-tools_3.98-0ubuntu0.22.04.2_amd64.deb
--2024-04-11 15:59:00-- https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+files/libnss3-tools_3.98-0ubuntu0.22.04.2_amd64.deb
Resolving launchpad.net (launchpad.net)... 185.125.189.222, 185.125.189.223, 2620:2d:4000:1009::f3, ...
Connecting to launchpad.net (launchpad.net)|185.125.189.222|:443... connected.
HTTP request sent, awaiting response... 303 See Other
Location: https://launchpadlibrarian.net/724214469/libnss3-tools_3.98-0ubuntu0.22.04.2_amd64.deb [following]
--2024-04-11 15:59:00-- https://launchpadlibrarian.net/724214469/libnss3-tools_3.98-0ubuntu0.22.04.2_amd64.deb
Resolving launchpadlibrarian.net (launchpadlibrarian.net)... 185.125.189.229, 185.125.189.228, 2620:2d:4000:1009::13e, ...
Connecting to launchpadlibrarian.net (launchpadlibrarian.net)|185.125.189.229|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 570044 (557K) [application/x-debian-package]
Saving to: ‘libnss3-tools_3.98-0ubuntu0.22.04.2_amd64.deb’

libnss3-tools_3.98-0ubuntu0.22.04.2_amd64.deb 100%[====================================================================================================>] 556.68K --.-KB/s in 0.1s

2024-04-11 15:59:00 (4.98 MB/s) - ‘libnss3-tools_3.98-0ubuntu0.22.04.2_amd64.deb’ saved [570044/570044]

vagrant@ubuntu2204:~/Downloads$ LC_ALL=C apt-cache policy libnss3 libnss3-tools
libnss3:
  Installed: 2:3.68.2-0ubuntu1
  Candidate: 2:3.98-0ubuntu0.22.04.1
  Version table:
     2:3.98-0ubuntu0.22.04.1 500
        500 https://mirrors.edge.kernel.org/ubuntu jammy-updates/main amd64 Packages
...

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for testing, I'll publish the regression fix as soon as all archs have finished building.

Revision history for this message
Nils Ballmann (nils-ballmann) wrote (last edit ):
Download full text (6.1 KiB)

Same for Ubuntu Focal:

```console
vagrant@ubuntu2004:~/Downloads$ wget -q https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+files/libnss3_3.98-0ubuntu0.20.04.2_amd64.deb
vagrant@ubuntu2004:~/Downloads$ wget -q https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+files/libnss3-tools_3.98-0ubuntu0.20.04.2_amd64.deb
vagrant@ubuntu2004:~/Downloads$ ls -lah libnss*.deb
-rw-rw---- 1 vagrant vagrant 1.4M Apr 11 15:22 libnss3_3.98-0ubuntu0.20.04.2_amd64.deb
-rw-rw---- 1 vagrant vagrant 1.1M Apr 11 15:22 libnss3-tools_3.98-0ubuntu0.20.04.2_amd64.deb
vagrant@ubuntu2004:~/Downloads$ LC_ALL=C apt-cache policy libnss3 libnss3-tools
libnss3:
  Installed: 2:3.49.1-1ubuntu1
  Candidate: 2:3.98-0ubuntu0.20.04.1
  Version table:
     2:3.98-0ubuntu0.20.04.1 500
        500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
 *** 2:3.49.1-1ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
libnss3-tools:
  Installed: 2:3.49.1-1ubuntu1
  Candidate: 2:3.98-0ubuntu0.20.04.1
  Version table:
     2:3.98-0ubuntu0.20.04.1 500
        500 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
 *** 2:3.49.1-1ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status
vagrant@ubuntu2004:~/Downloads$ LC_ALL=C sudo apt-mark unhold libnss3 libnss3-tools
Canceled hold on libnss3.
Canceled hold on libnss3-tools.
vagrant@ubuntu2004:~/Downloads$ LC_ALL=C sudo apt install --yes ./libnss3*.deb
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'libnss3' instead of './libnss3_3.98-0ubuntu0.20.04.2_amd64.deb'
Note, selecting 'libnss3-tools' instead of './libnss3-tools_3.98-0ubuntu0.20.04.2_amd64.deb'
The following packages will be upgraded:
  libnss3 libnss3-tools
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/2446 kB of archives.
After this operation, 811 kB of additional disk space will be used.
Get:1 /home/vagrant/Downloads/libnss3_3.98-0ubuntu0.20.04.2_amd64.deb libnss3 amd64 2:3.98-0ubuntu0.20.04.2 [1391 kB]
Get:2 /home/vagrant/Downloads/libnss3-tools_3.98-0ubuntu0.20.04.2_amd64.deb libnss3-tools amd64 2:3.98-0ubuntu0.20.04.2 [1055 kB]
(Reading database ... 212155 files and directories currently installed.)
Preparing to unpack .../libnss3_3.98-0ubuntu0.20.04.2_amd64.deb ...
Unpacking libnss3:amd64 (2:3.98-0ubuntu0.20.04.2) over (2:3.49.1-1ubuntu1) ...
Preparing to unpack .../libnss3-tools_3.98-0ubuntu0.20.04.2_amd64.deb ...
Unpacking libnss3-tools (2:3.98-0ubuntu0.20.04.2) over (2:3.49.1-1ubuntu1) ...
Setting up libnss3:amd64 (2:3.98-0ubuntu0.20.04.2) ...
Setting up libnss3-tools (2:3.98-0ubuntu0.20.04.2) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.14) ...
N: Download is performed unsandboxed as root as file '/home/vagrant/Downloads/libnss3_3.98-0ubuntu0.20.04.2_amd64.d...

Read more...

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.98-0ubuntu0.22.04.2

---------------
nss (2:3.98-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY REGRESSION: failure to open modules (LP: #2060906)
    - debian/patches/85_security_load.patch: fix broken patch preventing
      module loading.

 -- Marc Deslauriers <email address hidden> Thu, 11 Apr 2024 10:19:22 -0400

Changed in nss (Ubuntu Jammy):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.98-0ubuntu0.20.04.2

---------------
nss (2:3.98-0ubuntu0.20.04.2) focal-security; urgency=medium

  * SECURITY REGRESSION: failure to open modules (LP: #2060906)
    - debian/patches/85_security_load.patch: fix broken patch preventing
      module loading.

 -- Marc Deslauriers <email address hidden> Thu, 11 Apr 2024 10:23:19 -0400

Changed in nss (Ubuntu Focal):
status: In Progress → Fix Released
Marc Deslauriers (mdeslaur)
Changed in nss (Ubuntu):
status: Confirmed → Invalid
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

https://ubuntu.com/security/notices/USN-6727-2

Revision history for this message
Adam Pankow (adampankow) wrote :

@mdeslaur did you mean to set this bug invalid? It looked like you intended to set bug #2060968 instead?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

@adampankow: the bug only applied to focal and jammy, which are marked as "fix released", the "invalid" task is the development release noble, which isn't affected by this bug. This looks a bit odd, but it's how launchpad bugs work.

Revision history for this message
Maxim (max-345) wrote :

@mdeslaur, Thank you, fix working. Checked just now

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.