Package: libnss3
Version: 2:3.67-1
Severity: serious
Tags: patch
Justification: Policy 8.6.3.3
X-Debbugs-Cc: Sebastian Ramacher <sramac...@debian.org>, Carsten Schoenert <c.schoen...@t-online.de>
Dear Maintainer,

Thunderbird 1:78.11.0-1 in testing is unable to establish some (all?) TLS connections when run with libnss3 2:3.61-1, because it was built with libnss3-dev 2:3.66-1. The issue occurs because the size of SSLChannelInfo increased between NSS 3.61 and 3.66 (due to the addition of PRBool isFIPS). SSL_GetChannelInfo takes both a pointer to and the size of SSLChannelInfo as arguments. If the size is greater than the size it expects, it returns SECFailure, causing the connection to fail. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989839#48 for details.

The issue is being discussed on debian-release, where Sebastian Ramacher pointed out that the libnss3 symbol file should bump the minimum version requirement for all symbols that work with SSLChannelInfo.[1] I agree. As far as I can tell, SSL_GetChannelInfo is the only such symbol. I believe it should be bumped to 2:3.66 for package 2:3.67 and bumped in future versions whenever the size of SSLChannelInfo changes. I've attached a patch to do so.

Thanks for considering,
Kevin

[1]: https://lists.debian.org/debian-release/2021/06/msg00597.html

-- System Information:
Debian Release: 11.0
  APT prefers testing-debug
  APT policy: (990, 'testing-debug'), (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-security'), (500, 'stable-debug'), (500, 'unstable'), (500, 'oldstable'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.13.0-rc6 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libnss3 depends on:
ii  libc6         2.31-12
ii  libnspr4      2:4.29-1
ii  libsqlite3-0  3.34.1-3

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information
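To make the failure mode concrete, the following is a small self-contained C model, added here as an illustration and not code from the bug report, NSS or the Debian package, of the size-checked struct API the report describes. The struct names channel_info_v61 and channel_info_v66, the function get_channel_info_v61 and the field values are hypothetical stand-ins; the only behaviour borrowed from the report is that the callee rejects a len larger than the struct it was compiled with, so a caller built against a newer, larger header fails against the older library.

```c
/* Added example: model of a size-versioned struct API (hypothetical names,
 * not NSS code). Shows why a binary built with the 3.66 header fails when
 * loaded with a 3.61 library, and what the packaging fix has to guarantee. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { SEC_FAILURE = -1, SEC_SUCCESS = 0 } sec_status;

/* Layout as the hypothetical 3.61 library was compiled with. */
typedef struct {
    uint32_t length;          /* callee records how many bytes it filled */
    uint32_t protocolVersion;
    uint16_t cipherSuite;
} channel_info_v61;

/* Layout as the hypothetical 3.66 header declares it: one field appended,
 * standing in for the PRBool isFIPS the report mentions. */
typedef struct {
    uint32_t length;
    uint32_t protocolVersion;
    uint16_t cipherSuite;
    int      isFIPS;
} channel_info_v66;

/* Model of the older library's SSL_GetChannelInfo: it refuses any len larger
 * than the struct it knows about, which is the behaviour the report describes.
 * Values written are constructed samples (TLS 1.3, TLS_AES_128_GCM_SHA256). */
sec_status get_channel_info_v61(void *info, unsigned len)
{
    channel_info_v61 inf;
    if (info == NULL || len > sizeof inf)
        return SEC_FAILURE;
    memset(&inf, 0, sizeof inf);
    inf.length = len;
    inf.protocolVersion = 0x0304;
    inf.cipherSuite = 0x1301;
    memcpy(info, &inf, len);
    return SEC_SUCCESS;
}

/* A binary compiled against the 3.61 header: sizes agree, call succeeds. */
sec_status caller_built_against_v61(void)
{
    channel_info_v61 ci;
    return get_channel_info_v61(&ci, sizeof ci);
}

/* A binary compiled against the 3.66 header but loaded with the 3.61
 * library: sizeof ci grew, so the old library returns failure and the
 * connection setup that depends on this call fails. */
sec_status caller_built_against_v66(void)
{
    channel_info_v66 ci;
    return get_channel_info_v61(&ci, sizeof ci);
}

/* The packaging invariant the symbols-file bump enforces: any time the
 * struct grows, the runtime dependency on the library must move up too. */
int struct_size_grew(void)
{
    return sizeof(channel_info_v66) > sizeof(channel_info_v61);
}

int main(void)
{
    printf("sizeof v61 = %zu, sizeof v66 = %zu\n",
           sizeof(channel_info_v61), sizeof(channel_info_v66));
    printf("caller built against 3.61: %s\n",
           caller_built_against_v61() == SEC_SUCCESS ? "ok" : "SECFailure");
    printf("caller built against 3.66: %s\n",
           caller_built_against_v66() == SEC_SUCCESS ? "ok" : "SECFailure");
    return 0;
}
```

The point for packagers is that the library's ABI did not change in the symbol table sense (SSL_GetChannelInfo keeps the same name and version node), so only a raised minimum version in the symbols file turns this silent runtime failure into an unsatisfiable dependency that the package manager catches before installation.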
>From eaffc616b99dd2be285ade5df072cfa1e30924fe Mon Sep 17 00:00:00 2001 Message-Id: <eaffc616b99dd2be285ade5df072cfa1e30924fe.1624049387.git.ke...@kevinlocke.name> From: Kevin Locke <ke...@kevinlocke.name> Date: Fri, 18 Jun 2021 14:41:27 -0600 Subject: [PATCH] libnss3.symbols: bump SSL_GetChannelInfo to 2:3.66 PRBool isFIPS was added to SSLChannelInfo in NSS 3.66, causing its size to increase. Since SSL_GetChannelInfo is called with sizeof(SSLChannelInfo) and returns SECFailure when called with a larger size than it expects, it creates a version incompatibility where programs compiled with NSS >= 3.66 do not function correction when loaded with NSS < 3.66, as in #989839 for thunderbird. To avoid breakage, bump the version of SSL_GetChannelInfo, as suggested by Sebastian Ramacher in https://lists.debian.org/debian-release/2021/06/msg00597.html Signed-off-by: Kevin Locke <ke...@kevinlocke.name> --- debian/libnss3.symbols | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/libnss3.symbols b/debian/libnss3.symbols index 5213379c..2bb7294a 100644 --- a/debian/libnss3.symbols +++ b/debian/libnss3.symbols @@ -154,5 +154,5 @@ libssl3.so libnss3 #MINVER# (symver)NSS_3.4 2:3.13.4-2~ (symver)NSS_3.7.4 2:3.13.4-2~ SSL_GetCipherSuiteInfo@NSS_3.4 2:3.44.0 - SSL_GetChannelInfo@NSS_3.4 2:3.34 + SSL_GetChannelInfo@NSS_3.4 2:3.66 SSL_GetPreliminaryChannelInfo@NSS_3.21 2:3.44.0 -- 2.30.2
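Review bot: the bump of SSL_GetChannelInfo@NSS_3.4 to 2:3.66 fixes the immediate breakage, but nothing in the symbols file records why this entry must move again whenever sizeof(SSLChannelInfo) changes, which the commit message says is required; suggest a comment line next to the entry (the symbols file format accepts lines starting with #) such as `# bump whenever a field is added to SSLChannelInfo`, so the next maintainer does not regress this. Leaving the adjacent SSL_GetPreliminaryChannelInfo@NSS_3.21 line at 2:3.44.0 is consistent with the report's statement that SSL_GetChannelInfo is the only symbol taking SSLChannelInfo; it would help to state that explicitly in the commit message, since a reader of the hunk alone cannot tell whether that line was checked or overlooked.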