severity 990058 normal
thanks

With #990059 addressed in 2:3.67-2, this can be downgraded to normal. The problem also exists with other functions, which is why I'll keep this open for a more complete and long-term solution.

Mike

On Fri, Jun 18, 2021 at 03:09:36PM -0600, Kevin Locke wrote:
> Package: libnss3
> Version: 2:3.67-1
> Severity: serious
> Tags: patch
> Justification: Policy 8.6.3.3
> X-Debbugs-Cc: Sebastian Ramacher <sramac...@debian.org>, Carsten Schoenert
> <c.schoen...@t-online.de>
>
> Dear Maintainer,
>
> Thunderbird 1:78.11.0-1 in testing is unable to establish some (all?)
> TLS connections when run with libnss3 2:3.61-1, because it was built
> with libnss3-dev 2:3.66-1. The issue occurs because the size of
> SSLChannelInfo increased between NSS 3.61 and 3.66 (due to the addition
> of PRBool isFIPS). SSL_GetChannelInfo takes both a pointer to and size
> of SSLChannelInfo as arguments. If the size is greater than the size it
> expects, it returns SECFailure, causing the connection to fail. See
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989839#48 for details.
>
> The issue is being discussed on debian-release, where Sebastian Ramacher
> pointed out that the libnss3 symbol file should bump the minimum version
> requirement for all symbols that work with SSLChannelInfo.[1] I agree.
> As far as I can tell, SSL_GetChannelInfo is the only such symbol. I
> believe it should be bumped to 2:3.66 for package 2:3.67 and bumped in
> future versions whenever the size of SSLChannelInfo changes. I've
> attached a patch to do so.
>
> Thanks for considering,
> Kevin
>
> [1]: https://lists.debian.org/debian-release/2021/06/msg00597.html
>
> -- System Information:
> Debian Release: 11.0
> APT prefers testing-debug
> APT policy: (990, 'testing-debug'), (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-security'), (500, 'stable-debug'), (500, 'unstable'), (500, 'oldstable'), (101, 'experimental'), (1, 'experimental-debug')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.13.0-rc6 (SMP w/4 CPU threads)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libnss3 depends on:
> ii  libc6         2.31-12
> ii  libnspr4      2:4.29-1
> ii  libsqlite3-0  3.34.1-3
>
> libnss3 recommends no packages.
>
> libnss3 suggests no packages.
>
> -- no debconf information
>
> From eaffc616b99dd2be285ade5df072cfa1e30924fe Mon Sep 17 00:00:00 2001
> Message-Id: <eaffc616b99dd2be285ade5df072cfa1e30924fe.1624049387.git.ke...@kevinlocke.name>
> From: Kevin Locke <ke...@kevinlocke.name>
> Date: Fri, 18 Jun 2021 14:41:27 -0600
> Subject: [PATCH] libnss3.symbols: bump SSL_GetChannelInfo to 2:3.66
>
> PRBool isFIPS was added to SSLChannelInfo in NSS 3.66, causing its size
> to increase. Since SSL_GetChannelInfo is called with
> sizeof(SSLChannelInfo) and returns SECFailure when called with a larger
> size than it expects, it creates a version incompatibility where
> programs compiled with NSS >= 3.66 do not function correctly when
> loaded with NSS < 3.66, as in #989839 for thunderbird.
>
> To avoid breakage, bump the version of SSL_GetChannelInfo, as suggested
> by Sebastian Ramacher in
> https://lists.debian.org/debian-release/2021/06/msg00597.html
>
> Signed-off-by: Kevin Locke <ke...@kevinlocke.name>
> ---
>  debian/libnss3.symbols | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/debian/libnss3.symbols b/debian/libnss3.symbols > index 5213379c..2bb7294a 100644 > --- a/debian/libnss3.symbols > +++ b/debian/libnss3.symbols > @@ -154,5 +154,5 @@ libssl3.so libnss3 #MINVER# > (symver)NSS_3.4 2:3.13.4-2~ > (symver)NSS_3.7.4 2:3.13.4-2~ > SSL_GetCipherSuiteInfo@NSS_3.4 2:3.44.0 > - SSL_GetChannelInfo@NSS_3.4 2:3.34 > + SSL_GetChannelInfo@NSS_3.4 2:3.66 > SSL_GetPreliminaryChannelInfo@NSS_3.21 2:3.44.0 > -- > 2.30.2 >
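Review bot: the bump covers only SSL_GetChannelInfo, while the context line `SSL_GetPreliminaryChannelInfo@NSS_3.21 2:3.44.0` is left at its old version and the reply at the top of this thread says the same failure exists with other functions; check whether the sibling *ChannelInfo accessors follow the same caller-supplied-length pattern and need a matching bump, and add a comment beside the entry in debian/libnss3.symbols saying it must be re-bumped whenever sizeof(SSLChannelInfo) grows, since that rule currently lives only in the commit message. Minor: the new value `2:3.66` uses a two-component form where the neighbouring entries use three components (`2:3.44.0`); pick one form for the file.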
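As an added example, not NSS or Debian code, the following C models the mechanism Kevin describes: a library that rejects a struct length larger than the one it was built with, and a caller built against a newer header whose struct gained a trailing field. The struct fields, type names and sample values are stand-ins, not the real SSLChannelInfo layout; the "lenient" getter is an alternative design shown for contrast, not what the report says NSS does.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for NSS types and status codes (assumed names, not NSS's own). */
typedef int PRBoolT;
enum { SEC_OK = 0, SEC_FAIL = -1 };

/* Layout the OLD library was built with (analogue of SSLChannelInfo < 3.66). */
typedef struct {
    unsigned length;          /* caller passes sizeof; library checks it */
    int protocolVersion;
    unsigned short cipherSuite;
} OldChannelInfo;

/* Layout from the NEW header (analogue of >= 3.66): a field appended at the end. */
typedef struct {
    unsigned length;
    int protocolVersion;
    unsigned short cipherSuite;
    PRBoolT isFIPS;           /* the addition that grew the struct */
} NewChannelInfo;

/* Library-side getter with the strict check the report describes:
 * a length larger than the struct this library knows is an error. */
int old_lib_get_channel_info(void *info, unsigned len) {
    OldChannelInfo inf = { sizeof inf, 0x0304, 0x1301 }; /* constructed sample values */
    if (len > sizeof inf)
        return SEC_FAIL;      /* a caller built against a newer header fails here */
    memcpy(info, &inf, len);
    return SEC_OK;
}

/* Forward-tolerant alternative: copy the known prefix, zero the unknown tail,
 * and let .length tell the caller how much of its struct was filled. */
int lenient_get_channel_info(void *info, unsigned len) {
    OldChannelInfo inf = { sizeof inf, 0x0304, 0x1301 };
    unsigned n = len < sizeof inf ? len : sizeof inf;
    memset(info, 0, len);
    memcpy(info, &inf, n);
    return SEC_OK;
}

/* Callers: one built against the old header, two against the new one. */
int old_caller_strict(void)  { OldChannelInfo ci; return old_lib_get_channel_info(&ci, sizeof ci); }
int new_caller_strict(void)  { NewChannelInfo ci; return old_lib_get_channel_info(&ci, sizeof ci); }
int new_caller_lenient(void) { NewChannelInfo ci; return lenient_get_channel_info(&ci, sizeof ci); }
/* Under the lenient getter the new caller learns that only the old prefix is valid. */
unsigned new_caller_lenient_valid_len(void) {
    NewChannelInfo ci;
    lenient_get_channel_info(&ci, sizeof ci);
    return ci.length;
}
```

The strict path reproduces the Thunderbird symptom (newer caller, older library, SEC_FAIL), which is exactly the skew the symbols-file bump prevents at dependency-resolution time.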