Marius Bakke <mba...@fastmail.com> writes: > Mark H Weaver <m...@netris.org> writes: > >> Leo Famulari <l...@famulari.name> writes: >> >>> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote: >>>> Hello! >>>> >>>> Since version 3.30.1, one test consistently fails on armhf. It is the >>>> same as in this bug report, although we don't see the exception: >>>> >>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459 >>>> >>>> I initially thought this was due to stalls in the build process as we've >>>> seen before and tried increasing the timeouts in a790f2620, but that >>>> should probably be reverted. >>>> >>>> What should we do? We can either patch out this test, or go back to >>>> 3.30. Here are the release notes for 3.30.1: >>>> >>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes >>>> >>>> It fixes a non-public bug in the base64 implementation, but introduced a >>>> test failure on at least two arches. >>>> >>>> Any preference? >>> >>> Since there were no changes to the set of certificates between 3.30 and >>> 3.30.1 [0], I would revert it for now. >> >> It turns out that the bug fix in 3.30.1 is critical: it fixes >> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2 >> has since been released, so I'm currently testing it and will push an >> update to it soon. Any issues on armhf will need to be dealt with in >> another way. > > Mark, > > I checked this. The upstream 3.30 branch[0] contains a fix, but it was > not picked to the 3.30.2 release which only contains certificate > changes[1]. > > Squashing these two commits into one should fix the problem (the first > fix was incomplete[2]): > > https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1 > https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
Here is a patch that updates to 3.30.1 and disables the b64 test. I'm building it on x86_64 now, but think it should be safe to push. What do you think?
From 7f1a8eda567edb851e0f2cd1f08c6ac07e8a45cd Mon Sep 17 00:00:00 2001
From: Marius Bakke <mba...@fastmail.com>
Date: Thu, 20 Apr 2017 21:36:21 +0200
Subject: [PATCH] gnu: nss: Update to 3.30.1 and disable failing test [fixes
CVE-2017-5461].
* gnu/packages/patches/nss-disable-b64_unittest.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (nss): Update to 3.30.1.
[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/gnuzilla.scm | 5 +--
.../patches/nss-disable-b64_unittest.patch | 40 ++++++++++++++++++++++
3 files changed, 44 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/nss-disable-b64_unittest.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index f38126251..d17f139a5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -803,6 +803,7 @@ dist_patch_DATA = \
%D%/packages/patches/ngircd-handle-zombies.patch \
%D%/packages/patches/ninja-zero-mtime.patch \
%D%/packages/patches/node-9077.patch \
+ %D%/packages/patches/nss-disable-b64_unittest.patch \
%D%/packages/patches/nss-increase-test-timeout.patch \
%D%/packages/patches/nss-pkgconfig.patch \
%D%/packages/patches/ntfs-3g-CVE-2017-0358.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 87695329c..21902b427 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -194,7 +194,7 @@ in the Mozilla clients.")
(define-public nss
(package
(name "nss")
- (version "3.30")
+ (version "3.30.1")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -205,9 +205,10 @@ in the Mozilla clients.")
"nss-" version ".tar.gz")))
(sha256
(base32
- "1agkkwb51si4raw46p44vl3d0l7wzvdjcblpcdjjz6aymq6h1h58"))
+ "1djypq081m22iw0wg0q7gnpndam5f8qjhqfd5v9by4c6l6lp78hz"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-pkgconfig.patch"
+ "nss-disable-b64_unittest.patch"
"nss-increase-test-timeout.patch"))))
(build-system gnu-build-system)
(outputs '("out" "bin"))
diff --git a/gnu/packages/patches/nss-disable-b64_unittest.patch b/gnu/packages/patches/nss-disable-b64_unittest.patch
new file mode 100644
index 000000000..8d2f1deb7
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-b64_unittest.patch
@@ -0,0 +1,40 @@
+This disables a test that fails on armhf and ppc32.
+
+Upstream bug URL:
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
+
+Patch copied from upstream source repository:
+
+https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
+
+diff --git a/nss/gtests/util_gtest/util_b64_unittest.cc b/nss/gtests/util_gtest/util_b64_unittest.cc
+--- a/nss/gtests/util_gtest/util_b64_unittest.cc
++++ b/nss/gtests/util_gtest/util_b64_unittest.cc
+@@ -63,17 +63,19 @@ TEST_F(B64EncodeDecodeTest, EncDecTest)
+
+ TEST_F(B64EncodeDecodeTest, FakeDecTest) { EXPECT_TRUE(TestFakeDecode(100)); }
+
+ TEST_F(B64EncodeDecodeTest, FakeEncDecTest) {
+ EXPECT_TRUE(TestFakeEncode(100));
+ }
+
+ // These takes a while ...
+-TEST_F(B64EncodeDecodeTest, LongFakeDecTest1) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeDecTest1) {
+ EXPECT_TRUE(TestFakeDecode(0x66666666));
+ }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest1) { TestFakeEncode(0x3fffffff); }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest2) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest1) {
++ TestFakeEncode(0x3fffffff);
++}
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest2) {
+ EXPECT_FALSE(TestFakeEncode(0x40000000));
+ }
+
+ } // namespace nss_test
+
+
+
+
--
2.12.2
signature.asc
Description: PGP signature
