Re: NSS test failure on armhf
Mark H Weaver writes:

> Marius Bakke writes:
>
>> Marius Bakke writes:
>>
>>>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>>>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>>>>> has since been released, so I'm currently testing it and will push an
>>>>> update to it soon. Any issues on armhf will need to be dealt with in
>>>>> another way.
>>>>
>>>> Mark,
>>>>
>>>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>>>> not picked to the 3.30.2 release which only contains certificate
>>>> changes[1].
>>>>
>>>> Squashing these two commits into one should fix the problem (the first
>>>> fix was incomplete[2]):
>>>>
>>>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>>>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
>
> Good find, thank you! Since seeing the above post, I prepared my own
> patches to update NSS to 3.30.2 and disable the long b64 tests.
>
> And now I see you've prepared your own patch that only updates to
> 3.30.1. I'm not sure why we would consider rebuilding everything with
> 3.30.1 when 3.30.2 already exists, even if the only changes are to
> certs.
>
> I'll push this batch of patches soon, including fixes to graphite2 and
> the icecat update, after a bit more testing.

Great, thanks! I could not find any compelling reason to use the 3.30.2
tarball (other than disk space on builders), and found the version
"mismatch" between 'nss-certs' and 'nss' more distinctive.

However, after diffing 3.30.1 and 3.30.2, it seems certificate changes
also bump the library version:

https://hg.mozilla.org/projects/nss/diff/dc97a4930479/lib/ckfw/builtins/nssckbi.h

So I guess we should keep updating these together to the extent
possible.
Re: NSS test failure on armhf
Marius Bakke writes:

> Marius Bakke writes:
>
>>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>>>> has since been released, so I'm currently testing it and will push an
>>>> update to it soon. Any issues on armhf will need to be dealt with in
>>>> another way.
>>>
>>> Mark,
>>>
>>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>>> not picked to the 3.30.2 release which only contains certificate
>>> changes[1].
>>>
>>> Squashing these two commits into one should fix the problem (the first
>>> fix was incomplete[2]):
>>>
>>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7

Good find, thank you! Since seeing the above post, I prepared my own
patches to update NSS to 3.30.2 and disable the long b64 tests.

And now I see you've prepared your own patch that only updates to
3.30.1. I'm not sure why we would consider rebuilding everything with
3.30.1 when 3.30.2 already exists, even if the only changes are to
certs.

I'll push this batch of patches soon, including fixes to graphite2 and
the icecat update, after a bit more testing.

Thanks!
Mark
Re: NSS test failure on armhf
Marius Bakke writes:

>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>>> has since been released, so I'm currently testing it and will push an
>>> update to it soon. Any issues on armhf will need to be dealt with in
>>> another way.
>>
>> Mark,
>>
>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>> not picked to the 3.30.2 release which only contains certificate
>> changes[1].
>>
>> Squashing these two commits into one should fix the problem (the first
>> fix was incomplete[2]):
>>
>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
>
> Here is a patch that updates to 3.30.1 and disables the b64 test.
>
> I'm building it on x86_64 now, but think it should be safe to push.
>
> What do you think?
>
> From 7f1a8eda567edb851e0f2cd1f08c6ac07e8a45cd Mon Sep 17 00:00:00 2001
> From: Marius Bakke
> Date: Thu, 20 Apr 2017 21:36:21 +0200
> Subject: [PATCH] gnu: nss: Update to 3.30.1 [fixes CVE-2017-5461].
>
> * gnu/packages/patches/nss-disable-b64_unittest.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/gnuzilla.scm (nss): Update to 3.30.1.
> [source]: Use it.

This built successfully on x86_64. Here's an excerpt from the log:

'B64EncodeDecodeTest: DISABLED_LongFakeDecTest1' SKIPPED
'B64EncodeDecodeTest: DISABLED_LongFakeEncDecTest1' SKIPPED
'B64EncodeDecodeTest: DISABLED_LongFakeEncDecTest2' SKIPPED

Are you currently building a version of this patch on armhf? If not I'd
like to push it.
Re: NSS test failure on armhf
Marius Bakke writes:

> Mark H Weaver writes:
>
>> Leo Famulari writes:
>>
>>> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
>>>> Hello!
>>>>
>>>> Since version 3.30.1, one test consistently fails on armhf. It is the
>>>> same as in this bug report, although we don't see the exception:
>>>>
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
>>>>
>>>> I initially thought this was due to stalls in the build process as we've
>>>> seen before and tried increasing the timeouts in a790f2620, but that
>>>> should probably be reverted.
>>>>
>>>> What should we do? We can either patch out this test, or go back to
>>>> 3.30. Here are the release notes for 3.30.1:
>>>>
>>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
>>>>
>>>> It fixes a non-public bug in the base64 implementation, but introduced a
>>>> test failure on at least two arches.
>>>>
>>>> Any preference?
>>>
>>> Since there were no changes to the set of certificates between 3.30 and
>>> 3.30.1 [0], I would revert it for now.
>>
>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>> has since been released, so I'm currently testing it and will push an
>> update to it soon. Any issues on armhf will need to be dealt with in
>> another way.
>
> Mark,
>
> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
> not picked to the 3.30.2 release which only contains certificate
> changes[1].
>
> Squashing these two commits into one should fix the problem (the first
> fix was incomplete[2]):
>
> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7

Here is a patch that updates to 3.30.1 and disables the b64 test.

I'm building it on x86_64 now, but think it should be safe to push.

What do you think?

From 7f1a8eda567edb851e0f2cd1f08c6ac07e8a45cd Mon Sep 17 00:00:00 2001
From: Marius Bakke Date: Thu, 20 Apr 2017 21:36:21 +0200 Subject: [PATCH] gnu: nss: Update to 3.30.1 and disable failing test [fixes CVE-2017-5461]. * gnu/packages/patches/nss-disable-b64_unittest.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gnuzilla.scm (nss): Update to 3.30.1. [source]: Use it. --- gnu/local.mk | 1 + gnu/packages/gnuzilla.scm | 5 +-- .../patches/nss-disable-b64_unittest.patch | 40 ++ 3 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/nss-disable-b64_unittest.patch diff --git a/gnu/local.mk b/gnu/local.mk index f38126251..d17f139a5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -803,6 +803,7 @@ dist_patch_DATA = \ %D%/packages/patches/ngircd-handle-zombies.patch \ %D%/packages/patches/ninja-zero-mtime.patch \ %D%/packages/patches/node-9077.patch\ + %D%/packages/patches/nss-disable-b64_unittest.patch \ %D%/packages/patches/nss-increase-test-timeout.patch \ %D%/packages/patches/nss-pkgconfig.patch \ %D%/packages/patches/ntfs-3g-CVE-2017-0358.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 87695329c..21902b427 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -194,7 +194,7 @@ in the Mozilla clients.") (define-public nss (package (name "nss") -(version "3.30") +(version "3.30.1") (source (origin (method url-fetch) (uri (let ((version-with-underscores @@ -205,9 +205,10 @@ in the Mozilla clients.") "nss-" version ".tar.gz"))) (sha256 (base32 -"1agkkwb51si4raw46p44vl3d0l7wzvdjcblpcdjjz6aymq6h1h58")) +"1djypq081m22iw0wg0q7gnpndam5f8qjhqfd5v9by4c6l6lp78hz")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-pkgconfig.patch" + "nss-disable-b64_unittest.patch" "nss-increase-test-timeout.patch" (build-system gnu-build-system) (outputs '("out" "bin")) diff --git a/gnu/packages/patches/nss-disable-b64_unittest.patch b/gnu/packages/patches/nss-disable-b64_unittest.patch new file mode 100644 index 0..8d2f1deb7 --- /dev/null 
+++ b/gnu/packages/patches/nss-disable-b64_unittest.patch @@ -0,0 +1,40 @@ +This disables a test that fails on armhf and ppc32. + +Upstream bug URL: + +https://bugzilla.mozilla.org/show_bug.cgi?id=1351459 + +Patch copied from upstream source repository: + +https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7 + +diff --git a/nss/gtests/util_gtest/util_b64_unittest.cc b/nss/gtests/util_gtest/util_b64_unittest.cc +--- a/nss/gtests/util_gtest/util_b64_unittest.cc b/nss/gtests/util_gtest/util_b64_unittest.cc +@@ -63,17 +63,19 @@ TEST_F(B64EncodeDecodeTest, EncDecTest) + + TEST_F(B64EncodeDecodeTest, FakeDecTe
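Review bot: In the second gnuzilla.scm hunk, "nss-disable-b64_unittest.patch" is added under the existing comment ";; Create nss.pc and nss-config.", which describes only nss-pkgconfig.patch. This update carries the fix for CVE-2017-5461 and the new patch switches off part of the base64 test coverage, so a comment beside the entry should say that it disables tests failing on armhf and point at the upstream bug, so that the patch is dropped once a release includes the upstream fix.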
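Review bot: The header of the new nss-disable-b64_unittest.patch credits only https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7, while the message proposing this approach says two upstream commits (802ec96a8dd1 and 00b2cc2b33c7) should be squashed because the first fix was incomplete. The header should state whether the file is the squash of both or only the second commit, and "a test" should be reworded if more than one test is disabled (the build log quoted later in the thread shows three DISABLED_ tests skipped). The hunk is cut off on this page after "FakeDecTe", so the body itself cannot be checked here.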
Re: NSS test failure on armhf
Mark H Weaver writes:

> Leo Famulari writes:
>
>> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
>>> Hello!
>>>
>>> Since version 3.30.1, one test consistently fails on armhf. It is the
>>> same as in this bug report, although we don't see the exception:
>>>
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
>>>
>>> I initially thought this was due to stalls in the build process as we've
>>> seen before and tried increasing the timeouts in a790f2620, but that
>>> should probably be reverted.
>>>
>>> What should we do? We can either patch out this test, or go back to
>>> 3.30. Here are the release notes for 3.30.1:
>>>
>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
>>>
>>> It fixes a non-public bug in the base64 implementation, but introduced a
>>> test failure on at least two arches.
>>>
>>> Any preference?
>>
>> Since there were no changes to the set of certificates between 3.30 and
>> 3.30.1 [0], I would revert it for now.
>
> It turns out that the bug fix in 3.30.1 is critical: it fixes
> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
> has since been released, so I'm currently testing it and will push an
> update to it soon. Any issues on armhf will need to be dealt with in
> another way.

Mark,

I checked this. The upstream 3.30 branch[0] contains a fix, but it was
not picked to the 3.30.2 release which only contains certificate
changes[1].

Squashing these two commits into one should fix the problem (the first
fix was incomplete[2]):

https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7

[0] https://hg.mozilla.org/projects/nss/shortlog/NSS_3_30_BRANCH
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.2_release_notes
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1351459#c6
Re: NSS test failure on armhf
On Thu, Apr 20, 2017 at 02:39:17PM -0400, Mark H Weaver wrote:
> It turns out that the bug fix in 3.30.1 is critical: it fixes
> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
> has since been released, so I'm currently testing it and will push an
> update to it soon. Any issues on armhf will need to be dealt with in
> another way.

Yikes, good catch!
Re: NSS test failure on armhf
Leo Famulari writes:

> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
>> Hello!
>>
>> Since version 3.30.1, one test consistently fails on armhf. It is the
>> same as in this bug report, although we don't see the exception:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
>>
>> I initially thought this was due to stalls in the build process as we've
>> seen before and tried increasing the timeouts in a790f2620, but that
>> should probably be reverted.
>>
>> What should we do? We can either patch out this test, or go back to
>> 3.30. Here are the release notes for 3.30.1:
>>
>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
>>
>> It fixes a non-public bug in the base64 implementation, but introduced a
>> test failure on at least two arches.
>>
>> Any preference?
>
> Since there were no changes to the set of certificates between 3.30 and
> 3.30.1 [0], I would revert it for now.

It turns out that the bug fix in 3.30.1 is critical: it fixes
CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
has since been released, so I'm currently testing it and will push an
update to it soon. Any issues on armhf will need to be dealt with in
another way.

Mark
Re: NSS test failure on armhf
Leo Famulari writes:

> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
>> Hello!
>>
>> Since version 3.30.1, one test consistently fails on armhf. It is the
>> same as in this bug report, although we don't see the exception:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
>>
>> I initially thought this was due to stalls in the build process as we've
>> seen before and tried increasing the timeouts in a790f2620, but that
>> should probably be reverted.
>>
>> What should we do? We can either patch out this test, or go back to
>> 3.30. Here are the release notes for 3.30.1:
>>
>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
>>
>> It fixes a non-public bug in the base64 implementation, but introduced a
>> test failure on at least two arches.
>>
>> Any preference?
>
> Since there were no changes to the set of certificates between 3.30 and
> 3.30.1 [0], I would revert it for now.

I reverted it. Luckily Hydra still has substitutes for 3.30 :)
Re: NSS test failure on armhf
On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
> Hello!
>
> Since version 3.30.1, one test consistently fails on armhf. It is the
> same as in this bug report, although we don't see the exception:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
>
> I initially thought this was due to stalls in the build process as we've
> seen before and tried increasing the timeouts in a790f2620, but that
> should probably be reverted.
>
> What should we do? We can either patch out this test, or go back to
> 3.30. Here are the release notes for 3.30.1:
>
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
>
> It fixes a non-public bug in the base64 implementation, but introduced a
> test failure on at least two arches.
>
> Any preference?

Since there were no changes to the set of certificates between 3.30 and
3.30.1 [0], I would revert it for now.

[0] https://wiki.mozilla.org/NSS:Release_Versions
NSS test failure on armhf
Hello!

Since version 3.30.1, one test consistently fails on armhf. It is the
same as in this bug report, although we don't see the exception:

https://bugzilla.mozilla.org/show_bug.cgi?id=1351459

I initially thought this was due to stalls in the build process as we've
seen before and tried increasing the timeouts in a790f2620, but that
should probably be reverted.

What should we do? We can either patch out this test, or go back to
3.30. Here are the release notes for 3.30.1:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes

It fixes a non-public bug in the base64 implementation, but introduced a
test failure on at least two arches.

Any preference?