Public bug reported:

[IMPACT]
nss is not a FIPS-certified library. On a machine running a FIPS-enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration, and since libnss3 is not a certified library we propose disabling the reading of the 'fips_enabled' flag and therefore the automatic switching of the library into FIPS mode. A FIPS customer reported a Firefox crash on a FIPS-enabled system, and strace showed libnss3 repeatedly trying to read the fips_enabled flag before the crash.

The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. Users of the library can, however, still force nss into FIPS mode via an environment variable. We plan to leave that as is so as not to regress existing users who may be using it.

The issue impacts libnss3 versions in eoan, disco, bionic and xenial.

lsb_release -rd
Description:    Ubuntu Eoan Ermine (development branch)
Release: 19.10

** Affects: nss (Ubuntu)
     Importance: High
     Assignee: Vineetha Kamath (vineetha)
         Status: New
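As an added triage helper, not part of the bug report or of nss itself: a POSIX shell script that checks the kernel flag described above and, where the modutil tool from the nss package is installed, whether a given NSS database is actually in FIPS mode, so the behaviour of libnss3 before and after the proposed patch can be verified on one machine. The database directory and the availability of modutil are assumptions.

```shell
#!/bin/sh
# Added triage helper; not part of the bug report or of the nss project.

# Return 0 when the kernel FIPS flag at $1 (default: the real procfs path)
# reads "1". A missing or unreadable file counts as "not enabled", which
# is also what a kernel without FIPS support looks like.
kernel_fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || return 1
    value=$(cat "$flag_file" 2>/dev/null | tr -d '[:space:]')
    [ "$value" = "1" ]
}

# Print "fips" or "non-fips" for the NSS database directory given as $1.
# Uses modutil -chkfips, which exits non-zero when the softoken module is
# not in the requested mode. Prints "unknown" when modutil is not installed
# (on Ubuntu it ships in libnss3-tools; that package name is an assumption
# about the reader's system, not something stated in the bug report).
nss_fips_status() {
    dbdir="$1"
    command -v modutil >/dev/null 2>&1 || { echo unknown; return 2; }
    if modutil -dbdir "sql:$dbdir" -chkfips true >/dev/null 2>&1; then
        echo fips
    else
        echo non-fips
    fi
}

# When run directly: report both facts for the current system. The shared
# user NSS database path below is an assumed default, not from the report.
if kernel_fips_enabled; then
    echo "kernel: fips_enabled=1"
else
    echo "kernel: fips_enabled=0 (or flag absent)"
fi
db="${HOME:-/root}/.pki/nssdb"
echo "nss ($db): $(nss_fips_status "$db")"
```

On an unpatched libnss3 a kernel reporting fips_enabled=1 should yield "fips" for the database; with the proposed patch applied the same machine should report "non-fips" unless the environment variable override is set.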

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1837734

Title:
  firefox crash on a FIPS enabled machine due to libnss3

Status in nss package in Ubuntu:
  New
