Public bug reported: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 ** Affects: nss (Ubuntu) Importance: High Assignee: Vineetha Kamath (vineetha) Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1837734 Title: firefox crash on a FIPS enabled machine due to libnss3 Status in nss package in Ubuntu: New Bug description: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp