From: Marius Bakke <mbakke@fastmail.com>
To: Mark H Weaver <mhw@netris.org>, Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: NSS test failure on armhf
Date: Thu, 20 Apr 2017 21:43:26 +0200 [thread overview]
Message-ID: <878tmuuaox.fsf@fastmail.com> (raw)
In-Reply-To: <87bmrqubed.fsf@fastmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 2018 bytes --]
Marius Bakke <mbakke@fastmail.com> writes:
> Mark H Weaver <mhw@netris.org> writes:
>
>> Leo Famulari <leo@famulari.name> writes:
>>
>>> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
>>>> Hello!
>>>>
>>>> Since version 3.30.1, one test consistently fails on armhf. It is the
>>>> same as in this bug report, although we don't see the exception:
>>>>
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
>>>>
>>>> I initially thought this was due to stalls in the build process as we've
>>>> seen before and tried increasing the timeouts in a790f2620, but that
>>>> should probably be reverted.
>>>>
>>>> What should we do? We can either patch out this test, or go back to
>>>> 3.30. Here are the release notes for 3.30.1:
>>>>
>>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
>>>>
>>>> It fixes a non-public bug in the base64 implementation, but introduced a
>>>> test failure on at least two arches.
>>>>
>>>> Any preference?
>>>
>>> Since there were no changes to the set of certificates between 3.30 and
>>> 3.30.1 [0], I would revert it for now.
>>
>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>> has since been released, so I'm currently testing it and will push an
>> update to it soon. Any issues on armhf will need to be dealt with in
>> another way.
>
> Mark,
>
> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
> not picked to the 3.30.2 release which only contains certificate
> changes[1].
>
> Squashing these two commits into one should fix the problem (the first
> fix was incomplete[2]):
>
> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
Here is a patch that updates to 3.30.1 and disables the b64 test.
I'm building it on x86_64 now, but think it should be safe to push.
What do you think?
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-gnu-nss-Update-to-3.30.1-and-disable-failing-test-fi.patch --]
[-- Type: text/x-patch, Size: 3937 bytes --]
From 7f1a8eda567edb851e0f2cd1f08c6ac07e8a45cd Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Thu, 20 Apr 2017 21:36:21 +0200
Subject: [PATCH] gnu: nss: Update to 3.30.1 and disable failing test [fixes
CVE-2017-5461].
* gnu/packages/patches/nss-disable-b64_unittest.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (nss): Update to 3.30.1.
[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/gnuzilla.scm | 5 +--
.../patches/nss-disable-b64_unittest.patch | 40 ++++++++++++++++++++++
3 files changed, 44 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/nss-disable-b64_unittest.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index f38126251..d17f139a5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -803,6 +803,7 @@ dist_patch_DATA = \
%D%/packages/patches/ngircd-handle-zombies.patch \
%D%/packages/patches/ninja-zero-mtime.patch \
%D%/packages/patches/node-9077.patch \
+ %D%/packages/patches/nss-disable-b64_unittest.patch \
%D%/packages/patches/nss-increase-test-timeout.patch \
%D%/packages/patches/nss-pkgconfig.patch \
%D%/packages/patches/ntfs-3g-CVE-2017-0358.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 87695329c..21902b427 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -194,7 +194,7 @@ in the Mozilla clients.")
(define-public nss
(package
(name "nss")
- (version "3.30")
+ (version "3.30.1")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -205,9 +205,10 @@ in the Mozilla clients.")
"nss-" version ".tar.gz")))
(sha256
(base32
- "1agkkwb51si4raw46p44vl3d0l7wzvdjcblpcdjjz6aymq6h1h58"))
+ "1djypq081m22iw0wg0q7gnpndam5f8qjhqfd5v9by4c6l6lp78hz"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-pkgconfig.patch"
+ "nss-disable-b64_unittest.patch"
"nss-increase-test-timeout.patch"))))
(build-system gnu-build-system)
(outputs '("out" "bin"))
diff --git a/gnu/packages/patches/nss-disable-b64_unittest.patch b/gnu/packages/patches/nss-disable-b64_unittest.patch
new file mode 100644
index 000000000..8d2f1deb7
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-b64_unittest.patch
@@ -0,0 +1,40 @@
+This disables a test that fails on armhf and ppc32.
+
+Upstream bug URL:
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
+
+Patch copied from upstream source repository:
+
+https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
+
+diff --git a/nss/gtests/util_gtest/util_b64_unittest.cc b/nss/gtests/util_gtest/util_b64_unittest.cc
+--- a/nss/gtests/util_gtest/util_b64_unittest.cc
++++ b/nss/gtests/util_gtest/util_b64_unittest.cc
+@@ -63,17 +63,19 @@ TEST_F(B64EncodeDecodeTest, EncDecTest)
+
+ TEST_F(B64EncodeDecodeTest, FakeDecTest) { EXPECT_TRUE(TestFakeDecode(100)); }
+
+ TEST_F(B64EncodeDecodeTest, FakeEncDecTest) {
+ EXPECT_TRUE(TestFakeEncode(100));
+ }
+
+ // These takes a while ...
+-TEST_F(B64EncodeDecodeTest, LongFakeDecTest1) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeDecTest1) {
+ EXPECT_TRUE(TestFakeDecode(0x66666666));
+ }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest1) { TestFakeEncode(0x3fffffff); }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest2) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest1) {
++ TestFakeEncode(0x3fffffff);
++}
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest2) {
+ EXPECT_FALSE(TestFakeEncode(0x40000000));
+ }
+
+ } // namespace nss_test
+
+
+
+
--
2.12.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
next prev parent reply other threads:[~2017-04-20 19:43 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-17 21:23 NSS test failure on armhf Marius Bakke
2017-04-17 21:52 ` Leo Famulari
2017-04-17 22:35 ` Marius Bakke
2017-04-20 18:39 ` Mark H Weaver
2017-04-20 18:49 ` Leo Famulari
2017-04-20 19:28 ` Marius Bakke
2017-04-20 19:43 ` Marius Bakke [this message]
2017-04-20 21:14 ` Marius Bakke
2017-04-20 21:52 ` Mark H Weaver
2017-04-20 22:18 ` Marius Bakke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878tmuuaox.fsf@fastmail.com \
--to=mbakke@fastmail.com \
--cc=guix-devel@gnu.org \
--cc=leo@famulari.name \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).