From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marius Bakke Subject: Re: NSS test failure on armhf Date: Thu, 20 Apr 2017 21:28:10 +0200 Message-ID: <87bmrqubed.fsf@fastmail.com> References: <874lxmlodc.fsf@fastmail.com> <20170417215234.GA32573@jasmine> <87k26e7wkq.fsf@netris.org> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:57555) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d1HkW-0008T2-Vl for guix-devel@gnu.org; Thu, 20 Apr 2017 15:28:18 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1d1HkT-0000v4-Qy for guix-devel@gnu.org; Thu, 20 Apr 2017 15:28:16 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:39969) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1d1HkT-0000ur-CK for guix-devel@gnu.org; Thu, 20 Apr 2017 15:28:13 -0400 In-Reply-To: <87k26e7wkq.fsf@netris.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Mark H Weaver , Leo Famulari Cc: guix-devel@gnu.org --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Mark H Weaver writes: > Leo Famulari writes: > >> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote: >>> Hello! >>>=20 >>> Since version 3.30.1, one test consistently fails on armhf. It is the >>> same as in this bug report, although we don't see the exception: >>>=20 >>> https://bugzilla.mozilla.org/show_bug.cgi?id=3D1351459 >>>=20 >>> I initially thought this was due to stalls in the build process as we've >>> seen before and tried increasing the timeouts in a790f2620, but that >>> should probably be reverted. >>>=20 >>> What should we do? We can either patch out this test, or go back to >>> 3.30. Here are the release notes for 3.30.1: >>>=20 >>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.= 1_release_notes >>>=20 >>> It fixes a non-public bug in the base64 implementation, but introduced a >>> test failure on at least two arches. >>>=20 >>> Any preference? >> >> Since there were no changes to the set of certificates between 3.30 and >> 3.30.1 [0], I would revert it for now. > > It turns out that the bug fix in 3.30.1 is critical: it fixes > CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2 > has since been released, so I'm currently testing it and will push an > update to it soon. Any issues on armhf will need to be dealt with in > another way. Mark, I checked this. The upstream 3.30 branch[0] contains a fix, but it was not picked to the 3.30.2 release which only contains certificate changes[1]. Squashing these two commits into one should fix the problem (the first fix was incomplete[2]): https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1 https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7 [0] https://hg.mozilla.org/projects/nss/shortlog/NSS_3_30_BRANCH [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.= 2_release_notes [2] https://bugzilla.mozilla.org/show_bug.cgi?id=3D1351459#c6 --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlj5C8oACgkQoqBt8qM6 VPriPggAwH8DDgx5Y82fyDaj/GIShzQTD7D5nW+e8GLsvf5RdzRQY+Hw4PV4r7Lv u1xnxvKQtkEvYvGBbr5+3Ho8p2nNevfrPTpkiW+ce/oDNaOb8eZ7s3+SWLaYhj7Z fHr9LPtz7neqRuDBhxoK6e/ldprcJhJSM12ubmfsV/gUwBj1pvIZYD5hGBhFkgKd wAq7iEQ5dRc9UWqaNFS9Y2wpZTrXX7tZwk76s1MS076zYX88lANbJx0Ilp3XlAQi y20vxU8xqbzG+1UlrY+AOlQwaueVmEtMO7Zz/zZQsXRwFu1K+OaZPqmU8oxQ0+Qq A6oPxV5IBRxNNUY7nhPwD1PjvLXUdw== =JPWf -----END PGP SIGNATURE----- --=-=-=--