* [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
@ 2017-04-20 22:29 Mark H Weaver
2017-04-21 17:59 ` Mark H Weaver
0 siblings, 1 reply; 5+ messages in thread
From: Mark H Weaver @ 2017-04-20 22:29 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 166 bytes --]
These patches update nss to 3.30.2 and disable long b64 tests which fail
on some systems including armhf. I'll push them soon after some light
testing.
Mark
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: [PATCH 1/2] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461] --]
[-- Type: text/x-patch, Size: 1302 bytes --]
From c1ba9c385a23ede10cb5e79c24f66dbb86c1f6fe Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Thu, 20 Apr 2017 14:55:31 -0400
Subject: [PATCH 1/2] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
* gnu/packages/gnuzilla.scm (nss): Update to 3.30.2.
---
gnu/packages/gnuzilla.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 87695329c..59f790a6e 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -194,7 +194,7 @@ in the Mozilla clients.")
(define-public nss
(package
(name "nss")
- (version "3.30")
+ (version "3.30.2")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -205,7 +205,7 @@ in the Mozilla clients.")
"nss-" version ".tar.gz")))
(sha256
(base32
- "1agkkwb51si4raw46p44vl3d0l7wzvdjcblpcdjjz6aymq6h1h58"))
+ "096frzvyp3z257x84rxknscfgsbavzh2a0gyibx7kvmw4vzpfjhd"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-pkgconfig.patch"
"nss-increase-test-timeout.patch"))))
--
2.12.2
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.3: [PATCH 2/2] gnu: nss: Disable long b64 tests --]
[-- Type: text/x-patch, Size: 3598 bytes --]
From e07aa7534aa97617ce15fa07c244dc6f901af92f Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Thu, 20 Apr 2017 17:42:52 -0400
Subject: [PATCH 2/2] gnu: nss: Disable long b64 tests.
Suggested by Marius Bakke <mbakke@fastmail.com> in
<https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00440.html>.
* gnu/packages/patches/nss-disable-long-b64-tests.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (nss)[source]: Add patch.
---
gnu/local.mk | 1 +
gnu/packages/gnuzilla.scm | 1 +
.../patches/nss-disable-long-b64-tests.patch | 34 ++++++++++++++++++++++
3 files changed, 36 insertions(+)
create mode 100644 gnu/packages/patches/nss-disable-long-b64-tests.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index ec27e8765..ed3683f19 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -814,6 +814,7 @@ dist_patch_DATA = \
%D%/packages/patches/ngircd-handle-zombies.patch \
%D%/packages/patches/ninja-zero-mtime.patch \
%D%/packages/patches/node-9077.patch \
+ %D%/packages/patches/nss-disable-long-b64-tests.patch \
%D%/packages/patches/nss-increase-test-timeout.patch \
%D%/packages/patches/nss-pkgconfig.patch \
%D%/packages/patches/ntfs-3g-CVE-2017-0358.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 59f790a6e..fd058d022 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -208,6 +208,7 @@ in the Mozilla clients.")
"096frzvyp3z257x84rxknscfgsbavzh2a0gyibx7kvmw4vzpfjhd"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-pkgconfig.patch"
+ "nss-disable-long-b64-tests.patch"
"nss-increase-test-timeout.patch"))))
(build-system gnu-build-system)
(outputs '("out" "bin"))
diff --git a/gnu/packages/patches/nss-disable-long-b64-tests.patch b/gnu/packages/patches/nss-disable-long-b64-tests.patch
new file mode 100644
index 000000000..612d94128
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-long-b64-tests.patch
@@ -0,0 +1,34 @@
+Disable long b64 tests, which consistently fail on armhf.
+This is based on an excerpt of the following upstream patch:
+
+ https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
+
+(we exclude the part of the upstream patch that reverts
+an earlier failed attempt, and adapt the file names)
+
+diff --git a/gtests/util_gtest/util_b64_unittest.cc b/gtests/util_gtest/util_b64_unittest.cc
+--- a/nss/gtests/util_gtest/util_b64_unittest.cc
++++ b/nss/gtests/util_gtest/util_b64_unittest.cc
+@@ -63,17 +63,19 @@ TEST_F(B64EncodeDecodeTest, EncDecTest)
+
+ TEST_F(B64EncodeDecodeTest, FakeDecTest) { EXPECT_TRUE(TestFakeDecode(100)); }
+
+ TEST_F(B64EncodeDecodeTest, FakeEncDecTest) {
+ EXPECT_TRUE(TestFakeEncode(100));
+ }
+
+ // These takes a while ...
+-TEST_F(B64EncodeDecodeTest, LongFakeDecTest1) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeDecTest1) {
+ EXPECT_TRUE(TestFakeDecode(0x66666666));
+ }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest1) { TestFakeEncode(0x3fffffff); }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest2) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest1) {
++ TestFakeEncode(0x3fffffff);
++}
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest2) {
+ EXPECT_FALSE(TestFakeEncode(0x40000000));
+ }
+
+ } // namespace nss_test
--
2.12.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
2017-04-20 22:29 [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461] Mark H Weaver
@ 2017-04-21 17:59 ` Mark H Weaver
2017-04-22 7:40 ` Marius Bakke
0 siblings, 1 reply; 5+ messages in thread
From: Mark H Weaver @ 2017-04-21 17:59 UTC (permalink / raw)
To: guix-devel
Mark H Weaver <mhw@netris.org> writes:
> These patches update nss to 3.30.2 and disable long b64 tests which fail
> on some systems including armhf. I'll push them soon after some light
> testing.
Unfortunately, even with "nss-increase-test-timeout.patch" and
"nss-disable-long-b64-tests.patch", the build still failed on armhf:
https://hydra.gnu.org/build/2010324
It would be good to find a way to fix or work around this issue without
forcing rebuilds on other platforms. Also, I feel it's important to
always run tests on NSS on all platforms.
Mark
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
2017-04-21 17:59 ` Mark H Weaver
@ 2017-04-22 7:40 ` Marius Bakke
2017-04-22 19:51 ` Mark H Weaver
0 siblings, 1 reply; 5+ messages in thread
From: Marius Bakke @ 2017-04-22 7:40 UTC (permalink / raw)
To: Mark H Weaver, guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 2191 bytes --]
Mark H Weaver <mhw@netris.org> writes:
> Mark H Weaver <mhw@netris.org> writes:
>
>> These patches update nss to 3.30.2 and disable long b64 tests which fail
>> on some systems including armhf. I'll push them soon after some light
>> testing.
>
> Unfortunately, even with "nss-increase-test-timeout.patch" and
> "nss-disable-long-b64-tests.patch", the build still failed on armhf:
>
> https://hydra.gnu.org/build/2010324
>
> It would be good to find a way to fix or work around this issue without
> forcing rebuilds on other platforms. Also, I feel it's important to
> always run tests on NSS on all platforms.
Here is the relevant excerpt from the log:
[ RUN ] SkipVariants/TlsSkipTest.SkipCertificateRsa/0
Version: TLS 1.1
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
Dropping handshake: 11
record old: [531] 020000510302f666481a7e6747c16e682f37345e569db0d06bdb08b5a8894ec8...
record new: [89] 020000510302f666481a7e6747c16e682f37345e569db0d06bdb08b5a8894ec8...
server: Original packet: [536] 1603020213020000510302f666481a7e6747c16e682f37345e569db0d06bdb08...
server: Filtered packet: [94] 1603020059020000510302f666481a7e6747c16e682f37345e569db0d06bdb08...
Alert: [2] 020a
client: Alert sent: level=2 desc=10
client: Handshake failed with error SSL_ERROR_RX_UNEXPECTED_HELLO_DONE: SSL received an unexpected Server Hello Done handshake message.
client: Changing state from CONNECTING to ERROR
tls_connect.cc:238: Failure
Value of: (client_->state() != TlsAgent::STATE_CONNECTING) && (server_->state() != TlsAgent::STATE_CONNECTING)
Actual: false
Expected: true
tls_connect.cc:374: Failure
Value of: server_->state()
Actual: CONNECTING
Expected: TlsAgent::STATE_ERROR
Which is: ERROR
[ FAILED ] SkipVariants/TlsSkipTest.SkipCertificateRsa/0, where GetParam() = ("TLS", 770) (50449 ms)
This looks very similar to the random connect timeouts that prompted the
"increase-test-timeouts" patch, except this time it took 50s instead of
~20s:
https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00412.html
(search for '[ FAILED' in the build logs)
I am 99% sure the attached patch will do the job. What do you think?
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-gnu-nss-Further-increase-test-timeouts-on-armhf.patch --]
[-- Type: text/x-patch, Size: 1476 bytes --]
From a6876365f2ee9a82452c3f364ee1cd94e44423c2 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 22 Apr 2017 09:25:36 +0200
Subject: [PATCH] gnu: nss: Further increase test timeouts on armhf.
* gnu/packages/gnuzilla.scm (nss)[arguments]<#:phases>: Add a substitution
when target platform is armhf.
---
gnu/packages/gnuzilla.scm | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index efe63adb4..37c2eb006 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -241,6 +241,16 @@ in the Mozilla clients.")
`((setenv "USE_64" "1")))
(_
'()))
+ ;; The timeout values in "increase-test-timeouts" are still
+ ;; too low, so apply this workaround on armhf for now to avoid
+ ;; rebuilding on all platforms. This should be incorporated in
+ ;; the patch for the next update.
+ ;; https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00472.html
+ ,@(if (string-prefix? "armhf" (or (%current-target-system)
+ (%current-system)))
+ `((substitute* "nss/gtests/ssl_gtest/tls_connect.cc"
+ (("25000\\);") "60000);")))
+ '())
#t))
(replace 'check
(lambda _
--
2.12.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
2017-04-22 7:40 ` Marius Bakke
@ 2017-04-22 19:51 ` Mark H Weaver
2017-04-23 9:40 ` Marius Bakke
0 siblings, 1 reply; 5+ messages in thread
From: Mark H Weaver @ 2017-04-22 19:51 UTC (permalink / raw)
To: Marius Bakke; +Cc: guix-devel
Hi Marius,
Marius Bakke <mbakke@fastmail.com> writes:
> Mark H Weaver <mhw@netris.org> writes:
>
>> Unfortunately, even with "nss-increase-test-timeout.patch" and
>> "nss-disable-long-b64-tests.patch", the build still failed on armhf:
>>
>> https://hydra.gnu.org/build/2010324
>
> This looks very similar to the random connect timeouts that prompted the
> "increase-test-timeouts" patch, except this time it took 50s instead of
> ~20s:
Thanks very much for looking into it.
50 seconds to make a local connection? Bah, that's ridiculous! I'm
beginning to wonder if the kernels running on these build slaves have
buggy schedulers resulting in starvation, or perhaps we're overloading
them too much.
> I am 99% sure the attached patch will do the job. What do you think?
If it sometimes takes 50 seconds to make a local connection, then I
suspect it could occasionally take much longer than a minute.
For now, I've asked Hydra to try building it again, as is.
Maybe in 'core-updates' we should consider increasing the timeout to
something on the order of 5 or 10 minutes.
What do you think?
Mark
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
2017-04-22 19:51 ` Mark H Weaver
@ 2017-04-23 9:40 ` Marius Bakke
0 siblings, 0 replies; 5+ messages in thread
From: Marius Bakke @ 2017-04-23 9:40 UTC (permalink / raw)
To: Mark H Weaver; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1434 bytes --]
Mark H Weaver <mhw@netris.org> writes:
> Hi Marius,
>
> Marius Bakke <mbakke@fastmail.com> writes:
>> Mark H Weaver <mhw@netris.org> writes:
>>
>>> Unfortunately, even with "nss-increase-test-timeout.patch" and
>>> "nss-disable-long-b64-tests.patch", the build still failed on armhf:
>>>
>>> https://hydra.gnu.org/build/2010324
>>
>> This looks very similar to the random connect timeouts that prompted the
>> "increase-test-timeouts" patch, except this time it took 50s instead of
>> ~20s:
>
> Thanks very much for looking into it.
>
> 50 seconds to make a local connection? Bah, that's ridiculous! I'm
> beginning to wonder if the kernels running on these build slaves have
> buggy schedulers resulting in starvation, or perhaps we're overloading
> them too much.
I've wondered about this too. Even x86_64 exceeded the default 5s
timeout once. Maybe they are swapping to a busy I/O device?
>> I am 99% sure the attached patch will do the job. What do you think?
>
> If it sometimes takes 50 seconds to make a local connection, then I
> suspect it could occasionally take much longer than a minute.
>
> For now, I've asked Hydra to try building it again, as is.
>
> Maybe in 'core-updates' we should consider increasing the timeout to
> something on the order of 5 or 10 minutes.
This time a different test timed out at 34s. For now, I pushed the
change for armhf only with timeout set to 5 minutes. Let's see how that
goes.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-04-23 9:40 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-04-20 22:29 [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461] Mark H Weaver
2017-04-21 17:59 ` Mark H Weaver
2017-04-22 7:40 ` Marius Bakke
2017-04-22 19:51 ` Mark H Weaver
2017-04-23 9:40 ` Marius Bakke
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).