From: Marius Bakke
Subject: Re: NSS test failure on armhf
Date: Fri, 21 Apr 2017 00:18:07 +0200
Message-ID: <87zifasoyo.fsf@fastmail.com>
In-Reply-To: <87bmrq7nn9.fsf@netris.org>
References: <874lxmlodc.fsf@fastmail.com> <20170417215234.GA32573@jasmine> <87k26e7wkq.fsf@netris.org> <87bmrqubed.fsf@fastmail.com> <878tmuuaox.fsf@fastmail.com> <8760hyu6gd.fsf@fastmail.com> <87bmrq7nn9.fsf@netris.org>
To: Mark H Weaver
Cc: guix-devel@gnu.org

Mark H Weaver writes:

> Marius Bakke writes:
>
>> Marius Bakke writes:
>>
>>>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>>>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>>>>> has since been released, so I'm currently testing it and will push an
>>>>> update to it soon. Any issues on armhf will need to be dealt with in
>>>>> another way.
>>>>
>>>> Mark,
>>>>
>>>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>>>> not picked to the 3.30.2 release which only contains certificate
>>>> changes[1].
>>>>
>>>> Squashing these two commits into one should fix the problem (the first
>>>> fix was incomplete[2]):
>>>>
>>>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>>>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
>
> Good find, thank you! Since seeing the above post, I prepared my own
> patches to update NSS to 3.30.2 and disable the long b64 tests.
>
> And now I see you've prepared your own patch that only updates to
> 3.30.1. I'm not sure why we would consider rebuilding everything with
> 3.30.1 when 3.30.2 already exists, even if the only changes are to
> certs.
>
> I'll push this batch of patches soon, including fixes to graphite2 and
> the icecat update, after a bit more testing.

Great, thanks! I could not find any compelling reason to use the 3.30.2
tarball (other than disk space on builders), and found the version
"mismatch" between 'nss-certs' and 'nss' more distinctive.

However, after diffing 3.30.1 and 3.30.2, it seems certificate changes
also bump the library version:

https://hg.mozilla.org/projects/nss/diff/dc97a4930479/lib/ckfw/builtins/nssckbi.h

So I guess we should keep updating these together to the extent possible.