Marius Bakke writes:

>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>>> has since been released, so I'm currently testing it and will push an
>>> update to it soon. Any issues on armhf will need to be dealt with in
>>> another way.
>>
>> Mark,
>>
>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>> not picked to the 3.30.2 release which only contains certificate
>> changes[1].
>>
>> Squashing these two commits into one should fix the problem (the first
>> fix was incomplete[2]):
>>
>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
>
> Here is a patch that updates to 3.30.1 and disables the b64 test.
>
> I'm building it on x86_64 now, but think it should be safe to push.
>
> What do you think?
>
> From 7f1a8eda567edb851e0f2cd1f08c6ac07e8a45cd Mon Sep 17 00:00:00 2001
> From: Marius Bakke
> Date: Thu, 20 Apr 2017 21:36:21 +0200
> Subject: [PATCH] gnu: nss: Update to 3.30.1 [fixes CVE-2017-5461].
>
> * gnu/packages/patches/nss-disable-b64_unittest.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/gnuzilla.scm (nss): Update to 3.30.1.
> [source]: Use it.

This built successfully on x86_64. Here's an excerpt from the log:

'B64EncodeDecodeTest: DISABLED_LongFakeDecTest1' SKIPPED
'B64EncodeDecodeTest: DISABLED_LongFakeEncDecTest1' SKIPPED
'B64EncodeDecodeTest: DISABLED_LongFakeEncDecTest2' SKIPPED

Are you currently building a version of this patch on armhf? If not I'd like to push it.