From: Marius Bakke
Subject: Re: NSS test failure on armhf
Date: Thu, 20 Apr 2017 23:14:58 +0200
Message-ID: <8760hyu6gd.fsf@fastmail.com>
References: <874lxmlodc.fsf@fastmail.com> <20170417215234.GA32573@jasmine> <87k26e7wkq.fsf@netris.org> <87bmrqubed.fsf@fastmail.com> <878tmuuaox.fsf@fastmail.com>
In-Reply-To: <878tmuuaox.fsf@fastmail.com>
To: Mark H Weaver, Leo Famulari
Cc: guix-devel@gnu.org

Marius Bakke writes:

>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>>> has since been released, so I'm currently testing it and will push an
>>> update to it soon. Any issues on armhf will need to be dealt with in
>>> another way.
>>
>> Mark,
>>
>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>> not picked to the 3.30.2 release which only contains certificate
>> changes[1].
>>
>> Squashing these two commits into one should fix the problem (the first
>> fix was incomplete[2]):
>>
>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
>
> Here is a patch that updates to 3.30.1 and disables the b64 test.
>
> I'm building it on x86_64 now, but think it should be safe to push.
>
> What do you think?
>
> From 7f1a8eda567edb851e0f2cd1f08c6ac07e8a45cd Mon Sep 17 00:00:00 2001
> From: Marius Bakke
> Date: Thu, 20 Apr 2017 21:36:21 +0200
> Subject: [PATCH] gnu: nss: Update to 3.30.1 [fixes CVE-2017-5461].
>
> * gnu/packages/patches/nss-disable-b64_unittest.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/gnuzilla.scm (nss): Update to 3.30.1.
> [source]: Use it.

This built successfully on x86_64. Here's an excerpt from the log:

'B64EncodeDecodeTest: DISABLED_LongFakeDecTest1' SKIPPED
'B64EncodeDecodeTest: DISABLED_LongFakeEncDecTest1' SKIPPED
'B64EncodeDecodeTest: DISABLED_LongFakeEncDecTest2' SKIPPED

Are you currently building a version of this patch on armhf? If not I'd
like to push it.