From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Marius Bakke
Subject: Re: NSS test failure on armhf
Date: Thu, 20 Apr 2017 21:43:26 +0200
Message-ID: <878tmuuaox.fsf@fastmail.com>
References: <874lxmlodc.fsf@fastmail.com> <20170417215234.GA32573@jasmine> <87k26e7wkq.fsf@netris.org> <87bmrqubed.fsf@fastmail.com>
In-Reply-To: <87bmrqubed.fsf@fastmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Mark H Weaver, Leo Famulari
Cc: guix-devel@gnu.org
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"

--==-=-=
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

Marius Bakke writes:

> Mark H Weaver writes:
>
>> Leo Famulari writes:
>>
>>> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
>>>> Hello!
>>>>
>>>> Since version 3.30.1, one test consistently fails on armhf. It is the
>>>> same as in this bug report, although we don't see the exception:
>>>>
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
>>>>
>>>> I initially thought this was due to stalls in the build process as we've
>>>> seen before and tried increasing the timeouts in a790f2620, but that
>>>> should probably be reverted.
>>>>
>>>> What should we do? We can either patch out this test, or go back to
>>>> 3.30. Here are the release notes for 3.30.1:
>>>>
>>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
>>>>
>>>> It fixes a non-public bug in the base64 implementation, but introduced a
>>>> test failure on at least two arches.
>>>>
>>>> Any preference?
>>>
>>> Since there were no changes to the set of certificates between 3.30 and
>>> 3.30.1 [0], I would revert it for now.
>>
>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>> has since been released, so I'm currently testing it and will push an
>> update to it soon. Any issues on armhf will need to be dealt with in
>> another way.
>
> Mark,
>
> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
> not picked to the 3.30.2 release which only contains certificate
> changes[1].
>
> Squashing these two commits into one should fix the problem (the first
> fix was incomplete[2]):
>
> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7

Here is a patch that updates to 3.30.1 and disables the b64 test. I'm
building it on x86_64 now, but think it should be safe to push.
What do you think?

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-gnu-nss-Update-to-3.30.1-and-disable-failing-test-fi.patch
Content-Transfer-Encoding: quoted-printable

From=207f1a8eda567edb851e0f2cd1f08c6ac07e8a45cd Mon Sep 17 00:00:00 2001
From: Marius Bakke Date: Thu, 20 Apr 2017 21:36:21 +0200 Subject: [PATCH] gnu: nss: Update to 3.30.1 and disable failing test [fixes CVE-2017-5461]. * gnu/packages/patches/nss-disable-b64_unittest.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gnuzilla.scm (nss): Update to 3.30.1. [source]: Use it. =2D-- gnu/local.mk | 1 + gnu/packages/gnuzilla.scm | 5 +-- .../patches/nss-disable-b64_unittest.patch | 40 ++++++++++++++++++= ++++ 3 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/nss-disable-b64_unittest.patch diff --git a/gnu/local.mk b/gnu/local.mk index f38126251..d17f139a5 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -803,6 +803,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/ngircd-handle-zombies.patch \ %D%/packages/patches/ninja-zero-mtime.patch \ %D%/packages/patches/node-9077.patch \ + %D%/packages/patches/nss-disable-b64_unittest.patch \ %D%/packages/patches/nss-increase-test-timeout.patch \ %D%/packages/patches/nss-pkgconfig.patch \ %D%/packages/patches/ntfs-3g-CVE-2017-0358.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 87695329c..21902b427 100644 =2D-- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -194,7 +194,7 @@ in the Mozilla clients.") (define-public nss (package (name "nss") =2D (version "3.30") + (version "3.30.1") (source (origin (method url-fetch) (uri (let ((version-with-underscores @@ -205,9 +205,10 @@ in the Mozilla clients.") "nss-" version ".tar.gz"))) (sha256 (base32 =2D "1agkkwb51si4raw46p44vl3d0l7wzvdjcblpcdjjz6aymq6h1h58")) + "1djypq081m22iw0wg0q7gnpndam5f8qjhqfd5v9by4c6l6lp78hz")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-pkgconfig.patch" + "nss-disable-b64_unittest.patch" "nss-increase-test-timeout.patch"))= )) (build-system gnu-build-system) (outputs '("out" "bin")) 
diff --git a/gnu/packages/patches/nss-disable-b64_unittest.patch b/gnu/pack= ages/patches/nss-disable-b64_unittest.patch new file mode 100644 index 000000000..8d2f1deb7 =2D-- /dev/null +++ b/gnu/packages/patches/nss-disable-b64_unittest.patch 
@@ -0,0 +1,40 @@ +This disables a test that fails on armhf and ppc32. + +Upstream bug URL: + +https://bugzilla.mozilla.org/show_bug.cgi?id=3D1351459 + +Patch copied from upstream source repository: + +https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7 + +diff --git a/nss/gtests/util_gtest/util_b64_unittest.cc b/nss/gtests/util_= gtest/util_b64_unittest.cc +--- a/nss/gtests/util_gtest/util_b64_unittest.cc ++++ b/nss/gtests/util_gtest/util_b64_unittest.cc +@@ -63,17 +63,19 @@ TEST_F(B64EncodeDecodeTest, EncDecTest)=20 +=20 + TEST_F(B64EncodeDecodeTest, FakeDecTest) { EXPECT_TRUE(TestFakeDecode(100= )); } +=20 + TEST_F(B64EncodeDecodeTest, FakeEncDecTest) { + EXPECT_TRUE(TestFakeEncode(100)); + } +=20 + // These takes a while ... +-TEST_F(B64EncodeDecodeTest, LongFakeDecTest1) { ++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeDecTest1) { + EXPECT_TRUE(TestFakeDecode(0x66666666)); + } +-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest1) { TestFakeEncode(0x3ffff= fff); } +-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest2) { ++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest1) { ++ TestFakeEncode(0x3fffffff); ++} ++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest2) { + EXPECT_FALSE(TestFakeEncode(0x40000000)); + } +=20 + } // namespace nss_test + + + + =2D-=20 2.12.2 --=-=-=-- --==-=-=--
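
Review bot: In gnu/packages/gnuzilla.scm, the (version "3.30.1") line targets a release that the thread says has already been superseded by 3.30.2, which Mark reports he is testing and which, per the quoted analysis, differs only in certificate changes. Consider rebasing the version and base32 hash onto 3.30.2 so the CVE-2017-5461 fix and the certificate update land in one change, or say in the commit message why 3.30.1 is the intended target.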
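
Review bot: In the search-patches list of gnu/packages/gnuzilla.scm, "nss-increase-test-timeout.patch" stays in place beside the new "nss-disable-b64_unittest.patch", although the thread says the timeout increase tried in a790f2620 "should probably be reverted". If that patch is the timeout change in question, drop it here or in a follow-up, since the long-running tests it would have covered are now disabled. The comment ";; Create nss.pc and nss-config." also describes only the first of the three patches; a short comment on why the b64 tests are disabled would help the next person touching this list.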
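
Review bot: The header of gnu/packages/patches/nss-disable-b64_unittest.patch says it "disables a test that fails on armhf and ppc32", but the diff renames three tests with the DISABLED_ prefix (LongFakeDecTest1, LongFakeEncDecTest1, LongFakeEncDecTest2), and that prefix turns them off on every architecture, not only the two named. These are the large-length base64 cases (0x66666666, 0x3fffffff, 0x40000000) in the same component whose bug this update is said to fix, so the header should state plainly that all three are skipped everywhere and that this coverage is lost until the upstream fix is released. The header also cites only rev 00b2cc2b33c7, while the thread mentions two upstream commits (802ec96a8dd1 and 00b2cc2b33c7); say whether this file is the second commit alone or a squash of both.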