From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: Re: NSS test failure on armhf
Date: Thu, 20 Apr 2017 17:52:10 -0400
Message-ID: <87bmrq7nn9.fsf@netris.org>
References: <874lxmlodc.fsf@fastmail.com> <20170417215234.GA32573@jasmine>
	<87k26e7wkq.fsf@netris.org> <87bmrqubed.fsf@fastmail.com>
	<878tmuuaox.fsf@fastmail.com> <8760hyu6gd.fsf@fastmail.com>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:39336)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1d1K05-0008AF-Ro
	for guix-devel@gnu.org; Thu, 20 Apr 2017 17:52:30 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1d1K01-0004vx-0a
	for guix-devel@gnu.org; Thu, 20 Apr 2017 17:52:29 -0400
Received: from world.peace.net ([50.252.239.5]:50896)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <mhw@netris.org>) id 1d1K00-0004v9-SX
	for guix-devel@gnu.org; Thu, 20 Apr 2017 17:52:24 -0400
In-Reply-To: <8760hyu6gd.fsf@fastmail.com> (Marius Bakke's message of "Thu, 20
	Apr 2017 23:14:58 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Marius Bakke <mbakke@fastmail.com>
Cc: guix-devel@gnu.org

Marius Bakke <mbakke@fastmail.com> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>>> CVE-2017-5461, a potential remote code execution vulnerability.  3.30.2
>>>> has since been released, so I'm currently testing it and will push an
>>>> update to it soon.  Any issues on armhf will need to be dealt with in
>>>> another way.
>>>
>>> Mark,
>>>
>>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>>> not picked to the 3.30.2 release which only contains certificate
>>> changes[1].
>>>
>>> Squashing these two commits into one should fix the problem (the first
>>> fix was incomplete[2]):
>>>
>>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7

Good find, thank you!  Since seeing the above post, I prepared my own
patches to update NSS to 3.30.2 and disable the long b64 tests.

And now I see you've prepared your own patch that only updates to
3.30.1.  I'm not sure why we would consider rebuilding everything with
3.30.1 when 3.30.2 already exists, even if the only changes are to
certs.

I'll push this batch of patches soon, including fixes to graphite2 and
the icecat update, after a bit more testing.

     Thanks!
       Mark