* [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
From: Mark H Weaver @ 2017-04-20 22:29 UTC
  To: guix-devel



These patches update nss to 3.30.2 and disable long b64 tests which fail
on some systems including armhf.  I'll push them soon after some light
testing.

     Mark




From c1ba9c385a23ede10cb5e79c24f66dbb86c1f6fe Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Thu, 20 Apr 2017 14:55:31 -0400
Subject: [PATCH 1/2] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].

* gnu/packages/gnuzilla.scm (nss): Update to 3.30.2.
---
 gnu/packages/gnuzilla.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 87695329c..59f790a6e 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -194,7 +194,7 @@ in the Mozilla clients.")
 (define-public nss
   (package
     (name "nss")
-    (version "3.30")
+    (version "3.30.2")
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
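Review bot: the subject claims the bump fixes CVE-2017-5461, but neither this hunk nor the commit body says where that comes from; add a pointer to the upstream 3.30.2 release notes or advisory in the commit message so the security rationale for the version change can be checked later without re-deriving it.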
@@ -205,7 +205,7 @@ in the Mozilla clients.")
                       "nss-" version ".tar.gz")))
               (sha256
                (base32
-                "1agkkwb51si4raw46p44vl3d0l7wzvdjcblpcdjjz6aymq6h1h58"))
+                "096frzvyp3z257x84rxknscfgsbavzh2a0gyibx7kvmw4vzpfjhd"))
               ;; Create nss.pc and nss-config.
               (patches (search-patches "nss-pkgconfig.patch"
                                        "nss-increase-test-timeout.patch"))))
-- 
2.12.2



From e07aa7534aa97617ce15fa07c244dc6f901af92f Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Thu, 20 Apr 2017 17:42:52 -0400
Subject: [PATCH 2/2] gnu: nss: Disable long b64 tests.

Suggested by Marius Bakke <mbakke@fastmail.com> in
<https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00440.html>.

* gnu/packages/patches/nss-disable-long-b64-tests.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (nss)[source]: Add patch.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/gnuzilla.scm                          |  1 +
 .../patches/nss-disable-long-b64-tests.patch       | 34 ++++++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 gnu/packages/patches/nss-disable-long-b64-tests.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ec27e8765..ed3683f19 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -814,6 +814,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ngircd-handle-zombies.patch		\
   %D%/packages/patches/ninja-zero-mtime.patch			\
   %D%/packages/patches/node-9077.patch				\
+  %D%/packages/patches/nss-disable-long-b64-tests.patch		\
   %D%/packages/patches/nss-increase-test-timeout.patch		\
   %D%/packages/patches/nss-pkgconfig.patch			\
   %D%/packages/patches/ntfs-3g-CVE-2017-0358.patch		\
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 59f790a6e..fd058d022 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -208,6 +208,7 @@ in the Mozilla clients.")
                 "096frzvyp3z257x84rxknscfgsbavzh2a0gyibx7kvmw4vzpfjhd"))
               ;; Create nss.pc and nss-config.
               (patches (search-patches "nss-pkgconfig.patch"
+                                       "nss-disable-long-b64-tests.patch"
                                        "nss-increase-test-timeout.patch"))))
     (build-system gnu-build-system)
     (outputs '("out" "bin"))
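Review bot: the comment `;; Create nss.pc and nss-config.` above the `patches` list now heads three patches but describes only nss-pkgconfig.patch; move it next to that entry or give the two test-related patches their own one-line comments so the purpose of each is visible without opening the files.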
diff --git a/gnu/packages/patches/nss-disable-long-b64-tests.patch b/gnu/packages/patches/nss-disable-long-b64-tests.patch
new file mode 100644
index 000000000..612d94128
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-long-b64-tests.patch
@@ -0,0 +1,34 @@
+Disable long b64 tests, which consistently fail on armhf.
+This is based on an excerpt of the following upstream patch:
+
+  https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
+
+(we exclude the part of the upstream patch that reverts
+an earlier failed attempt, and adapt the file names)
+
+diff --git a/gtests/util_gtest/util_b64_unittest.cc b/gtests/util_gtest/util_b64_unittest.cc
+--- a/nss/gtests/util_gtest/util_b64_unittest.cc
++++ b/nss/gtests/util_gtest/util_b64_unittest.cc
+@@ -63,17 +63,19 @@ TEST_F(B64EncodeDecodeTest, EncDecTest) 
+ 
+ TEST_F(B64EncodeDecodeTest, FakeDecTest) { EXPECT_TRUE(TestFakeDecode(100)); }
+ 
+ TEST_F(B64EncodeDecodeTest, FakeEncDecTest) {
+   EXPECT_TRUE(TestFakeEncode(100));
+ }
+ 
+ // These takes a while ...
+-TEST_F(B64EncodeDecodeTest, LongFakeDecTest1) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeDecTest1) {
+   EXPECT_TRUE(TestFakeDecode(0x66666666));
+ }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest1) { TestFakeEncode(0x3fffffff); }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest2) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest1) {
++  TestFakeEncode(0x3fffffff);
++}
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest2) {
+   EXPECT_FALSE(TestFakeEncode(0x40000000));
+ }
+ 
+ }  // namespace nss_test
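Review bot: the embedded `diff --git a/gtests/util_gtest/...` line lacks the `nss/` prefix that the `---`/`+++` lines carry; a -p1 apply uses the `---`/`+++` paths so it works, but make the three header lines agree so the patch does not look mismatched to readers or to tools that trust the `diff --git` line. Separately, disabling `LongFakeEncDecTest2` also drops the one negative case visible in this hunk, `EXPECT_FALSE(TestFakeEncode(0x40000000))`, which checks that an oversized input is rejected; if that path returns quickly on armhf it may be worth leaving enabled rather than losing the length-limit regression test along with the slow positive ones.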
-- 
2.12.2



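The hash on the `+` line of the first patch is written in the Nix/Guix base32 alphabet, which is not RFC 4648 base32, so it cannot be compared directly with the hex SHA-256 that upstream publishes or that `sha256sum` prints. The following is an added example, not code from this thread or from Guix, showing how to convert between the two forms and check a downloaded tarball against the value recorded in the package. The `SAMPLE_TARBALL` bytes are constructed for the example; the real nss-3.30.2.tar.gz is not embedded, and the hex value you compare against would come from upstream's published checksum.

```python
import hashlib

# Alphabet used by Nix and Guix for base32 hashes: digits plus the lower-case
# letters except e, o, t and u. It is not the RFC 4648 alphabet, so a
# sha256sum output cannot be compared to a package hash without converting.
NIX_BASE32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"

# The new hash from the patch above, exactly as it appears in gnuzilla.scm.
NEW_NSS_HASH = "096frzvyp3z257x84rxknscfgsbavzh2a0gyibx7kvmw4vzpfjhd"


def nix_base32_encode(data: bytes) -> str:
    """Encode bytes the way `guix hash` / `guix download` print them.

    Five-bit digits are taken from the least significant bit upward and the
    string is written most significant digit first, the reverse of RFC 4648.
    """
    nbytes = len(data)
    ndigits = (nbytes * 8 - 1) // 5 + 1
    digits = []
    for n in range(ndigits - 1, -1, -1):
        bit = n * 5
        i, j = divmod(bit, 8)
        chunk = data[i] >> j
        if i + 1 < nbytes:
            chunk |= data[i + 1] << (8 - j)
        digits.append(NIX_BASE32_ALPHABET[chunk & 0x1F])
    return "".join(digits)


def nix_base32_decode(text: str) -> bytes:
    """Inverse of nix_base32_encode; rejects bad characters and stray bits."""
    ndigits = len(text)
    nbytes = (ndigits * 5) // 8
    out = bytearray(nbytes)
    for n, ch in enumerate(reversed(text)):
        digit = NIX_BASE32_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"not a nix-base32 character: {ch!r}")
        bit = n * 5
        i, j = divmod(bit, 8)
        if i >= nbytes:
            raise ValueError("nix-base32 string too short for its own length")
        out[i] |= (digit << j) & 0xFF
        carry = digit >> (8 - j)
        if i + 1 < nbytes:
            out[i + 1] |= carry
        elif carry:
            raise ValueError("stray high bits: not a canonical nix-base32 hash")
    return bytes(out)


def nix_base32_to_hex(text: str) -> str:
    """Render a package hash in the lower-case hex used by SHA256SUMS files."""
    return nix_base32_decode(text).hex()


def sha256_nix_base32(data: bytes) -> str:
    """SHA-256 of `data` in nix-base32, i.e. what `guix download` would report."""
    return nix_base32_encode(hashlib.sha256(data).digest())


def verify_source(tarball: bytes, expected_nix_hash: str) -> bool:
    """True iff `tarball` hashes to the base32 value recorded in the package."""
    return hashlib.sha256(tarball).digest() == nix_base32_decode(expected_nix_hash)


# Constructed stand-in for a downloaded tarball (assumption: not real NSS data).
SAMPLE_TARBALL = b"constructed sample tarball contents, not nss-3.30.2\n"
SAMPLE_TARBALL_NIX_HASH = sha256_nix_base32(SAMPLE_TARBALL)

if __name__ == "__main__":
    # Compare this hex string with upstream's published SHA-256 for the tarball.
    print("package hash as hex:", nix_base32_to_hex(NEW_NSS_HASH))
    print("sample tarball verifies:",
          verify_source(SAMPLE_TARBALL, SAMPLE_TARBALL_NIX_HASH))
```

The decoder deliberately refuses non-canonical input (bad characters, or set bits beyond the 256th) rather than silently truncating, so a mistyped or padded hash in a package definition fails loudly instead of comparing equal to nothing.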

* Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
From: Mark H Weaver @ 2017-04-21 17:59 UTC
  To: guix-devel

Mark H Weaver <mhw@netris.org> writes:

> These patches update nss to 3.30.2 and disable long b64 tests which fail
> on some systems including armhf.  I'll push them soon after some light
> testing.

Unfortunately, even with "nss-increase-test-timeout.patch" and
"nss-disable-long-b64-tests.patch", the build still failed on armhf:

  https://hydra.gnu.org/build/2010324

It would be good to find a way to fix or work around this issue without
forcing rebuilds on other platforms.  Also, I feel it's important to
always run tests on NSS on all platforms.

      Mark


* Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
From: Marius Bakke @ 2017-04-22  7:40 UTC
  To: Mark H Weaver, guix-devel



Mark H Weaver <mhw@netris.org> writes:

> Mark H Weaver <mhw@netris.org> writes:
>
>> These patches update nss to 3.30.2 and disable long b64 tests which fail
>> on some systems including armhf.  I'll push them soon after some light
>> testing.
>
> Unfortunately, even with "nss-increase-test-timeout.patch" and
> "nss-disable-long-b64-tests.patch", the build still failed on armhf:
>
>   https://hydra.gnu.org/build/2010324
>
> It would be good to find a way to fix or work around this issue without
> forcing rebuilds on other platforms.  Also, I feel it's important to
> always run tests on NSS on all platforms.

Here is the relevant excerpt from the log:

[ RUN      ] SkipVariants/TlsSkipTest.SkipCertificateRsa/0
Version: TLS 1.1
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
Dropping handshake: 11
record old: [531] 020000510302f666481a7e6747c16e682f37345e569db0d06bdb08b5a8894ec8...
record new: [89] 020000510302f666481a7e6747c16e682f37345e569db0d06bdb08b5a8894ec8...
server: Original packet: [536] 1603020213020000510302f666481a7e6747c16e682f37345e569db0d06bdb08...
server: Filtered packet: [94] 1603020059020000510302f666481a7e6747c16e682f37345e569db0d06bdb08...
Alert: [2] 020a
client: Alert sent: level=2 desc=10
client: Handshake failed with error SSL_ERROR_RX_UNEXPECTED_HELLO_DONE: SSL received an unexpected Server Hello Done handshake message.
client: Changing state from CONNECTING to ERROR
tls_connect.cc:238: Failure
Value of: (client_->state() != TlsAgent::STATE_CONNECTING) && (server_->state() != TlsAgent::STATE_CONNECTING)
  Actual: false
Expected: true
tls_connect.cc:374: Failure
Value of: server_->state()
  Actual: CONNECTING
Expected: TlsAgent::STATE_ERROR
Which is: ERROR
[  FAILED  ] SkipVariants/TlsSkipTest.SkipCertificateRsa/0, where GetParam() = ("TLS", 770) (50449 ms)

This looks very similar to the random connect timeouts that prompted the
"increase-test-timeouts" patch, except this time it took 50s instead of
~20s:

https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00412.html

(search for '[  FAILED' in the build logs)

I am 99% sure the attached patch will do the job. What do you think?



From a6876365f2ee9a82452c3f364ee1cd94e44423c2 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 22 Apr 2017 09:25:36 +0200
Subject: [PATCH] gnu: nss: Further increase test timeouts on armhf.

* gnu/packages/gnuzilla.scm (nss)[arguments]<#:phases>: Add a substitution
when target platform is armhf.
---
 gnu/packages/gnuzilla.scm | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index efe63adb4..37c2eb006 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -241,6 +241,16 @@ in the Mozilla clients.")
                   `((setenv "USE_64" "1")))
                  (_
                   '()))
+             ;; The timeout values in "increase-test-timeouts" are still
+             ;; too low, so apply this workaround on armhf for now to avoid
+             ;; rebuilding on all platforms. This should be incorporated in
+             ;; the patch for the next update.
+             ;; https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00472.html
+             ,@(if (string-prefix? "armhf" (or (%current-target-system)
+                                               (%current-system)))
+                   `((substitute* "nss/gtests/ssl_gtest/tls_connect.cc"
+                       (("25000\\);") "60000);")))
+                   '())
              #t))
          (replace 'check
            (lambda _
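Review bot: `substitute*` on the `+` lines does nothing, silently, when the pattern `25000\\);` is not found, so if nss-increase-test-timeout.patch is dropped or the constant changes, armhf would quietly build with the old timeout; make the phase fail when the replacement did not happen (for instance by reading tls_connect.cc back and raising an error if `60000);` is absent) or, as the comment itself proposes, fold the larger value into the patch at the next full rebuild. It is also worth stating in the commit message that keying on `(or (%current-target-system) (%current-system))` makes the armhf derivation differ from every other system by design, since that is what avoids the rebuild elsewhere.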
-- 
2.12.2




* Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
From: Mark H Weaver @ 2017-04-22 19:51 UTC
  To: Marius Bakke; +Cc: guix-devel

Hi Marius,

Marius Bakke <mbakke@fastmail.com> writes:
> Mark H Weaver <mhw@netris.org> writes:
>
>> Unfortunately, even with "nss-increase-test-timeout.patch" and
>> "nss-disable-long-b64-tests.patch", the build still failed on armhf:
>>
>>   https://hydra.gnu.org/build/2010324
>
> This looks very similar to the random connect timeouts that prompted the
> "increase-test-timeouts" patch, except this time it took 50s instead of
> ~20s:

Thanks very much for looking into it.

50 seconds to make a local connection?  Bah, that's ridiculous!  I'm
beginning to wonder if the kernels running on these build slaves have
buggy schedulers resulting in starvation, or perhaps we're overloading
them too much.

> I am 99% sure the attached patch will do the job. What do you think?

If it sometimes takes 50 seconds to make a local connection, then I
suspect it could occasionally take much longer than a minute.

For now, I've asked Hydra to try building it again, as is.

Maybe in 'core-updates' we should consider increasing the timeout to
something on the order of 5 or 10 minutes.

What do you think?

      Mark


* Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
From: Marius Bakke @ 2017-04-23  9:40 UTC
  To: Mark H Weaver; +Cc: guix-devel


Mark H Weaver <mhw@netris.org> writes:

> Hi Marius,
>
> Marius Bakke <mbakke@fastmail.com> writes:
>> Mark H Weaver <mhw@netris.org> writes:
>>
>>> Unfortunately, even with "nss-increase-test-timeout.patch" and
>>> "nss-disable-long-b64-tests.patch", the build still failed on armhf:
>>>
>>>   https://hydra.gnu.org/build/2010324
>>
>> This looks very similar to the random connect timeouts that prompted the
>> "increase-test-timeouts" patch, except this time it took 50s instead of
>> ~20s:
>
> Thanks very much for looking into it.
>
> 50 seconds to make a local connection?  Bah, that's ridiculous!  I'm
> beginning to wonder if the kernels running on these build slaves have
> buggy schedulers resulting in starvation, or perhaps we're overloading
> them too much.

I've wondered about this too. Even x86_64 exceeded the default 5s
timeout once. Maybe they are swapping to a busy I/O device?

>> I am 99% sure the attached patch will do the job. What do you think?
>
> If it sometimes takes 50 seconds to make a local connection, then I
> suspect it could occasionally take much longer than a minute.
>
> For now, I've asked Hydra to try building it again, as is.
>
> Maybe in 'core-updates' we should consider increasing the timeout to
> something on the order of 5 or 10 minutes.

This time a different test timed out at 34s. For now, I pushed the
change for armhf only with timeout set to 5 minutes. Let's see how that
goes.


