NSS test failure on armhf

NSS test failure on armhf

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 699 bytes --]

Hello!

Since version 3.30.1, one test consistently fails on armhf. It is the
same as in this bug report, although we don't see the exception:

https://bugzilla.mozilla.org/show_bug.cgi?id=1351459

I initially thought this was due to stalls in the build process as we've
seen before and tried increasing the timeouts in a790f2620, but that
should probably be reverted.

What should we do? We can either patch out this test, or go back to
3.30. Here are the release notes for 3.30.1:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes

It fixes a non-public bug in the base64 implementation, but introduced a
test failure on at least two arches.

Any preference?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: NSS test failure on armhf

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 991 bytes --]

On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
> Hello!
> 
> Since version 3.30.1, one test consistently fails on armhf. It is the
> same as in this bug report, although we don't see the exception:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
> 
> I initially thought this was due to stalls in the build process as we've
> seen before and tried increasing the timeouts in a790f2620, but that
> should probably be reverted.
> 
> What should we do? We can either patch out this test, or go back to
> 3.30. Here are the release notes for 3.30.1:
> 
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
> 
> It fixes a non-public bug in the base64 implementation, but introduced a
> test failure on at least two arches.
> 
> Any preference?

Since there were no changes to the set of certificates between 3.30 and
3.30.1 [0], I would revert it for now.

[0]
https://wiki.mozilla.org/NSS:Release_Versions

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: NSS test failure on armhf

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1074 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
>> Hello!
>> 
>> Since version 3.30.1, one test consistently fails on armhf. It is the
>> same as in this bug report, although we don't see the exception:
>> 
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
>> 
>> I initially thought this was due to stalls in the build process as we've
>> seen before and tried increasing the timeouts in a790f2620, but that
>> should probably be reverted.
>> 
>> What should we do? We can either patch out this test, or go back to
>> 3.30. Here are the release notes for 3.30.1:
>> 
>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
>> 
>> It fixes a non-public bug in the base64 implementation, but introduced a
>> test failure on at least two arches.
>> 
>> Any preference?
>
> Since there were no changes to the set of certificates between 3.30 and
> 3.30.1 [0], I would revert it for now.

I reverted it. Luckily Hydra still has substitutes for 3.30 :)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: NSS test failure on armhf

[Mark H Weaver]

Leo Famulari <leo@famulari.name> writes:

> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
>> Hello!
>> 
>> Since version 3.30.1, one test consistently fails on armhf. It is the
>> same as in this bug report, although we don't see the exception:
>> 
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
>> 
>> I initially thought this was due to stalls in the build process as we've
>> seen before and tried increasing the timeouts in a790f2620, but that
>> should probably be reverted.
>> 
>> What should we do? We can either patch out this test, or go back to
>> 3.30. Here are the release notes for 3.30.1:
>> 
>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
>> 
>> It fixes a non-public bug in the base64 implementation, but introduced a
>> test failure on at least two arches.
>> 
>> Any preference?
>
> Since there were no changes to the set of certificates between 3.30 and
> 3.30.1 [0], I would revert it for now.

It turns out that the bug fix in 3.30.1 is critical: it fixes
CVE-2017-5461, a potential remote code execution vulnerability.  3.30.2
has since been released, so I'm currently testing it and will push an
update to it soon.  Any issues on armhf will need to be dealt with in
another way.

      Mark

Re: NSS test failure on armhf

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 380 bytes --]

On Thu, Apr 20, 2017 at 02:39:17PM -0400, Mark H Weaver wrote:
> It turns out that the bug fix in 3.30.1 is critical: it fixes
> CVE-2017-5461, a potential remote code execution vulnerability.  3.30.2
> has since been released, so I'm currently testing it and will push an
> update to it soon.  Any issues on armhf will need to be dealt with in
> another way.

Yikes, good catch!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: NSS test failure on armhf

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1974 bytes --]

Mark H Weaver <mhw@netris.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
>>> Hello!
>>> 
>>> Since version 3.30.1, one test consistently fails on armhf. It is the
>>> same as in this bug report, although we don't see the exception:
>>> 
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
>>> 
>>> I initially thought this was due to stalls in the build process as we've
>>> seen before and tried increasing the timeouts in a790f2620, but that
>>> should probably be reverted.
>>> 
>>> What should we do? We can either patch out this test, or go back to
>>> 3.30. Here are the release notes for 3.30.1:
>>> 
>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
>>> 
>>> It fixes a non-public bug in the base64 implementation, but introduced a
>>> test failure on at least two arches.
>>> 
>>> Any preference?
>>
>> Since there were no changes to the set of certificates between 3.30 and
>> 3.30.1 [0], I would revert it for now.
>
> It turns out that the bug fix in 3.30.1 is critical: it fixes
> CVE-2017-5461, a potential remote code execution vulnerability.  3.30.2
> has since been released, so I'm currently testing it and will push an
> update to it soon.  Any issues on armhf will need to be dealt with in
> another way.

Mark,

I checked this. The upstream 3.30 branch[0] contains a fix, but it was
not picked to the 3.30.2 release which only contains certificate
changes[1].

Squashing these two commits into one should fix the problem (the first
fix was incomplete[2]):

https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7

[0] https://hg.mozilla.org/projects/nss/shortlog/NSS_3_30_BRANCH
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.2_release_notes
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1351459#c6

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: NSS test failure on armhf

[Marius Bakke]

[-- Attachment #1.1: Type: text/plain, Size: 2018 bytes --]

Marius Bakke <mbakke@fastmail.com> writes:

> Mark H Weaver <mhw@netris.org> writes:
>
>> Leo Famulari <leo@famulari.name> writes:
>>
>>> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote:
>>>> Hello!
>>>> 
>>>> Since version 3.30.1, one test consistently fails on armhf. It is the
>>>> same as in this bug report, although we don't see the exception:
>>>> 
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
>>>> 
>>>> I initially thought this was due to stalls in the build process as we've
>>>> seen before and tried increasing the timeouts in a790f2620, but that
>>>> should probably be reverted.
>>>> 
>>>> What should we do? We can either patch out this test, or go back to
>>>> 3.30. Here are the release notes for 3.30.1:
>>>> 
>>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes
>>>> 
>>>> It fixes a non-public bug in the base64 implementation, but introduced a
>>>> test failure on at least two arches.
>>>> 
>>>> Any preference?
>>>
>>> Since there were no changes to the set of certificates between 3.30 and
>>> 3.30.1 [0], I would revert it for now.
>>
>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>> CVE-2017-5461, a potential remote code execution vulnerability.  3.30.2
>> has since been released, so I'm currently testing it and will push an
>> update to it soon.  Any issues on armhf will need to be dealt with in
>> another way.
>
> Mark,
>
> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
> not picked to the 3.30.2 release which only contains certificate
> changes[1].
>
> Squashing these two commits into one should fix the problem (the first
> fix was incomplete[2]):
>
> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7

Here is a patch that updates to 3.30.1 and disables the b64 test.

I'm building it on x86_64 now, but think it should be safe to push.

What do you think?


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-gnu-nss-Update-to-3.30.1-and-disable-failing-test-fi.patch --]
[-- Type: text/x-patch, Size: 3937 bytes --]

From 7f1a8eda567edb851e0f2cd1f08c6ac07e8a45cd Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Thu, 20 Apr 2017 21:36:21 +0200
Subject: [PATCH] gnu: nss: Update to 3.30.1 and disable failing test [fixes
 CVE-2017-5461].

* gnu/packages/patches/nss-disable-b64_unittest.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (nss): Update to 3.30.1.
[source]: Use it.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/gnuzilla.scm                          |  5 +--
 .../patches/nss-disable-b64_unittest.patch         | 40 ++++++++++++++++++++++
 3 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/nss-disable-b64_unittest.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index f38126251..d17f139a5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -803,6 +803,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ngircd-handle-zombies.patch		\
   %D%/packages/patches/ninja-zero-mtime.patch			\
   %D%/packages/patches/node-9077.patch				\
+  %D%/packages/patches/nss-disable-b64_unittest.patch		\
   %D%/packages/patches/nss-increase-test-timeout.patch		\
   %D%/packages/patches/nss-pkgconfig.patch			\
   %D%/packages/patches/ntfs-3g-CVE-2017-0358.patch		\
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 87695329c..21902b427 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -194,7 +194,7 @@ in the Mozilla clients.")
 (define-public nss
   (package
     (name "nss")
-    (version "3.30")
+    (version "3.30.1")
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
@@ -205,9 +205,10 @@ in the Mozilla clients.")
                       "nss-" version ".tar.gz")))
               (sha256
                (base32
-                "1agkkwb51si4raw46p44vl3d0l7wzvdjcblpcdjjz6aymq6h1h58"))
+                "1djypq081m22iw0wg0q7gnpndam5f8qjhqfd5v9by4c6l6lp78hz"))
               ;; Create nss.pc and nss-config.
               (patches (search-patches "nss-pkgconfig.patch"
+                                       "nss-disable-b64_unittest.patch"
                                        "nss-increase-test-timeout.patch"))))
     (build-system gnu-build-system)
     (outputs '("out" "bin"))
diff --git a/gnu/packages/patches/nss-disable-b64_unittest.patch b/gnu/packages/patches/nss-disable-b64_unittest.patch
new file mode 100644
index 000000000..8d2f1deb7
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-b64_unittest.patch
@@ -0,0 +1,40 @@
+This disables a test that fails on armhf and ppc32.
+
+Upstream bug URL:
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1351459
+
+Patch copied from upstream source repository:
+
+https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
+
+diff --git a/nss/gtests/util_gtest/util_b64_unittest.cc b/nss/gtests/util_gtest/util_b64_unittest.cc
+--- a/nss/gtests/util_gtest/util_b64_unittest.cc
++++ b/nss/gtests/util_gtest/util_b64_unittest.cc
+@@ -63,17 +63,19 @@ TEST_F(B64EncodeDecodeTest, EncDecTest) 
+ 
+ TEST_F(B64EncodeDecodeTest, FakeDecTest) { EXPECT_TRUE(TestFakeDecode(100)); }
+ 
+ TEST_F(B64EncodeDecodeTest, FakeEncDecTest) {
+   EXPECT_TRUE(TestFakeEncode(100));
+ }
+ 
+ // These takes a while ...
+-TEST_F(B64EncodeDecodeTest, LongFakeDecTest1) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeDecTest1) {
+   EXPECT_TRUE(TestFakeDecode(0x66666666));
+ }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest1) { TestFakeEncode(0x3fffffff); }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest2) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest1) {
++  TestFakeEncode(0x3fffffff);
++}
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest2) {
+   EXPECT_FALSE(TestFakeEncode(0x40000000));
+ }
+ 
+ }  // namespace nss_test
+
+
+
+
-- 
2.12.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: NSS test failure on armhf

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1658 bytes --]

Marius Bakke <mbakke@fastmail.com> writes:

>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>> CVE-2017-5461, a potential remote code execution vulnerability.  3.30.2
>>> has since been released, so I'm currently testing it and will push an
>>> update to it soon.  Any issues on armhf will need to be dealt with in
>>> another way.
>>
>> Mark,
>>
>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>> not picked to the 3.30.2 release which only contains certificate
>> changes[1].
>>
>> Squashing these two commits into one should fix the problem (the first
>> fix was incomplete[2]):
>>
>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
>
> Here is a patch that updates to 3.30.1 and disables the b64 test.
>
> I'm building it on x86_64 now, but think it should be safe to push.
>
> What do you think?
>
> From 7f1a8eda567edb851e0f2cd1f08c6ac07e8a45cd Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Thu, 20 Apr 2017 21:36:21 +0200
> Subject: [PATCH] gnu: nss: Update to 3.30.1 [fixes CVE-2017-5461].
>
> * gnu/packages/patches/nss-disable-b64_unittest.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/gnuzilla.scm (nss): Update to 3.30.1.
> [source]: Use it.

This built successfully on x86_64. Here's an excerpt from the log:

'B64EncodeDecodeTest: DISABLED_LongFakeDecTest1' SKIPPED
'B64EncodeDecodeTest: DISABLED_LongFakeEncDecTest1' SKIPPED
'B64EncodeDecodeTest: DISABLED_LongFakeEncDecTest2' SKIPPED

Are you currently building a version of this patch on armhf? If not I'd
like to push it.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: NSS test failure on armhf

[Mark H Weaver]

Marius Bakke <mbakke@fastmail.com> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>>> CVE-2017-5461, a potential remote code execution vulnerability.  3.30.2
>>>> has since been released, so I'm currently testing it and will push an
>>>> update to it soon.  Any issues on armhf will need to be dealt with in
>>>> another way.
>>>
>>> Mark,
>>>
>>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>>> not picked to the 3.30.2 release which only contains certificate
>>> changes[1].
>>>
>>> Squashing these two commits into one should fix the problem (the first
>>> fix was incomplete[2]):
>>>
>>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7

Good find, thank you!  Since seeing the above post, I prepared my own
patches to update NSS to 3.30.2 and disable the long b64 tests.

And now I see you've prepared your own patch that only updates to
3.30.1.  I'm not sure why we would consider rebuilding everything with
3.30.1 when 3.30.2 already exists, even if the only changes are to
certs.

I'll push this batch of patches soon, including fixes to graphite2 and
the icecat update, after a bit more testing.

     Thanks!
       Mark

Re: NSS test failure on armhf

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 1816 bytes --]

Mark H Weaver <mhw@netris.org> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Marius Bakke <mbakke@fastmail.com> writes:
>>
>>>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>>>> CVE-2017-5461, a potential remote code execution vulnerability.  3.30.2
>>>>> has since been released, so I'm currently testing it and will push an
>>>>> update to it soon.  Any issues on armhf will need to be dealt with in
>>>>> another way.
>>>>
>>>> Mark,
>>>>
>>>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>>>> not picked to the 3.30.2 release which only contains certificate
>>>> changes[1].
>>>>
>>>> Squashing these two commits into one should fix the problem (the first
>>>> fix was incomplete[2]):
>>>>
>>>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>>>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
>
> Good find, thank you!  Since seeing the above post, I prepared my own
> patches to update NSS to 3.30.2 and disable the long b64 tests.
>
> And now I see you've prepared your own patch that only updates to
> 3.30.1.  I'm not sure why we would consider rebuilding everything with
> 3.30.1 when 3.30.2 already exists, even if the only changes are to
> certs.
>
> I'll push this batch of patches soon, including fixes to graphite2 and
> the icecat update, after a bit more testing.

Great, thanks! I could not find any compelling reason to use the 3.30.2
tarball (other than disk space on builders), and found the version
"mismatch" with between 'nss-certs' and 'nss' more distinctive.

However, after diffing 3.30.1 and 3.30.2, it seems certificate changes
also bump the library version:

https://hg.mozilla.org/projects/nss/diff/dc97a4930479/lib/ckfw/builtins/nssckbi.h

So I guess we should keep updating these together to the extent possible.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]