Marius Bakke <mba...@fastmail.com> writes: > Mark H Weaver <m...@netris.org> writes: > >> Leo Famulari <l...@famulari.name> writes: >> >>> On Mon, Apr 17, 2017 at 11:23:43PM +0200, Marius Bakke wrote: >>>> Hello! >>>> >>>> Since version 3.30.1, one test consistently fails on armhf. It is the >>>> same as in this bug report, although we don't see the exception: >>>> >>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1351459 >>>> >>>> I initially thought this was due to stalls in the build process as we've >>>> seen before and tried increasing the timeouts in a790f2620, but that >>>> should probably be reverted. >>>> >>>> What should we do? We can either patch out this test, or go back to >>>> 3.30. Here are the release notes for 3.30.1: >>>> >>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.30.1_release_notes >>>> >>>> It fixes a non-public bug in the base64 implementation, but introduced a >>>> test failure on at least two arches. >>>> >>>> Any preference? >>> >>> Since there were no changes to the set of certificates between 3.30 and >>> 3.30.1 [0], I would revert it for now. >> >> It turns out that the bug fix in 3.30.1 is critical: it fixes >> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2 >> has since been released, so I'm currently testing it and will push an >> update to it soon. Any issues on armhf will need to be dealt with in >> another way. > > Mark, > > I checked this. The upstream 3.30 branch[0] contains a fix, but it was > not picked to the 3.30.2 release which only contains certificate > changes[1]. > > Squashing these two commits into one should fix the problem (the first > fix was incomplete[2]): > > https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1 > https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
Here is a patch that updates to 3.30.1 and disables the b64 test. I'm building it on x86_64 now, but think it should be safe to push. What do you think?
From 7f1a8eda567edb851e0f2cd1f08c6ac07e8a45cd Mon Sep 17 00:00:00 2001 From: Marius Bakke <mba...@fastmail.com> Date: Thu, 20 Apr 2017 21:36:21 +0200 Subject: [PATCH] gnu: nss: Update to 3.30.1 and disable failing test [fixes CVE-2017-5461]. * gnu/packages/patches/nss-disable-b64_unittest.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gnuzilla.scm (nss): Update to 3.30.1. [source]: Use it. --- gnu/local.mk | 1 + gnu/packages/gnuzilla.scm | 5 +-- .../patches/nss-disable-b64_unittest.patch | 40 ++++++++++++++++++++++ 3 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/nss-disable-b64_unittest.patch diff --git a/gnu/local.mk b/gnu/local.mk index f38126251..d17f139a5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -803,6 +803,7 @@ dist_patch_DATA = \ %D%/packages/patches/ngircd-handle-zombies.patch \ %D%/packages/patches/ninja-zero-mtime.patch \ %D%/packages/patches/node-9077.patch \ + %D%/packages/patches/nss-disable-b64_unittest.patch \ %D%/packages/patches/nss-increase-test-timeout.patch \ %D%/packages/patches/nss-pkgconfig.patch \ %D%/packages/patches/ntfs-3g-CVE-2017-0358.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 87695329c..21902b427 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -194,7 +194,7 @@ in the Mozilla clients.") (define-public nss (package (name "nss") - (version "3.30") + (version "3.30.1") (source (origin (method url-fetch) (uri (let ((version-with-underscores @@ -205,9 +205,10 @@ in the Mozilla clients.") "nss-" version ".tar.gz"))) (sha256 (base32 - "1agkkwb51si4raw46p44vl3d0l7wzvdjcblpcdjjz6aymq6h1h58")) + "1djypq081m22iw0wg0q7gnpndam5f8qjhqfd5v9by4c6l6lp78hz")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-pkgconfig.patch" + "nss-disable-b64_unittest.patch" "nss-increase-test-timeout.patch")))) (build-system gnu-build-system) (outputs '("out" "bin")) diff --git a/gnu/packages/patches/nss-disable-b64_unittest.patch b/gnu/packages/patches/nss-disable-b64_unittest.patch new file mode 100644 index 000000000..8d2f1deb7 --- /dev/null +++ b/gnu/packages/patches/nss-disable-b64_unittest.patch @@ -0,0 +1,40 @@ +This disables a test that fails on armhf and ppc32. + +Upstream bug URL: + +https://bugzilla.mozilla.org/show_bug.cgi?id=1351459 + +Patch copied from upstream source repository: + +https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7 + +diff --git a/nss/gtests/util_gtest/util_b64_unittest.cc b/nss/gtests/util_gtest/util_b64_unittest.cc +--- a/nss/gtests/util_gtest/util_b64_unittest.cc ++++ b/nss/gtests/util_gtest/util_b64_unittest.cc +@@ -63,17 +63,19 @@ TEST_F(B64EncodeDecodeTest, EncDecTest) + + TEST_F(B64EncodeDecodeTest, FakeDecTest) { EXPECT_TRUE(TestFakeDecode(100)); } + + TEST_F(B64EncodeDecodeTest, FakeEncDecTest) { + EXPECT_TRUE(TestFakeEncode(100)); + } + + // These takes a while ... +-TEST_F(B64EncodeDecodeTest, LongFakeDecTest1) { ++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeDecTest1) { + EXPECT_TRUE(TestFakeDecode(0x66666666)); + } +-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest1) { TestFakeEncode(0x3fffffff); } +-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest2) { ++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest1) { ++ TestFakeEncode(0x3fffffff); ++} ++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest2) { + EXPECT_FALSE(TestFakeEncode(0x40000000)); + } + + } // namespace nss_test + + + + -- 2.12.2
signature.asc
Description: PGP signature