** Description changed:

  [IMPACT]
- nss is not a FIPS certified library. On a machine running FIPS enabled 
kernel, the library by default goes into FIPS mode if 
/proc/sys/crypto/fips_enabled=1. This is an untested configuration and since 
libnss3 is not a certified library we propose disabling reading the 
'fips_enabled' flag and therefore switching the library automatically into FIPS 
mode. A FIPS customer reported firefox crash on a FIPS enabled system and 
strace showed it was repeatedly trying to read the fips_enabled flag from 
libnss3 before crashing.
+ nss is not a FIPS certified library. On a machine running FIPS enabled 
kernel, the library by default goes into FIPS mode if 
/proc/sys/crypto/fips_enabled=1. This is an untested configuration and since 
libnss3 is not a certified library we propose disabling reading the 
'fips_enabled' flag and therefore switching the library automatically into FIPS 
mode. 
  
  The proposed patch disables reading the /proc/sys/crypto/fips_enabled
  flag. The users of the library however can force nss into FIPS mode via
  an environment variable. We plan to leave it as is so as not to regress
  existing users who may be using it.
  
  The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
  
  lsb_release -rd
  Description:  Ubuntu Eoan Ermine (development branch)
  Release: 19.10
  
  Version: 2:3.45-1ubuntu1
  
  lsb_release -rd
  Description: Ubuntu Disco Dingo
  Release: 19.04
  
  Version: 2:3.42-1ubuntu2
  
  lsb_release -rd
  Description:  Ubuntu Bionic Beaver
  Release:      18.04
  
  Version: 2:3.35-2ubuntu2.3
  
  lsb_release -rd
  Description:  Ubuntu 16.04.3 LTS
  Release:      16.04
  
  Version: 2:3.28.4-0ubuntu0.16.04
  
  [FIX]
  This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We 
only want fips certified modules reading this file and running in fips mode. 
libnss3 is not one of our fips certified modules, so should not be reading this 
along with our fips certified modules to determine whether to run in fips mode.
  
  Users who do want to run the library in FIPS mode can do so by using the
  environment variable "NSS_FIPS". We propose to leave it as is so as not
  to regress anyone using this. The user who is using this option should
  be doing so with the awareness.
  
  [TEST]
  Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in 
FIPS mode. With the patch fix no crashes were observed when launching firefox 
browser.
  Without the patch fix, firefox crashes.
  
  Tested on a xenial and bionic desktop ISO running non-FIPS generic
  kernel. With the patch fix, firefox worked as expected and no changes
  were observed.
  
  [REGRESSION POTENTIAL]
  The regression potential for this is small. A FIPS kernel is required to
  create /proc/sys/crypto/fips_enabled and it is not available in standard 
ubuntu archive. For users forcing FIPS through environment variable, nothing 
has changed.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1837734

Title:
  libnss3 reads fips_enabled flag and automatically switches to FIPS
  mode

Status in nss package in Ubuntu:
  Fix Released
Status in nss source package in Xenial:
  Fix Committed
Status in nss source package in Bionic:
  Fix Committed
Status in nss source package in Disco:
  Fix Committed
Status in nss source package in Eoan:
  Fix Released

Bug description:
  [IMPACT]
  nss is not a FIPS certified library. On a machine running FIPS enabled 
kernel, the library by default goes into FIPS mode if 
/proc/sys/crypto/fips_enabled=1. This is an untested configuration and since 
libnss3 is not a certified library we propose disabling reading the 
'fips_enabled' flag and therefore switching the library automatically into FIPS 
mode. 

  The proposed patch disables reading the /proc/sys/crypto/fips_enabled
  flag. The users of the library however can force nss into FIPS mode
  via an environment variable. We plan to leave it as is so as not to
  regress existing users who may be using it.

  The issue impacts libnss3 versions in eoan, disco, bionic and xenial.

  lsb_release -rd
  Description:  Ubuntu Eoan Ermine (development branch)
  Release: 19.10

  Version: 2:3.45-1ubuntu1

  lsb_release -rd
  Description: Ubuntu Disco Dingo
  Release: 19.04

  Version: 2:3.42-1ubuntu2

  lsb_release -rd
  Description:  Ubuntu Bionic Beaver
  Release:      18.04

  Version: 2:3.35-2ubuntu2.3

  lsb_release -rd
  Description:  Ubuntu 16.04.3 LTS
  Release:      16.04

  Version: 2:3.28.4-0ubuntu0.16.04

  [FIX]
  This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We 
only want fips certified modules reading this file and running in fips mode. 
libnss3 is not one of our fips certified modules, so should not be reading this 
along with our fips certified modules to determine whether to run in fips mode.

  Users who do want to run the library in FIPS mode can do so by using
  the environment variable "NSS_FIPS". We propose to leave it as is so
  as not to regress anyone using this. The user who is using this option
  should be doing so with the awareness.

  [TEST]
  Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in 
FIPS mode. With the patch fix no crashes were observed when launching firefox 
browser.
  Without the patch fix, firefox crashes.

  Tested on a xenial and bionic desktop ISO running non-FIPS generic
  kernel. With the patch fix, firefox worked as expected and no changes
  were observed.

  [REGRESSION POTENTIAL]
  The regression potential for this is small. A FIPS kernel is required to
  create /proc/sys/crypto/fips_enabled and it is not available in standard 
ubuntu archive. For users forcing FIPS through environment variable, nothing 
has changed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to