Report forwarded to debian-bugs-dist@lists.debian.org, sramacher@debian.org, c.schoenert@t-online.de, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#990058; Package libnss3. (Fri, 18 Jun 2021 21:18:06 GMT)
Acknowledgement sent to Kevin Locke <kevin@kevinlocke.name>: New Bug report received and forwarded. Copy sent to sramacher@debian.org, c.schoenert@t-online.de, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>. (Fri, 18 Jun 2021 21:18:06 GMT)
Package: libnss3
Version: 2:3.67-1
Severity: serious
Tags: patch
Justification: Policy 8.6.3.3
X-Debbugs-Cc: Sebastian Ramacher <sramacher@debian.org>, Carsten Schoenert <c.schoenert@t-online.de>
Dear Maintainer,
Thunderbird 1:78.11.0-1 in testing is unable to establish some (all?)
TLS connections when run with libnss3 2:3.61-1, because it was built
with libnss3-dev 2:3.66-1. The issue occurs because the size of
SSLChannelInfo increased between NSS 3.61 and 3.66 (due to the addition
of PRBool isFIPS). SSL_GetChannelInfo takes both a pointer to and size
of SSLChannelInfo as arguments. If the size is greater than the size it
expects, it returns SECFailure, causing the connection to fail. See
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989839#48 for details.
The issue is being discussed on debian-release, where Sebastian Ramacher
pointed out that the libnss3 symbol file should bump the minimum version
requirement for all symbols that work with SSLChannelInfo.[1] I agree.
As far as I can tell, SSL_GetChannelInfo is the only such symbol. I
believe it should be bumped to 2:3.66 for package 2:3.67 and bumped in
future versions whenever the size of SSLChannelInfo changes. I've
attached a patch to do so.
Thanks for considering,
Kevin
[1]: https://lists.debian.org/debian-release/2021/06/msg00597.html
-- System Information:
Debian Release: 11.0
APT prefers testing-debug
APT policy: (990, 'testing-debug'), (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-security'), (500, 'stable-debug'), (500, 'unstable'), (500, 'oldstable'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.13.0-rc6 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libnss3 depends on:
ii libc6 2.31-12
ii libnspr4 2:4.29-1
ii libsqlite3-0 3.34.1-3
libnss3 recommends no packages.
libnss3 suggests no packages.
-- no debconf information
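The failure mode described in the report (a caller hands SSL_GetChannelInfo a pointer plus sizeof() of the struct it was compiled against, and the older library rejects a size larger than its own) is easiest to see in a small model. The following is an added example, not code from NSS, Thunderbird or this bug report: InfoV1/InfoV2, get_info_strict, get_info_compat, the field values and the TLS constants are all constructed for the illustration. get_info_strict reproduces the rejecting behaviour the report attributes to SSL_GetChannelInfo; get_info_compat shows the alternative of copying what the library knows and zero-filling the caller's extra space.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not NSS code: a model of the size-tagged info-struct
 * convention SSL_GetChannelInfo uses. The caller passes sizeof() of the
 * struct it was compiled against, so the library can tell which layout
 * the caller expects. All names here are hypothetical. */

enum { SEC_OK = 0, SEC_FAIL = -1 };

/* Layout known to the older library build (stands in for NSS < 3.66). */
typedef struct {
    uint32_t length;          /* bytes the library actually filled */
    uint32_t protocolVersion;
    uint16_t cipherSuite;
} InfoV1;

/* Layout in the newer header (stands in for NSS >= 3.66): one field
 * appended, so sizeof(InfoV2) > sizeof(InfoV1). */
typedef struct {
    uint32_t length;
    uint32_t protocolVersion;
    uint16_t cipherSuite;
    int      isFIPS;          /* the appended field */
} InfoV2;

/* Strict library: rejects any len larger than the struct it knows.
 * This is the report's failure mode: a binary built against the newer
 * header passes sizeof(InfoV2), gets SEC_FAIL, and gives up on the
 * connection. */
int get_info_strict(void *out, size_t len)
{
    InfoV1 inf;
    if (len > sizeof inf)
        return SEC_FAIL;
    memset(&inf, 0, sizeof inf);
    inf.length          = (uint32_t)len;
    inf.protocolVersion = 0x0304;   /* constructed sample: TLS 1.3 */
    inf.cipherSuite     = 0x1301;   /* constructed sample: TLS_AES_128_GCM_SHA256 */
    memcpy(out, &inf, len);
    return SEC_OK;
}

/* Forward-compatible library: copies min(len, sizeof) bytes, zeroes the
 * caller's extra space, and records the filled size in .length so the
 * caller can tell that newer fields were not populated. */
int get_info_compat(void *out, size_t len)
{
    InfoV1 inf;
    size_t n = len < sizeof inf ? len : sizeof inf;
    if (len < sizeof(uint32_t))     /* need room for .length at least */
        return SEC_FAIL;
    memset(&inf, 0, sizeof inf);
    inf.length          = (uint32_t)n;
    inf.protocolVersion = 0x0304;
    inf.cipherSuite     = 0x1301;
    memset(out, 0, len);            /* isFIPS etc. read as 0 / false */
    memcpy(out, &inf, n);
    return SEC_OK;
}

/* What each kind of caller observes. */
int old_caller_strict(void) { InfoV1 i; return get_info_strict(&i, sizeof i); }
int new_caller_strict(void) { InfoV2 i; return get_info_strict(&i, sizeof i); }
int new_caller_compat(void) { InfoV2 i; return get_info_compat(&i, sizeof i); }

/* Bytes the compat library reports as filled for a new-layout caller. */
size_t new_caller_compat_filled(void)
{
    InfoV2 i;
    if (get_info_compat(&i, sizeof i) != SEC_OK)
        return 0;
    return i.length;
}

/* A new-layout caller may only trust isFIPS if .length covers it. */
int new_caller_compat_can_trust_isfips(void)
{
    InfoV2 i;
    if (get_info_compat(&i, sizeof i) != SEC_OK)
        return 0;
    return i.length >= offsetof(InfoV2, isFIPS) + sizeof i.isFIPS;
}

int main(void)
{
    printf("old caller, strict lib: %d\n", old_caller_strict());
    printf("new caller, strict lib: %d\n", new_caller_strict());
    printf("new caller, compat lib: %d (filled %zu of %zu bytes, isFIPS trustworthy: %d)\n",
           new_caller_compat(), new_caller_compat_filled(), sizeof(InfoV2),
           new_caller_compat_can_trust_isfips());
    return 0;
}
```

The strict check is what makes the symbols-file bump necessary: the generated dependency has to guarantee that the runtime library's sizeof(SSLChannelInfo) is at least the one the binary was compiled with. A compat-style library would survive the mismatch, but its callers would then have to consult .length before reading any field added after the oldest version they might run against.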
Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#990058; Package libnss3. (Sun, 04 Jul 2021 23:21:05 GMT)
Acknowledgement sent to Mike Hommey <mh@glandium.org>: Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>. (Sun, 04 Jul 2021 23:21:05 GMT)
To: Kevin Locke <kevin@kevinlocke.name>, 990058@bugs.debian.org
Subject: Re: Bug#990058: libnss3: increase symbol version for SSL_GetChannelInfo when SSLChannelInfo size changes
Date: Mon, 5 Jul 2021 08:19:38 +0900
severity 990058 normal
thanks
With #990059 addressed in 2:3.67-2, this can be downgraded to normal.
The problem also exists with other functions, which is why I'll keep
this open for a more complete and long-term solution.
Mike
On Fri, Jun 18, 2021 at 03:09:36PM -0600, Kevin Locke wrote:
> Package: libnss3
> Version: 2:3.67-1
> Severity: serious
> Tags: patch
> Justification: Policy 8.6.3.3
> X-Debbugs-Cc: Sebastian Ramacher <sramacher@debian.org>, Carsten Schoenert <c.schoenert@t-online.de>
>
> Dear Maintainer,
>
> Thunderbird 1:78.11.0-1 in testing is unable to establish some (all?)
> TLS connections when run with libnss3 2:3.61-1, because it was built
> with libnss3-dev 2:3.66-1. The issue occurs because the size of
> SSLChannelInfo increased between NSS 3.61 and 3.66 (due to the addition
> of PRBool isFIPS). SSL_GetChannelInfo takes both a pointer to and size
> of SSLChannelInfo as arguments. If the size is greater than the size it
> expects, it returns SECFailure, causing the connection to fail. See
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989839#48 for details.
>
> The issue is being discussed on debian-release, where Sebastian Ramacher
> pointed out that the libnss3 symbol file should bump the minimum version
> requirement for all symbols that work with SSLChannelInfo.[1] I agree.
> As far as I can tell, SSL_GetChannelInfo is the only such symbol. I
> believe it should be bumped to 2:3.66 for package 2:3.67 and bumped in
> future versions whenever the size of SSLChannelInfo changes. I've
> attached a patch to do so.
>
> Thanks for considering,
> Kevin
>
> [1]: https://lists.debian.org/debian-release/2021/06/msg00597.html
>
> -- System Information:
> Debian Release: 11.0
> APT prefers testing-debug
> APT policy: (990, 'testing-debug'), (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-security'), (500, 'stable-debug'), (500, 'unstable'), (500, 'oldstable'), (101, 'experimental'), (1, 'experimental-debug')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.13.0-rc6 (SMP w/4 CPU threads)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libnss3 depends on:
> ii libc6 2.31-12
> ii libnspr4 2:4.29-1
> ii libsqlite3-0 3.34.1-3
>
> libnss3 recommends no packages.
>
> libnss3 suggests no packages.
>
> -- no debconf information
> From eaffc616b99dd2be285ade5df072cfa1e30924fe Mon Sep 17 00:00:00 2001
> Message-Id: <eaffc616b99dd2be285ade5df072cfa1e30924fe.1624049387.git.kevin@kevinlocke.name>
> From: Kevin Locke <kevin@kevinlocke.name>
> Date: Fri, 18 Jun 2021 14:41:27 -0600
> Subject: [PATCH] libnss3.symbols: bump SSL_GetChannelInfo to 2:3.66
>
> PRBool isFIPS was added to SSLChannelInfo in NSS 3.66, causing its size
> to increase. Since SSL_GetChannelInfo is called with
> sizeof(SSLChannelInfo) and returns SECFailure when called with a larger
> size than it expects, it creates a version incompatibility where
> programs compiled with NSS >= 3.66 do not function correctly when
> loaded with NSS < 3.66, as in #989839 for thunderbird.
>
> To avoid breakage, bump the version of SSL_GetChannelInfo, as suggested
> by Sebastian Ramacher in
> https://lists.debian.org/debian-release/2021/06/msg00597.html
>
> Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
> ---
> debian/libnss3.symbols | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian/libnss3.symbols b/debian/libnss3.symbols
> index 5213379c..2bb7294a 100644
> --- a/debian/libnss3.symbols
> +++ b/debian/libnss3.symbols
> @@ -154,5 +154,5 @@ libssl3.so libnss3 #MINVER#
> (symver)NSS_3.4 2:3.13.4-2~
> (symver)NSS_3.7.4 2:3.13.4-2~
> SSL_GetCipherSuiteInfo@NSS_3.4 2:3.44.0
> - SSL_GetChannelInfo@NSS_3.4 2:3.34
> + SSL_GetChannelInfo@NSS_3.4 2:3.66
> SSL_GetPreliminaryChannelInfo@NSS_3.21 2:3.44.0
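Review bot: the new value `SSL_GetChannelInfo@NSS_3.4 2:3.66` encodes a rule (re-bump whenever SSLChannelInfo grows) that nothing in the file records, so the next time a field is appended upstream the same build-against-newer/run-against-older mismatch will come back silently; add a comment above that entry saying the version is pinned above the symbol's introduction version because callers pass sizeof(SSLChannelInfo), and that it must be raised again whenever that size changes. The cover letter says SSL_GetChannelInfo is the only such symbol "as far as I can tell"; it is worth confirming that the neighbouring `SSL_GetCipherSuiteInfo@NSS_3.4 2:3.44.0` and `SSL_GetPreliminaryChannelInfo@NSS_3.21 2:3.44.0` entries, which follow the same info-struct-plus-size calling pattern, do not need the same treatment before this is applied.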
> --
> 2.30.2
>
Severity set to 'normal' from 'serious'. Request was from Mike Hommey <mh@glandium.org> to control@bugs.debian.org. (Sun, 04 Jul 2021 23:21:06 GMT)
Reply sent to Mike Hommey <glandium@debian.org>: You have taken responsibility. (Tue, 02 Nov 2021 04:09:11 GMT)
Notification sent to Kevin Locke <kevin@kevinlocke.name>: Bug acknowledged by developer. (Tue, 02 Nov 2021 04:09:11 GMT)
Source: nss
Source-Version: 2:3.72-1
Done: Mike Hommey <glandium@debian.org>
We believe that the bug you reported is fixed in the latest version of
nss, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 990058@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Hommey <glandium@debian.org> (supplier of updated nss package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 02 Nov 2021 06:57:06 +0900
Source: nss
Architecture: source
Version: 2:3.72-1
Distribution: unstable
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>
Changed-By: Mike Hommey <glandium@debian.org>
Closes: 737855 846012 963136 979159 990058
Changes:
nss (2:3.72-1) unstable; urgency=medium
.
* New upstream release.
* debian/libnss3.symbols, nss/lib/ssl/sslinfo.c, nss/lib/ssl/sslt.h,
nss/cmd/selfserv/selfserv.c, nss/cmd/strsclnt/strsclnt.c,
nss/cmd/tstclnt/tstclnt.c: Bump dependency version for SSL_GetChannelInfo
symbol and remove the previous workaround. Closes: #990058.
* debian/libnss3.lintian-overrides.in, debian/rules,
nss/cmd/shlibsign/shlibsign.c, nss/lib/pk11wrap/pk11load.c,
nss/lib/util/secload.c, nss/cmd/shlibsign/Makefile,
nss/cmd/shlibsign/manifest.mn: Stop putting freebl, softokn, etc. in a
subdirectory. It's a deviation from upstream that is causing more problems
than it's worth keeping. Closes: #737855, #846012, #979159.
* debian/libnss3-dev.links.in: Remove xulrunner-nss.pc.
* debian/rules: Stop forcing xz compression.
* debian/copyright: Add dot for continuation.
* debian/watch: Upgrade to version 4.
* debian/control: Upgrade Standard-Version to 4.6.0:
- debian/rules: Build with `make -s` when DEB_BUILD_OPTIONS contains
terse.
- debian/control: Add Rules-Requires-Root: no.
* debian/control: Remove conflict with libnss3-1d. The last Debian version
with libnss3-1d was jessie, and it had a newer version anyways.
* debian/rules: Enable all hardening options.
* debian/libnss3-symbols: Add Build-Depends-Package in symbols file.
* debian/*.lintian-overrides*: Remove
copyright-refers-to-versionless-license-file lintian overrides.
* debian/libnss3.lintian-overrides.in:
- s/shlib-without-versioned-soname/shared-library-lacks-version/.
- Add lacks-unversioned-link-to-shared-library overrides.
* debian/nss-config.in, debian/rules: Ship upstream nss-config instead of
ours. Closes: #737855, #963136.
* debian/rules, debian/control: Always set Multi-Arch: same.
* debian/copyright:
- Remove commas in `Files`.
- Add missing license name for ifparser.
- Add missing `Copyright`.
- Remove copyright for mkdepend, which is not in the source tree anymore.
* debian/upstream/metadata: Add upstream bug tracking metadata.
.
[ Daniel Kahn Gillmor ]
* debian/control: correct Homepage (old URL redirects to 404)
.
[ Janitor ]
* debian/changelog: Trim trailing whitespace.
* debian/copyright: Use secure copyright file specification URI.
* debian/compat, debian/control:
- Bump debhelper from deprecated 9 to 13.
- Set debhelper-compat version in Build-Depends.
* debian/upstream/metadata: Set upstream metadata fields: Repository.
* debian/rules: Drop transition for old debug package migration.
Checksums-Sha1:
26c57383d70b455b9dc8a8f8b09527b39a1ff904 2156 nss_3.72-1.dsc
798e3b3a19a101a10bb0dd2fc70e440d6d5f6760 83928300 nss_3.72.orig.tar.gz
0b0ac22c97ef6950a2d7f7e1537854f5afe7aaba 18756 nss_3.72-1.debian.tar.xz
634ba1a2d0793243c7502c1d133ab4fc70991fba 5583 nss_3.72-1_source.buildinfo
Checksums-Sha256:
20ca7525e673266986f83db70b7167a24ab0f43402965d76cb4d6fc431d7b622 2156 nss_3.72-1.dsc
6ea60a9ff113e493ea2ab25f41ea75a9fbd10af7903f26f703dac8680732d02e 83928300 nss_3.72.orig.tar.gz
14cd49c7821022c1141d3e9bae91048fa182e0676c776eefcc4dfa804888ac9e 18756 nss_3.72-1.debian.tar.xz
957c504b6c498e261c62a3d6d2e1cbe442a0dc6f7c33195899b8c4f8f76b6bd3 5583 nss_3.72-1_source.buildinfo
Files:
1fbd76f73fedf58e1aa866aef83262fa 2156 libs optional nss_3.72-1.dsc
dd2aedeb71abd2b7c8fa7ef32bfb3668 83928300 libs optional nss_3.72.orig.tar.gz
b30d01e899f20dea32aa2cd86d6f0231 18756 libs optional nss_3.72-1.debian.tar.xz
34fa1ba6c594d2b877913cd857de71e7 5583 libs optional nss_3.72-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEGC4WHREwufzNfbFn5CqgT6aqjHIFAmGAsC8ACgkQ5CqgT6aq
jHKMAw/+LR3Y0Z/EzOPFdhUeqwOrdLQ4qwekv3A/lW8U2MglmPKnEH6Q0LgtT00O
Dk73550SCjYbi3xk4CNuAMqk6KsduUU4cd5Hg4jrcT/HFGu8kQRZ1LEEPXSIkOee
vk66Q9A8liYsUFcKCOBpyF7JFYCcKKAKuOEshL9VYLz29H8xg21MKcNbu8xsB7oH
/okiqI3ERQ6hdeSTorzo1rPyBLnLHKRFboXB+zUQceSVS8lRbnI4saUQ+PwJFMdc
ZHSdzGEHrHL3KiOAGDyCrukGKi783R7XfY3/HNk1E0cM89dENvIQ3W8Ql8Ph7/kG
cxazWp0H8R9N+8t3O05A+6XkPgU82zFkzjarm0C6+XCEGsyToVkcLBFoJtN3AuDv
bQb7nQmAsOGAGkARJI+umkm4qjcyeDH6z7QlA0C7FnLdPptgEnky7l0yO4mNnKri
uHD/PFy2Zfps3SOhyXlrPgRjT7VicJ2aWyvn16JlpaPx8vyO09Q31nKuOeBcukQF
mAjcxaVX1M+4l3MNrcAOe6NLchLRoDqisx1NFL5APnO66304FKzUhkkFWf0vX/En
idHs8PztEatqUTorLthHfK4CQJiuWZYYf0hT9lHpI7dddbKC0vxP1U7jNw5NRI0g
fBlbN8zYPP9Df6L7BsQhB1vgudgM1PeBQNdefBvIMrGRGQW38wk=
=2+P/
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 Dec 2021 07:27:34 GMT)