firefox sets LD_LIBRARY_PATH which breaks the icedtea6-plugin

Bug #561124 reported by Matthias Klose on 2010-04-12
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenJDK
Won't Fix
Medium
firefox (Ubuntu)
Low
Unassigned
Lucid
Low
Unassigned
openjdk-6 (Ubuntu)
High
Unassigned
Lucid
High
Unassigned

Bug Description

Binary package hint: firefox

starting with openjdk/icedtea-1.7, a NSS based security provider is supported by icedtea.

The firefox start script in MOZILLA_FIVE_HOME sets LD_LIBRARY_PATH to include MOZILLA_FIVE_HOME and a number of subdirectories of MOZILLA_FIVE_HOME. The current NSS provider code seems to honor LD_LIBRARY_PATH, and loads the libnss3.so provided by the browser.

Caused by: java.io.IOException: An incompatible version of NSS is already loaded, 3.7 or later required
        at sun.security.pkcs11.Secmod.isInitialized(Secmod.java:130)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:168)

(wondering why the nss version shipped with firefox 3.6.3 identifies itself as 3.7).

However the openjdk build is configured for the nss version configured at build time, and you can run it with more than one browser, so it makes sense to use the libnss version which was detected at openjdk build time.

My current solution/workaround is to pass a modified LD_LIBRARY_PATH to the subprocess such that the libnss3.so which was configured at build time is always used.

The setting of LD_LIBRARY_PATH in the run-mozilla.sh start script may be convenient, but it does break plugins which are built to be independent of the browser used.

Things to do on the browser side:

 - why does firefox use it's own outdated libnss copy, and doesn't use the system nss3?
 - why does the nss shipped with firefox identifies itself with 3.7?
 - the firefox startup script should not set LD_LIBRARY_PATH, but search itself for libs
   in known places.

for a proposed workaround for the icedtea6-plugin to work with this broken plugin, see http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=461

Icedtea dont load/runs/works with applets. One example are geogebra applet.
Trying to load any applets from this page would fail. http://www.slu.edu/classes/maymk/GeoGebra/

One applet that fail:
http://www.slu.edu/classes/maymk/GeoGebra/SecantToTangent.html

Created attachment 317
error log

Created attachment 318
plugin debug log

Download full text (5.6 KiB)

with a build from 20100411 head/1.8-branch I only see these hangs if security.provider.9 in java.security is uncommented.

a simpler applet showing the same behaviour:
http://www.gurusheaven.de/security/anonymitaets_test.shtml

visiting the page with security.provider.9 commented:

Looking for 0xb5f9a90c 0xb3f3cfb0 0xb5fb6bdc (document)
java version "1.6.0_18"
OpenJDK Runtime Environment (IcedTea6 1.8) (6b18~pre4-1ubuntu4~ppa1)
OpenJDK Server VM (build 16.0-b13, mixed mode)
java.lang.InterruptedException: sleep interrupted
        at java.lang.Thread.sleep(Native Method)
        at sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:674)
        at sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:649)
        at sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270)
        at sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
java.lang.InterruptedException: sleep interrupted
        at java.lang.Thread.sleep(Native Method)
        at sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:629)
        at sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270)
        at sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
java.lang.InterruptedException: sleep interrupted
        at java.lang.Thread.sleep(Native Method)
        at sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:735)
        at sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:649)
        at sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270)
        at sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)

visiting the page with security.provider.9 uncommented:
Looking for 0xb4178f4c 0xb3a58b20 0xb59fdbcc (document)
java version "1.6.0_18"
OpenJDK Runtime Environment (IcedTea6 1.8) (6b18~pre4-1ubuntu4~ppa1)
OpenJDK Server VM (build 16.0-b13, mixed mode)
java.security.ProviderException: Could not initialize NSS
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
        at sun.security.jca.ProviderList.getService(ProviderList.java:330)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
        at java.security.Security.getImpl(Security.jav...

Read more...

Matthias Klose (doko) wrote :

this may affect other browsers too. would like to get some feedback for chromium.

Changed in firefox (Ubuntu):
importance: Undecided → High
milestone: none → ubuntu-10.04
status: New → Triaged
Changed in openjdk-6 (Ubuntu):
importance: Undecided → High
milestone: none → ubuntu-10.04
status: New → In Progress
Micah Gersten (micahg) wrote :

I think Firefox shipping its own NSS is a bug as it is compiled against system NSS. As for LD_LIBRARY_PATH, is NSS the only issue?

Matthias Klose (doko) wrote :

> As for LD_LIBRARY_PATH, is NSS the only issue

It looks like it's the only issue, however there are a lot of environment variables set for other platforms. Firefox can't know which extension/plugin is loaded, so any difference between the build environment of the extension/plugin and the runtime environment of the extension/plugin may cause issues.

Micah Gersten (micahg) wrote :

Actually, for some reason, Firefox is no longer building against system NSS and NSPR.

Micah Gersten (micahg) wrote :

Filed Bug #561216 about Firefox system lib issue.

Changed in openjdk:
status: Unknown → Confirmed
Chris Coulson (chrisccoulson) wrote :

How is this meant to work on upstream Firefox builds? Upstream builds ship their own NSS. The current FF3.6 in-source NSS version is 3.12.6, which is the same as the system version in Lucid

The firefox start script in MOZILLA_FIVE_HOME sets LD_LIBRARY_PATH to include
MOZILLA_FIVE_HOME and a number of subdirectories of MOZILLA_FIVE_HOME. The
current NSS provider does open libnss3.so in the path which is configured in nss.cfg, but the dlopen call doesn't the depending libraries of libnss3.so in the same directory.

$ LD_LIBRARY_PATH=/usr/lib/firefox-3.6.3 ldd /usr/lib/libnss3.so
 linux-gate.so.1 => (0x0068d000)
 libnssutil3.so => /usr/lib/firefox-3.6.3/libnssutil3.so (0x006a8000)
 libplc4.so => /usr/lib/firefox-3.6.3/libplc4.so (0x00f93000)
 libplds4.so => /usr/lib/firefox-3.6.3/libplds4.so (0x003bb000)
 libnspr4.so => /usr/lib/firefox-3.6.3/libnspr4.so (0x00f40000)
 libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x00252000)
 libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x0062d000)
 libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x0090b000)
 /lib/ld-linux.so.2 (0x002af000)

This happens as well with the firefox binaries which are downloadable from mozilla.org.

The security provider should prepend nssLibraryDirectory to the LD_LIBRARY_PATH before dlopening libnss3, and after that restore the path.

The workaround looks ok, just ignoring the libs provided by firefox, and using the libs detected at build time.

fixed in 1.8

Changed in openjdk:
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-6 - 6b18-1.8-0ubuntu1

---------------
openjdk-6 (6b18-1.8-0ubuntu1) lucid; urgency=low

  * Update IcedTea6 to the icedtea6-1.8 release.
  * Fix builds on Ubuntu/dapper and Debian/lenny.
  * On hppa, configure --without-rhino --disable-plugin.
  * Fix Hitachi SH configury. Closes: #575346.
  * Start a window manager when running the tests. Prefer metacity,
    as more tests pass with it.
  * Let XToolkit.isTraySupported() return true, if Compiz is running.
    Works around sun#6438179. LP: #300948.
  * Make <java_home>/jre/lib/security/nss.cfg a config file.
  * Fail in the configuration of the packages, if /proc is not mounted.
    java currently uses tricks to find its own shared libraries depending
    on the path of the binary. Will be changed in OpenJDK7. Closes: #576453.
  * Fix PR icedtea/469, testsuite failures with the NSS based security
    provider. LP: #556549.
  * Do not pass LD_LIBRARY_PATH from the plugin to the java process.
    While libnss3.so gets loaded from /usr/lib, the dependent libraries
    are loaded from MOZILLA_FIVE_HOME (See #561216 for the wrong firefox
    config). LP: #561124.
    Closes as well: LP: #551328, #554909, #560829, #549010, #553452.
  * Always build shark with hs14.
 -- Matthias Klose <email address hidden> Wed, 14 Apr 2010 01:53:33 +0200

Changed in openjdk-6 (Ubuntu Lucid):
status: In Progress → Fix Released
Sebastien Bacher (seb128) wrote :

The bug has been worked around in openjdk, still would be nice to look at it but not a firefox blocked for lucid

Changed in firefox (Ubuntu Lucid):
importance: High → Low
milestone: ubuntu-10.04 → none
jordg (gbj) wrote :

This also affects sun-java-plugin when starting JNLP applications

Caused by: java.io.IOException: An incompatible version of NSS is already loaded, 3.7 or later required
        at sun.security.pkcs11.Secmod.isInitialized(Secmod.java:130)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:168)
        ... 35 more
netx: Unexpected net.sourceforge.jnlp.ParseException: Invalid XML document syntax. at net.sourceforge.jnlp.Parser.getRootNode(Parser.java:1196)

Try any JNLP application
For example: http://java.sun.com/docs/books/tutorialJWS/uiswing/components/ex6/TreeIconDemo.jnlp

Changed in openjdk:
importance: Unknown → Medium
Download full text (4.6 KiB)

hello
I have this problem with the openjdk plugin (icedtea-web 1.0.2).
thanks

$ firefox --version
Mozilla Firefox 4.0.1
$ firefox
java version "1.6.0_22"
OpenJDK Runtime Environment (IcedTea6 1.10) (mageia-14.b22.5.mga1-i386)
OpenJDK Server VM (build 20.0-b10, mixed mode)
OFS Webchat Applet Running bld 2096 - (C) Icona spa http://www.icona.it
Java version 1.6.0_22
Trying connecting to 195.210.93.109:4800
**OFSCmdLogon :: encodeItems() :: getCli() = NULL !!
Exception in thread "AWT-EventQueue-2" java.lang.NullPointerException
        at javax.swing.text.PlainView.updateMetrics(PlainView.java:205)
        at javax.swing.text.PlainView.getPreferredSpan(PlainView.java:228)
        at javax.swing.text.FieldView.getPreferredSpan(FieldView.java:235)
        at javax.swing.text.PasswordView.getPreferredSpan(PasswordView.java:232)
        at javax.swing.text.FieldView.adjustAllocation(FieldView.java:82)
        at javax.swing.text.FieldView.adjustPaintRegion(FieldView.java:195)
        at javax.swing.text.PlainView.paint(PlainView.java:251)
        at javax.swing.text.FieldView.paint(FieldView.java:188)
        at javax.swing.plaf.basic.BasicTextUI$RootView.paint(BasicTextUI.java:1439)
        at javax.swing.plaf.basic.BasicTextUI.paintSafely(BasicTextUI.java:739)
        at javax.swing.plaf.basic.BasicTextUI.paint(BasicTextUI.java:886)
        at javax.swing.plaf.basic.BasicTextUI.update(BasicTextUI.java:865)
        at javax.swing.JComponent.paintComponent(JComponent.java:765)
        at javax.swing.JComponent.paint(JComponent.java:1029)
        at javax.swing.JComponent.paintToOffscreen(JComponent.java:5138)
        at javax.swing.RepaintManager$PaintManager.paintDoubleBuffered(RepaintManager.java:1454)
        at javax.swing.RepaintManager$PaintManager.paint(RepaintManager.java:1385)
        at javax.swing.BufferStrategyPaintManager.paint(BufferStrategyPaintManager.java:318)
        at javax.swing.RepaintManager.paint(RepaintManager.java:1188)
        at javax.swing.JComponent._paintImmediately(JComponent.java:5086)
        at javax.swing.JComponent.paintImmediately(JComponent.java:4896)
        at javax.swing.RepaintManager.paintDirtyRegions(RepaintManager.java:783)
        at javax.swing.RepaintManager.paintDirtyRegions(RepaintManager.java:735)
        at javax.swing.RepaintManager.prePaintDirtyRegions(RepaintManager.java:677)
        at javax.swing.RepaintManager.access$700(RepaintManager.java:58)
        at javax.swing.RepaintManager$ProcessingRunnable.run(RepaintManager.java:1593)
        at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:226)
        at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:647)
        at java.awt.EventQueue.access$000(EventQueue.java:96)
        at java.awt.EventQueue$1.run(EventQueue.java:608)
        at java.awt.EventQueue$1.run(EventQueue.java:606)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:105)
        at java.awt.EventQueue.dispatchEvent(EventQueue.java:617)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:275)
        at java...

Read more...

Changed in openjdk:
status: Fix Released → Won't Fix
Launchpad Janitor (janitor) wrote :
Download full text (3.3 KiB)

This bug was fixed in the package firefox - 7.0~b1+build1+nobinonly-0ubuntu1

---------------
firefox (7.0~b1+build1+nobinonly-0ubuntu1) oneiric; urgency=low

  * New upstream release from the beta channel (FIREFOX_7_0b1_BUILD1)

  * Rewrite the apport hook to be more useful
    - update debian/apport/firefox.py.in
  * Update the apport blacklist file now that the binary name has changed
    - update debian/apport/firefox.in
  * Dropped patches which are obsolete/fixed upstream
    - remove debian/patches/cairo-lcd-filter.patch
    - remove debian/patches/fix-sdk-bin-install.patch
    - update debian/patches/series
  * Refresh patches
    - update debian/patches/firefox-kde.patch
    - update debian/patches/mozilla-kde.patch
    - update debian/patches/reload-new-plugins.patch
  * Look in the correct location for the staged langpack xpi's. They moved
    from dist/install to dist/linux-$(DEB_HOST_GNU_CPU)
    - update debian/rules
  * Ensure we use DEB_BUILD_* and DEB_HOST_* consistently so that cross-
    compiling works
    - update debian/rules
    - update debian/mozconfig.in
    - update debian/firefox-dev.install.in
  * Improve the description for unavailable language packs
    - update debian/control.langpacks.unavail
  * Simplify firefox-dev.install a bit by installing everything in
    /usr/include
    - update debian/firefox-dev.install.in
  * Use $(MOZ_DISTDIR) rather than $(MOZ_OBJDIR)/dist in debian/rules.
    - update debian/rules
  * Handle video/webm mimetypes
    - update debian/firefox.desktop.in
  * Fix check-sync-dirs.py test failure - ensure config/system-headers and
    js/src/config/system-headers are kept in sync
    - update debian/patches/unity-globalmenu-build-support-patch
  * Fix browserGlue_distribution.js and browserGlue_smartBookmarks.js xpcshell
    test failures. Update DEFAULT_BOOKMARKS_ON_MENU with the correct number of
    default bookmarks
    - update debian/patches/ubuntu-bookmarks.patch
  * Fix jsreftest failures by setting the correct timezone and locale
    - update debian/testsuite.mk
  * Switch off debian/patches/fix-selection-drag-autoscroll.patch for now. It
    doesn't apply and needs a rethink
    - update debian/patches/series
  * Fix "format not a string literal and no format arguments" error
   - add debian/patches/printf-fix.patch
   - update debian/patches/series
  * Update for the binary name change
    - update debian/firefox.install.in
    - update debian/firefox.sh.in
  * Ensure we install dependentlibs.list so that Firefox knows which libs
    to dlopen before libxul
    - update debian/firefox.install.in
  * Get rid of some more hanging IPC xpcshell tests
    - update debian/testsuite.mk
  * Now Firefox lazy loads libxul, drop the LD_LIBRARY_PATH hack from the
    shell wrapper (LP: #561124)
    - update debian/firefox.sh.in
  * Refresh shipped locales for beta
    - refresh debian/locales.shipped
    - refresh debian/locales.unavailable
    - refresh debian/control
  * Ship a file in /etc/apport/native-origins.d to enable bug reporting
    on PPA branches
    - add debian/apport/native-origins.in
    - rename debian/apport/firefox.in => debian/apport/blacklist.in
    - update debian...

Read more...

Changed in firefox (Ubuntu):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (18.2 KiB)

This bug was fixed in the package firefox - 9.0.1+build1-0ubuntu0.10.04.2

---------------
firefox (9.0.1+build1-0ubuntu0.10.04.2) lucid-proposed; urgency=low

  [ Chris Coulson <email address hidden> ]
  * Fix LP: #907666 - readd missing kubuntu-firefox-installer Replaces
    - update debian/control

  [ Micah Gersten <email address hidden> ]
  * Fix LP: #917529 - Make sure new transitional packages have a versioned
    dependency on Firefox so as to not break Firefox during partial upgrades
    - update debian/control{,.in}

firefox (9.0.1+build1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * New upstream stable release (FIREFOX_9_0_1_BUILD1) (LP: #904594)

firefox (9.0+build1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * New upstream stable release (FIREFOX_9_0_BUILD1)

  [ Chris Coulson <email address hidden> ]
  * Install the Apport hook as a source package hook
    - rename debian/apport/firefox.py.in => debian/apport/source_firefox.py.in
    - update debian/firefox.install.in
    - update debian/rules
  * Don't unconditionally overwrite SourcePackage when reporting bugs with
    the nightly apport hook
    - update debian/apport/source_firefox.py.in
  * Set "Channel = Unavailable" if channel-prefs.js doesn't contain a
    channel name
    - update debian/apport/source_firefox.py.in
  * Ensure that create-tarball can handle there not being a locale blacklist
    - update debian/build/create-tarball.py
  * Drop xpt.py and xpidl from $LIBDIR. xpidl is gone, and xpt.py isn't included
    there in the upstream SDK
    - update debian/firefox-dev.links.in
  * Fix LP: #901838 - Ugly busy pointer, due to libxcursor no longer matching
    the cursor bitmap to a nice themed pointer
    - add debian/patches/fix-cursor-handling.patch
    - update debian/patches/series
  * Don't disable our bundled addons on upgrade
    - update debian/vendor.js
  * Modify the UA string to add "Ubuntu" to the platform component
    - add debian/patches/ubuntu-ua-string-changes.patch
    - update debian/patches/series
    - update debian/rules
  * Move custom scripts to debian/build
    - move debian/get-xpi-id.py to debian/build/get-xpi-id.py
    - move debian/refresh-supported-locales.pl to
       debian/build/refresh-supported-locales.pl
    - move debian/extract-file.py to debian/build/extract-file.py
    - update debian/rules
    - move debian/testsuite.mk to debian/build/testsuite.mk
  * Dropped patches that are obsolete or fixed upstream:
    - remove debian/patches/lp512615_cairo_lcd_filter.patch
    - remove debian/patches/lp185622_system_path_default_browser.patch
    - remove debian/patches/bz386904_config_rules_install_dist_files.patch
    - remove debian/patches/bz532198_lp488354_ns_invokebyindex_not_thumb2_safe.patch
    - remove debian/patches/bzXXX_libxul_sdk_nspr.patch
    - remove debian/patches/drop_bz418016.patch
    - remove debian/patches/firefox-fsh
    - remove debian/patches/firefox-profilename
    - remove debian/patches/ubuntu_no_app_updates.patch
    - update debian/patches/series
  * Refresh patches:
    - update debian/patches/firefox-kde.patch
    - update debian/patches/mozilla-kde.patch
    - update debian/patches...

Changed in firefox (Ubuntu Lucid):
status: Triaged → Fix Released

details: http://icedtea.classpath.org//people/andrew/icedtea8?cmd=changeset;node=23684054d4dc
author: Matthias Klose <email address hidden>
date: Mon Apr 12 22:37:35 2010 +0200

 Fix PR icedtea/461, plugin working for NSS enabled builds working together with firefox including a private NSS copy

 2010-04-12 Matthias Klose <email address hidden>

         PR icedtea/461
         * plugin/icedteanp/IcedTeaNPPlugin.cc (plugin_filter_ld_library_path):
         New, filter out paths in LD_LIBRARY_PATH which start with
         MOZILLA_FIVE_HOME.
         (plugin_filter_environment): New, build environment to pass to the
         appletviewer process.
         (plugin_test_appletviewer, plugin_start_appletviewer): Start the new
         process with the filtered environment.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.