Ubuntu
nss package

  1. Bug #1837734
  2. Comment #0

Comment 0 for bug 1837734

Revision history for this message
Vineetha Kamath (vineetha) wrote : firefox crash on a FIPS enabled machine due to libnss3

[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing.

The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.

The issue impacts libnss3 versions in eoan, disco, bionic and xenial.

lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10