libnss3-1d 3.12.6-0ubuntu0.9.10.1 breaks ssl/fips support in firefox

Bug #559881 reported by PhobosK on 2010-04-10
64
This bug affects 13 people
Affects Status Importance Assigned to Milestone
firefox (Ubuntu)
Medium
Chris Coulson
Jaunty
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Medium
Chris Coulson
firefox-3.5 (Ubuntu)
Undecided
Unassigned
Jaunty
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
nss (Ubuntu)
Medium
Chris Coulson
Jaunty
Undecided
Unassigned
Karmic
High
Chris Coulson
Lucid
Medium
Chris Coulson
xulrunner-1.9.1 (Ubuntu)
Undecided
Unassigned
Jaunty
High
Chris Coulson
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned

Bug Description

Binary package hint: libnss3-1d

The new update of libnss3-1d (3.12.6-0ubuntu0.9.10.1) that is in karmic-updates totally breaks the FIPS and SSL support in firefox!
All packages up-to-date using the default repos + a brand new install of Ubuntu Karmic amd64 here.

After upgrading these:
firefox (3.5.8+build1+nobinonly-0ubuntu0.9.10.1) to 3.5.9+nobinonly-0ubuntu0.9.10.1
firefox-3.5 (3.5.8+build1+nobinonly-0ubuntu0.9.10.1) to 3.5.9+nobinonly-0ubuntu0.9.10.1
firefox-3.5-branding (3.5.8+build1+nobinonly-0ubuntu0.9.10.1) to 3.5.9+nobinonly-0ubuntu0.9.10.1
firefox-3.5-gnome-support (3.5.8+build1+nobinonly-0ubuntu0.9.10.1) to 3.5.9+nobinonly-0ubuntu0.9.10.1
firefox-gnome-support (3.5.8+build1+nobinonly-0ubuntu0.9.10.1) to 3.5.9+nobinonly-0ubuntu0.9.10.1
libnss3-1d (3.12.3.1-0ubuntu2) to 3.12.6-0ubuntu0.9.10.1
xulrunner-1.9.1 (1.9.1.8+build1+nobinonly-0ubuntu0.9.10.1) to 1.9.1.9+nobinonly-0ubuntu0.9.10.1
xulrunner-1.9.1-gnome-support (1.9.1.8+build1+nobinonly-0ubuntu0.9.10.1) to 1.9.1.9+nobinonly-0ubuntu0.9.10.1

Starting firefox with an existent profile (using FIPS) gives the error:
"Could not initialize the application's security component. The most likely cause is problems with files in your application's profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended that you exit the application and fix the problem. If you continue to use this session, you might see incorrect application behaviour when accessing security features."
Creating a new profile and trying to enable FIPS fails with no error.

Downgrading libnss3-1d to 3.12.3.1-0ubuntu2 (the only lower version available right now in official repos) and downgrading:
xulrunner-1.9.1-gnome-support from 1.9.1.9+nobinonly-0ubuntu0.9.10.1 to 1.9.1.3+build1+nobinonly-0ubuntu6.
xulrunner-1.9.1 from 1.9.1.9+nobinonly-0ubuntu0.9.10.1 to 1.9.1.3+build1+nobinonly-0ubuntu6.

Fixes the errors.

There are no problems with the read/write permissions in the profile directory.

PhobosK (phobosk) on 2010-04-10
description: updated
PhobosK (phobosk) on 2010-04-10
description: updated

I had the same problem with thunderbird (and the solution fixed the problem). This problem did not cause difficulties with firefox for me. See the duplicate bug #559918.

PhobosK (phobosk) on 2010-04-10
tags: added: amd64
Changed in nss (Ubuntu):
importance: Undecided → Critical
Alexander Sack (asac) wrote :

Hi, so sometimes firefox/thunderbirds go crazy when not properly restarted after an upgrade. Can you still reproduce with all upgraded and maybe logging out of X and logging in again?

PhobosK (phobosk) wrote :

#2
Does a reboot count? :D

This bug has been around from NSS' version 3.12.5 and i have been tracking it on Gentoo too with no luck.
No workarounds using env variables help.
Anyway I wonder why the 3.12.6 version has been committed as an update without testing it works in the first place...

Kay (noiq) wrote :

Uninstalling libnss3-0d worked for me too (I had no libnss3-dev installed).

affects: nss (Ubuntu) → ubuntu
affects: Ubuntu Karmic → nss (Ubuntu Karmic)
Changed in nss (Ubuntu Lucid):
importance: Critical → Medium
status: New → Triaged
Changed in nss (Ubuntu Karmic):
importance: Undecided → Critical
status: New → Triaged
Chris Coulson (chrisccoulson) wrote :

Ok, it seems we need to generate and ship a checksum for libnssdbm3.so now. I will get that fixed ASAP, sorry for the inconvenience

Changed in nss (Ubuntu Lucid):
assignee: nobody → Chris Coulson (chrisccoulson)
Changed in nss (Ubuntu Karmic):
assignee: nobody → Chris Coulson (chrisccoulson)
Changed in nss (Ubuntu Lucid):
milestone: none → ubuntu-10.04
Chris Coulson (chrisccoulson) wrote :

This is also broken in Firefox in Lucid, as it's using bundled NSS and there aren't any checksums installed for that

Changed in firefox (Ubuntu Karmic):
status: New → Invalid
Changed in firefox (Ubuntu Lucid):
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Chris Coulson (chrisccoulson)
milestone: none → ubuntu-10.04
Chris Coulson (chrisccoulson) wrote :

I've just uploaded nss 3.12.6-0ubuntu0.9.10.2 to the Mozilla Security Team PPA. It's currently building and will be available in an hour or so. Could people experiencing this regression in karmic please test the package once it becomes available. To add the u-m-s team PPA to your sources.list, you can run:

sudo add-apt-repository ppa:ubuntu-mozilla-security/ppa
sudo apt-get update

...and then update the nss version to 3.12.6-0ubuntu0.9.10.2

Thanks!

PhobosK (phobosk) wrote :

@Chris Coulson,
I have not tested your built of nss 3.12.6-0ubuntu0.9.10.2 (#7) because i do not like adding any other repos except the official ubuntu ones on the laptop i had the error on.

But as far as the only real change is in signing the libnssdbm3.so using shlibsign I upgraded back the:
libnss3-1d to 3.12.6-0ubuntu0.9.10.1
xulrunner-1.9.1-gnome-support to 1.9.1.9+nobinonly-0ubuntu0.9.10.1
xulrunner-1.9.1 to 1.9.1.9+nobinonly-0ubuntu0.9.10.1
And signed the library, so the bug is gone now.

For those of you who do not want to add the Mozilla Security Team PPA and would like to wait untill official fix is released do the following:
1. Upgrade back your libnss3-1d, xulrunner-1.9.1-gnome-support, xulrunner-1.9.1 to the versions i mention above.
2. apt-get install libnss3-tools
3. sudo shlibsign -v -i /usr/lib/nss/libnssdbm3.so

And the bug should be gone.

Jamie Strandboge (jdstrand) wrote :

For i386, people can also go to:
https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa/+build/1685696

or for amd64:
https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa/+build/1685694

Those are the official builds (from the ubuntu-mozilla-security ppa). If people affected by this could please test these packages, we will be able to release an official update sooner.

Builds are currently available for i386, amd64, lpia, and armel with powerpc, sparc and ia64 expected to finish soon.

Thanks!

Changed in firefox-3.5 (Ubuntu Lucid):
status: New → Invalid
Changed in firefox-3.5 (Ubuntu Jaunty):
status: New → Invalid
Changed in firefox-3.5 (Ubuntu Karmic):
status: New → Invalid
Changed in xulrunner-1.9.1 (Ubuntu Lucid):
status: New → Invalid
Changed in xulrunner-1.9.1 (Ubuntu Karmic):
status: New → Invalid
Changed in firefox (Ubuntu Jaunty):
status: New → Invalid
Changed in nss (Ubuntu Jaunty):
status: New → Invalid
Changed in xulrunner-1.9.1 (Ubuntu Jaunty):
assignee: nobody → Chris Coulson (chrisccoulson)
Changed in xulrunner-1.9.1 (Ubuntu Jaunty):
status: New → Triaged
importance: Undecided → Critical
importance: Critical → High
Changed in nss (Ubuntu Karmic):
status: Triaged → Fix Committed
importance: Critical → High
Changed in nss (Ubuntu Lucid):
status: Triaged → In Progress
Changed in nss (Ubuntu Lucid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.12.6-0ubuntu3

---------------
nss (3.12.6-0ubuntu3) lucid; urgency=low

  * Generate missing checksum for libnssdbm3.so to make FIPS mode
    work again (LP: #559881)
    - update debian/rules
 -- Chris Coulson <email address hidden> Sat, 10 Apr 2010 21:23:03 +0100

Changed in nss (Ubuntu Lucid):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Please note that while Lucid nss is now fixed, only packages using the system nss will work correctly now (eg, thunderbird). Firefox in Lucid uses an embedded nss and needs to be fixed in a new firefox upload.

Karmic users only need the system nss updated for firefox, thunderbird, etc to be fixed.

SegundoBob (bhossley) wrote :

This bug prevents me from using Thunderbird. This bug does not affect my use of Firefox.

I tried to follow Chris Coulson's instructions for testing the fix. If I succeeded in obtaining the "fix", it does not work for me.

My problems with Chris Coulson's instructions:

My "sudo apt-get update" seemed to work, but it ended with a warning:

Fetched 80.9kB in 2min 0s (671B/s)
Reading package lists... Done
W: GPG error: http://ppa.launchpad.net karmic Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A6DCF7707EBC211F
bob@Back2:~$

I do not know what Coulson meant by "...and then update the nss version to 3.12.6-0ubuntu0.9.10.2"
But after the "sudo apt-get update", Synaptic showed three libnss modules as "upgradable" and the available versions of these
modules were all 3.12.6-0ubuntu0.9.10.2, so I used Synaptic to "upgrade them.

But Thunderbird still did not work. Logging out and back in did not help. Rebooting did not help.

Synaptic shows that my libnss modules are now all at 3.12.6-0ubuntu0.9.10.2.

Jamie Strandboge (jdstrand) wrote :

SegundoBob,

Do you use FIPS with Thunderbird? Does removing libnss3-0d and libnss3-dev help (as mentioned in bug #559918)? What is it that isn't working (eg, POP with SSL, sending mail, etc)?

SegundoBob (bhossley) wrote :

Jamie,

At your suggestion, I just used Synaptic to remove libnss3-0d (libcamel1.2-10 will be removed, libnss3-0d will be removed).
This eliminated all my bug symptoms.

So far as I know, I do not use FIPS. I did not ever and I do not have libnss3-dev installed.

These were my bug symptoms, "alert" messages that were displayed after I invoked Thunderbird and before Thunderbird displayed anything:

Alert
Could not initialize the browser's security component. The most likely cause is problems with files in your browser's profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended hat you exit the browser and fix the problem. If you continue to use this browser session, you might see incorrect browser behavior when accessing security features.

Alert
Thunderbird can't connect securely to pop.gmail.com because the SSL protocol has been disabled.

Jamie Strandboge (jdstrand) wrote :

I have unduped bug #559918 since it is a different bug. SegundoBob, please subscribe to that bug to keep up with its progress.

I downloaded libnss3-1d_3.12.6-0ubuntu0.9.10.2_i386.deb from https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa/+build/1685696 and now Thunderbird will launch without the security error. I was not having the problem with Firefox, only Thunderbird.

Note: I did not have libnss3-0d installed, only 1d.

Jamie Strandboge (jdstrand) wrote :

Russell, the thunderbird bug is bug #559918, please comment there.

Jamie Strandboge (jdstrand) wrote :

FYI-- the build in the ubuntu-mozilla-security PPA will be the official one. If the packages in that PPA work for people, they will be pocket copied to the Ubuntu archive from there.

Jamie Strandboge (jdstrand) wrote :

I can confirm the packages in the PPA fix the problem for firefox. Testing was performed like so:

1. start a virtual machine with old nss and firefox
2. enable master password
3. enable NSS Internal FIPS PKCS #11 in Edit/Preferences/Advaned/Encryption/Security Devices
4. close firefox
5. start firefox -- will be prompted for master password at some point
6. close firefox
7. upgrade nss, firefox-3.5 and xulrunner-1.9.1
8. start firefox -- get "Could not initialize the application's security component...." message
9. install nss from PPA
10. start firefox -- no error; will be prompted for master password at some point

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.12.6-0ubuntu0.9.10.2

---------------
nss (3.12.6-0ubuntu0.9.10.2) karmic-security; urgency=low

  * Generate missing checksum for libnssdbm3.so to make FIPS mode
    work again (LP: #559881)
    - see USN-927-2
    - update debian/rules
 -- Chris Coulson <email address hidden> Sat, 10 Apr 2010 19:14:52 +0100

Changed in nss (Ubuntu Karmic):
status: Fix Committed → Fix Released
Martin Olsson (mnemo) wrote :

Huge kudos for fixing this so fast. This is the most serious Ubuntu bug I ever ran into on my stable machine. I ran "sudo apt-get remove libnss3-0d" as a workaround and I got my mail back up again now. Scary stuff.

Lars J. Nielsen (ebidk) wrote :

The fix in #20 fixes it for me on karmic, thanks :)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 3.6.3+nobinonly-0ubuntu3

---------------
firefox (3.6.3+nobinonly-0ubuntu3) lucid; urgency=low

  [ Jamie Strandboge <email address hidden> ]
  * AppArmor: add read access to /etc/xul-ext/**, now needed by adblock

  [ Chris Coulson <email address hidden> ]
  * Create checksums for NSS libraries to make FIPS mode work (LP: #559881)
    - update debian/rules
 -- Chris Coulson <email address hidden> Tue, 13 Apr 2010 22:20:28 +0100

Changed in firefox (Ubuntu Lucid):
status: Triaged → Fix Released
Changed in xulrunner-1.9.1 (Ubuntu Jaunty):
status: Triaged → Fix Committed
Changed in firefox (Ubuntu):
assignee: Chris Coulson (chrisccoulson) → Kristi Rice (kristifarrarrice)
Micah Gersten (micahg) wrote :

Please don't change assignees unless you are working on an issue.

Changed in firefox (Ubuntu):
assignee: Kristi Rice (kristifarrarrice) → Chris Coulson (chrisccoulson)
milestone: ubuntu-10.04 → none
Jamie Strandboge (jdstrand) wrote :

Jaunty is EOL.

Changed in xulrunner-1.9.1 (Ubuntu Jaunty):
status: Fix Committed → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers