libnss3-1d 3.12.6-0ubuntu0.9.10.1 breaks ssl/fips support in firefox
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| firefox (Ubuntu) |
Medium
|
Chris Coulson | |||
| Jaunty |
Undecided
|
Unassigned | |||
| Karmic |
Undecided
|
Unassigned | |||
| Lucid |
Medium
|
Chris Coulson | |||
| firefox-3.5 (Ubuntu) |
Undecided
|
Unassigned | |||
| Jaunty |
Undecided
|
Unassigned | |||
| Karmic |
Undecided
|
Unassigned | |||
| Lucid |
Undecided
|
Unassigned | |||
| nss (Ubuntu) |
Medium
|
Chris Coulson | |||
| Jaunty |
Undecided
|
Unassigned | |||
| Karmic |
High
|
Chris Coulson | |||
| Lucid |
Medium
|
Chris Coulson | |||
| xulrunner-1.9.1 (Ubuntu) |
Undecided
|
Unassigned | |||
| Jaunty |
High
|
Chris Coulson | |||
| Karmic |
Undecided
|
Unassigned | |||
| Lucid |
Undecided
|
Unassigned | |||
Bug Description
Binary package hint: libnss3-1d
The new update of libnss3-1d (3.12.6-
All packages up-to-date using the default repos + a brand new install of Ubuntu Karmic amd64 here.
After upgrading these:
firefox (3.5.8+
firefox-3.5 (3.5.8+
firefox-
firefox-
firefox-
libnss3-1d (3.12.3.1-0ubuntu2) to 3.12.6-
xulrunner-1.9.1 (1.9.1.
xulrunner-
Starting firefox with an existent profile (using FIPS) gives the error:
"Could not initialize the application's security component. The most likely cause is problems with files in your application's profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended that you exit the application and fix the problem. If you continue to use this session, you might see incorrect application behaviour when accessing security features."
Creating a new profile and trying to enable FIPS fails with no error.
Downgrading libnss3-1d to 3.12.3.1-0ubuntu2 (the only lower version available right now in official repos) and downgrading:
xulrunner-
xulrunner-1.9.1 from 1.9.1.9+
Fixes the errors.
There are no problems with the read/write permissions in the profile directory.
| description: | updated |
| description: | updated |
| tags: | added: amd64 |
| Changed in nss (Ubuntu): | |
| importance: | Undecided → Critical |
| Alexander Sack (asac) wrote : | #2 |
Hi, so sometimes firefox/
| PhobosK (phobosk) wrote : | #3 |
#2
Does a reboot count? :D
This bug has been around from NSS' version 3.12.5 and i have been tracking it on Gentoo too with no luck.
No workarounds using env variables help.
Anyway I wonder why the 3.12.6 version has been committed as an update without testing it works in the first place...
| Kay (noiq) wrote : | #4 |
Uninstalling libnss3-0d worked for me too (I had no libnss3-dev installed).
| affects: | nss (Ubuntu) → ubuntu |
| affects: | Ubuntu Karmic → nss (Ubuntu Karmic) |
| Changed in nss (Ubuntu Lucid): | |
| importance: | Critical → Medium |
| status: | New → Triaged |
| Changed in nss (Ubuntu Karmic): | |
| importance: | Undecided → Critical |
| status: | New → Triaged |
| Chris Coulson (chrisccoulson) wrote : | #5 |
Ok, it seems we need to generate and ship a checksum for libnssdbm3.so now. I will get that fixed ASAP, sorry for the inconvenience
| Changed in nss (Ubuntu Lucid): | |
| assignee: | nobody → Chris Coulson (chrisccoulson) |
| Changed in nss (Ubuntu Karmic): | |
| assignee: | nobody → Chris Coulson (chrisccoulson) |
| Changed in nss (Ubuntu Lucid): | |
| milestone: | none → ubuntu-10.04 |
| Chris Coulson (chrisccoulson) wrote : | #6 |
This is also broken in Firefox in Lucid, as it's using bundled NSS and there aren't any checksums installed for that
| Changed in firefox (Ubuntu Karmic): | |
| status: | New → Invalid |
| Changed in firefox (Ubuntu Lucid): | |
| importance: | Undecided → Medium |
| status: | New → Triaged |
| assignee: | nobody → Chris Coulson (chrisccoulson) |
| milestone: | none → ubuntu-10.04 |
| Chris Coulson (chrisccoulson) wrote : | #7 |
I've just uploaded nss 3.12.6-
sudo add-apt-repository ppa:ubuntu-
sudo apt-get update
...and then update the nss version to 3.12.6-
Thanks!
| PhobosK (phobosk) wrote : | #8 |
@Chris Coulson,
I have not tested your built of nss 3.12.6-
But as far as the only real change is in signing the libnssdbm3.so using shlibsign I upgraded back the:
libnss3-1d to 3.12.6-
xulrunner-
xulrunner-1.9.1 to 1.9.1.9+
And signed the library, so the bug is gone now.
For those of you who do not want to add the Mozilla Security Team PPA and would like to wait untill official fix is released do the following:
1. Upgrade back your libnss3-1d, xulrunner-
2. apt-get install libnss3-tools
3. sudo shlibsign -v -i /usr/lib/
And the bug should be gone.
| Jamie Strandboge (jdstrand) wrote : | #9 |
For i386, people can also go to:
https:/
or for amd64:
https:/
Those are the official builds (from the ubuntu-
Builds are currently available for i386, amd64, lpia, and armel with powerpc, sparc and ia64 expected to finish soon.
Thanks!
| Changed in firefox-3.5 (Ubuntu Lucid): | |
| status: | New → Invalid |
| Changed in firefox-3.5 (Ubuntu Jaunty): | |
| status: | New → Invalid |
| Changed in firefox-3.5 (Ubuntu Karmic): | |
| status: | New → Invalid |
| Changed in xulrunner-1.9.1 (Ubuntu Lucid): | |
| status: | New → Invalid |
| Changed in xulrunner-1.9.1 (Ubuntu Karmic): | |
| status: | New → Invalid |
| Changed in firefox (Ubuntu Jaunty): | |
| status: | New → Invalid |
| Changed in nss (Ubuntu Jaunty): | |
| status: | New → Invalid |
| Changed in xulrunner-1.9.1 (Ubuntu Jaunty): | |
| assignee: | nobody → Chris Coulson (chrisccoulson) |
| Changed in xulrunner-1.9.1 (Ubuntu Jaunty): | |
| status: | New → Triaged |
| importance: | Undecided → Critical |
| importance: | Critical → High |
| Changed in nss (Ubuntu Karmic): | |
| status: | Triaged → Fix Committed |
| importance: | Critical → High |
| Changed in nss (Ubuntu Lucid): | |
| status: | Triaged → In Progress |
| Changed in nss (Ubuntu Lucid): | |
| status: | In Progress → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package nss - 3.12.6-0ubuntu3
---------------
nss (3.12.6-0ubuntu3) lucid; urgency=low
* Generate missing checksum for libnssdbm3.so to make FIPS mode
work again (LP: #559881)
- update debian/rules
-- Chris Coulson <email address hidden> Sat, 10 Apr 2010 21:23:03 +0100
| Changed in nss (Ubuntu Lucid): | |
| status: | Fix Committed → Fix Released |
| Jamie Strandboge (jdstrand) wrote : | #11 |
Please note that while Lucid nss is now fixed, only packages using the system nss will work correctly now (eg, thunderbird). Firefox in Lucid uses an embedded nss and needs to be fixed in a new firefox upload.
Karmic users only need the system nss updated for firefox, thunderbird, etc to be fixed.
| SegundoBob (bhossley) wrote : | #12 |
This bug prevents me from using Thunderbird. This bug does not affect my use of Firefox.
I tried to follow Chris Coulson's instructions for testing the fix. If I succeeded in obtaining the "fix", it does not work for me.
My problems with Chris Coulson's instructions:
My "sudo apt-get update" seemed to work, but it ended with a warning:
Fetched 80.9kB in 2min 0s (671B/s)
Reading package lists... Done
W: GPG error: http://
bob@Back2:~$
I do not know what Coulson meant by "...and then update the nss version to 3.12.6-
But after the "sudo apt-get update", Synaptic showed three libnss modules as "upgradable" and the available versions of these
modules were all 3.12.6-
But Thunderbird still did not work. Logging out and back in did not help. Rebooting did not help.
Synaptic shows that my libnss modules are now all at 3.12.6-
| Jamie Strandboge (jdstrand) wrote : | #13 |
SegundoBob,
Do you use FIPS with Thunderbird? Does removing libnss3-0d and libnss3-dev help (as mentioned in bug #559918)? What is it that isn't working (eg, POP with SSL, sending mail, etc)?
| SegundoBob (bhossley) wrote : | #14 |
Jamie,
At your suggestion, I just used Synaptic to remove libnss3-0d (libcamel1.2-10 will be removed, libnss3-0d will be removed).
This eliminated all my bug symptoms.
So far as I know, I do not use FIPS. I did not ever and I do not have libnss3-dev installed.
These were my bug symptoms, "alert" messages that were displayed after I invoked Thunderbird and before Thunderbird displayed anything:
Alert
Could not initialize the browser's security component. The most likely cause is problems with files in your browser's profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended hat you exit the browser and fix the problem. If you continue to use this browser session, you might see incorrect browser behavior when accessing security features.
Alert
Thunderbird can't connect securely to pop.gmail.com because the SSL protocol has been disabled.
| Jamie Strandboge (jdstrand) wrote : | #15 |
I have unduped bug #559918 since it is a different bug. SegundoBob, please subscribe to that bug to keep up with its progress.
| Russell McOrmond (russell-flora) wrote : | #16 |
I downloaded libnss3-
Note: I did not have libnss3-0d installed, only 1d.
| Jamie Strandboge (jdstrand) wrote : | #17 |
Russell, the thunderbird bug is bug #559918, please comment there.
| Jamie Strandboge (jdstrand) wrote : | #18 |
FYI-- the build in the ubuntu-
| Jamie Strandboge (jdstrand) wrote : | #19 |
I can confirm the packages in the PPA fix the problem for firefox. Testing was performed like so:
1. start a virtual machine with old nss and firefox
2. enable master password
3. enable NSS Internal FIPS PKCS #11 in Edit/Preference
4. close firefox
5. start firefox -- will be prompted for master password at some point
6. close firefox
7. upgrade nss, firefox-3.5 and xulrunner-1.9.1
8. start firefox -- get "Could not initialize the application's security component...." message
9. install nss from PPA
10. start firefox -- no error; will be prompted for master password at some point
| Launchpad Janitor (janitor) wrote : | #20 |
This bug was fixed in the package nss - 3.12.6-
---------------
nss (3.12.6-
* Generate missing checksum for libnssdbm3.so to make FIPS mode
work again (LP: #559881)
- see USN-927-2
- update debian/rules
-- Chris Coulson <email address hidden> Sat, 10 Apr 2010 19:14:52 +0100
| Changed in nss (Ubuntu Karmic): | |
| status: | Fix Committed → Fix Released |
| Martin Olsson (mnemo) wrote : | #21 |
Huge kudos for fixing this so fast. This is the most serious Ubuntu bug I ever ran into on my stable machine. I ran "sudo apt-get remove libnss3-0d" as a workaround and I got my mail back up again now. Scary stuff.
| Lars J. Nielsen (ebidk) wrote : | #22 |
The fix in #20 fixes it for me on karmic, thanks :)
| Launchpad Janitor (janitor) wrote : | #23 |
This bug was fixed in the package firefox - 3.6.3+nobinonly
---------------
firefox (3.6.3+
[ Jamie Strandboge <email address hidden> ]
* AppArmor: add read access to /etc/xul-ext/**, now needed by adblock
[ Chris Coulson <email address hidden> ]
* Create checksums for NSS libraries to make FIPS mode work (LP: #559881)
- update debian/rules
-- Chris Coulson <email address hidden> Tue, 13 Apr 2010 22:20:28 +0100
| Changed in firefox (Ubuntu Lucid): | |
| status: | Triaged → Fix Released |
| Changed in xulrunner-1.9.1 (Ubuntu Jaunty): | |
| status: | Triaged → Fix Committed |
| Changed in firefox (Ubuntu): | |
| assignee: | Chris Coulson (chrisccoulson) → Kristi Rice (kristifarrarrice) |
| Micah Gersten (micahg) wrote : | #24 |
Please don't change assignees unless you are working on an issue.
| Changed in firefox (Ubuntu): | |
| assignee: | Kristi Rice (kristifarrarrice) → Chris Coulson (chrisccoulson) |
| milestone: | ubuntu-10.04 → none |
| Jamie Strandboge (jdstrand) wrote : | #25 |
Jaunty is EOL.
| Changed in xulrunner-1.9.1 (Ubuntu Jaunty): | |
| status: | Fix Committed → Won't Fix |
I had the same problem with thunderbird (and the solution fixed the problem). This problem did not cause difficulties with firefox for me. See the duplicate bug #559918.