Thunderbird fails to connect to server in FIPS mode

Bug #1878155 reported by Dariusz Gadomski on 2020-05-12
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
thunderbird (Ubuntu)
Status tracked in Groovy
Xenial
High
Olivier Tilloy
Bionic
High
Olivier Tilloy
Eoan
Medium
Olivier Tilloy
Focal
Medium
Olivier Tilloy
Groovy
Medium
Olivier Tilloy

Bug Description

[Impact]

 * Thunderbird may become useless after booting into FIPS mode - it refuses to connect to server displaying the following message:

Unexpected response from the server

This document cannot be displayed unless you install the Personal Security Manager (PSM). Download and install PSM and try again, or contact your system administrator.

This seems to be a result of the fact that despite Thunderbird for Ubuntu being with FIPS support disabled there's a piece of code that ignores the build flag and checks for `/proc/sys/crypto/fips_enabled` status anyway.

Looks like upstream fix [1] needs to be applied to Thunderbird source under security/nss.

[Test Case]

 * Configure an email account in Thunderbird. I was able to reproduce it with a gmail account.
 * Install FIPS modules as described in [2].
 * Boot into FIPS mode.
 * Open Thunderbird.

[Regression Potential]

 * I can't identify regression potential - this is clearly a bug fixed upstream by a simple fix.

[Other Info]

 * Related Firefox bug: https://bugs.launchpad.net/bugs/1843044
 * I was able to backport this fix and test it - the problem was gone. Xenial build is available in ppa:dgadomski/thunderbird.

[1] https://hg.mozilla.org/projects/nss/raw-rev/55ba54adfcaea2f984a999a511eec5047462eb57
[2] https://docs.ubuntu.com/security-certs/en/fips

Dariusz Gadomski (dgadomski) wrote :

It is already included upstream starting from release 75.0b1.

Dariusz Gadomski (dgadomski) wrote :

importance for Xenial and Bionic marked as high as this prevents Thunderbird from being used in FIPS mode on those releases.

Changed in thunderbird (Ubuntu Groovy):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in thunderbird (Ubuntu Focal):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in thunderbird (Ubuntu Eoan):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in thunderbird (Ubuntu Bionic):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in thunderbird (Ubuntu Xenial):
assignee: nobody → Dariusz Gadomski (dgadomski)
importance: Undecided → Medium
Changed in thunderbird (Ubuntu Bionic):
importance: Undecided → Medium
Changed in thunderbird (Ubuntu Eoan):
importance: Undecided → Medium
Changed in thunderbird (Ubuntu Focal):
importance: Undecided → Medium
Changed in thunderbird (Ubuntu Groovy):
importance: Undecided → Medium
Changed in thunderbird (Ubuntu Xenial):
importance: Medium → High
Changed in thunderbird (Ubuntu Bionic):
importance: Medium → High
tags: added: sts
Dariusz Gadomski (dgadomski) wrote :

Groovy fix.

Olivier Tilloy (osomon) wrote :

For thunderbird we are tracking ESR releases in Ubuntu, so the fix will become available as part of the 78 series.

@Dariusz: I see that you assigned the bug to yourself. I'll handle it if you don't mind, given that I prepare all thunderbird updates and they have to go through validation by the security team anyway.

Dariusz Gadomski (dgadomski) wrote :

Sure, thanks Olivier. Can you give me an estimate on when this can be fixed for Xenial and Bionic? For users using FIPS mode currently Thunderbird is currently unusable.

Changed in thunderbird (Ubuntu Xenial):
assignee: Dariusz Gadomski (dgadomski) → nobody
Changed in thunderbird (Ubuntu Bionic):
assignee: Dariusz Gadomski (dgadomski) → nobody
Changed in thunderbird (Ubuntu Eoan):
assignee: Dariusz Gadomski (dgadomski) → nobody
Changed in thunderbird (Ubuntu Groovy):
assignee: Dariusz Gadomski (dgadomski) → nobody
Changed in thunderbird (Ubuntu Focal):
assignee: Dariusz Gadomski (dgadomski) → nobody
Olivier Tilloy (osomon) on 2020-05-12
Changed in thunderbird (Ubuntu Xenial):
assignee: nobody → Olivier Tilloy (osomon)
Changed in thunderbird (Ubuntu Bionic):
assignee: nobody → Olivier Tilloy (osomon)
Changed in thunderbird (Ubuntu Focal):
assignee: nobody → Olivier Tilloy (osomon)
Changed in thunderbird (Ubuntu Groovy):
assignee: nobody → Olivier Tilloy (osomon)
Changed in thunderbird (Ubuntu Eoan):
assignee: nobody → Olivier Tilloy (osomon)
tags: added: patch
Olivier Tilloy (osomon) on 2020-05-13
Changed in thunderbird (Ubuntu Groovy):
status: New → In Progress
Olivier Tilloy (osomon) wrote :
Changed in thunderbird (Ubuntu Groovy):
status: In Progress → Fix Committed
Olivier Tilloy (osomon) on 2020-05-13
Changed in thunderbird (Ubuntu Focal):
status: New → Fix Committed
Changed in thunderbird (Ubuntu Eoan):
status: New → Fix Committed
Changed in thunderbird (Ubuntu Bionic):
status: New → Fix Committed
Changed in thunderbird (Ubuntu Xenial):
status: New → Fix Committed
Dariusz Gadomski (dgadomski) wrote :

With latest builds from ppa:ubuntu-mozilla-security/ppa:

Xenial - 1:68.8.0+build2-0ubuntu0.16.04.2
Bionic - 1:68.8.0+build2-0ubuntu0.18.04.2

this issue is gone.

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 1:68.8.0+build2-0ubuntu2

---------------
thunderbird (1:68.8.0+build2-0ubuntu2) groovy; urgency=medium

  [ Dariusz Gadomski ]
  * Disable reading /proc/sys/crypto/fips_enabled if FIPS is not enabled on
    build (LP: #1878155)

 -- Olivier Tilloy <email address hidden> Wed, 13 May 2020 14:10:56 +0200

Changed in thunderbird (Ubuntu Groovy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 1:68.8.0+build2-0ubuntu0.20.04.2

---------------
thunderbird (1:68.8.0+build2-0ubuntu0.20.04.2) focal; urgency=medium

  [ Dariusz Gadomski ]
  * Disable reading /proc/sys/crypto/fips_enabled if FIPS is not enabled on
    build (LP: #1878155)

 -- Olivier Tilloy <email address hidden> Wed, 13 May 2020 15:17:37 +0200

Changed in thunderbird (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 1:68.8.0+build2-0ubuntu0.19.10.2

---------------
thunderbird (1:68.8.0+build2-0ubuntu0.19.10.2) eoan; urgency=medium

  [ Dariusz Gadomski ]
  * Disable reading /proc/sys/crypto/fips_enabled if FIPS is not enabled on
    build (LP: #1878155)

 -- Olivier Tilloy <email address hidden> Wed, 13 May 2020 15:10:20 +0200

Changed in thunderbird (Ubuntu Eoan):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 1:68.8.0+build2-0ubuntu0.16.04.2

---------------
thunderbird (1:68.8.0+build2-0ubuntu0.16.04.2) xenial; urgency=medium

  [ Dariusz Gadomski ]
  * Disable reading /proc/sys/crypto/fips_enabled if FIPS is not enabled on
    build (LP: #1878155)

 -- Olivier Tilloy <email address hidden> Wed, 13 May 2020 14:52:11 +0200

Changed in thunderbird (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 1:68.8.0+build2-0ubuntu0.18.04.2

---------------
thunderbird (1:68.8.0+build2-0ubuntu0.18.04.2) bionic; urgency=medium

  [ Dariusz Gadomski ]
  * Disable reading /proc/sys/crypto/fips_enabled if FIPS is not enabled on
    build (LP: #1878155)

 -- Olivier Tilloy <email address hidden> Wed, 13 May 2020 15:05:10 +0200

Changed in thunderbird (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers