Re: Call for advice and testing of nss (and nspr) and intention to upload correction

To: Ola Lundqvist <ola@inguza.com>
Cc: Debian LTS <debian-lts@lists.debian.org>, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>, Mike Hommey <glandium@debian.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Call for advice and testing of nss (and nspr) and intention to upload correction
From: Guido Günther <agx@sigxcpu.org>
Date: Thu, 20 Oct 2016 23:48:28 +0200
Message-id: <[🔎] 20161020214828.xqwqwl2nsjxqfcy5@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>, Mike Hommey <glandium@debian.org>, Florian Weimer <fw@deneb.enyo.de>
In-reply-to: <[🔎] CABY6=0kMG63yg90zkQoBObbzEuessRjJGHEFEKr8nY3u0_DbFQ@mail.gmail.com>
References: <[🔎] CABY6=0kMG63yg90zkQoBObbzEuessRjJGHEFEKr8nY3u0_DbFQ@mail.gmail.com>

Hi Ola,
On Thu, Oct 20, 2016 at 11:15:29PM +0200, Ola Lundqvist wrote:
> Hi LTS team, Mozilla maintainers, Mike and Florian
> 
> I have been working on the security problem reported in nss (and nspr).
> https://security-tracker.debian.org/tracker/TEMP-0000000-583651
> It is about unprotected environment variables.
> 
> I did a check on what Florian Weimer had done for jessie-security and
> the solution there was simply to package the new upstream release. So
> I decided to do that approach as well. The advantage with this is that
> we will not only have this problem solved, but also a few more.
> 
> TEMP-0000000-583651 (nspr and nss)
> CVE-2014-3566
> CVE-2014-1490
> CVE-2013-1740
> 
> The disadvantage is that we are not playing safe. However it looks
> backwards compatible, but you never know.
> 
> So all in all I have produced the following:
> 
> nspr:
> http://apt.inguza.net/wheezy-security/nspr
> This is essentially a mimic of the jessie-security package changes.
> 
> nss:
> http://apt.inguza.net/wheezy-security/nss
> This is essentially a re-build of the jessie-security package with
> changes file kept and only updated with one new entry.
> 
> Call for advice:
> 1) Do you have an opinion about the fact that I backport new upstream release?

See my discussion with the release team abot this:

      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824872

> 2) Will we have a build problem as nss depends on the latest nspr? I
> guess I shall upload nspr first.

See my runs of the abi compliance checker in the above URL.

> 3) Shall I create one DLA covering both packages or shall I just
> produce one DLA covering both nspr and nss?

The rule is one DLA per package AFAIK.

>  I think one DLA is the best as both are needed to solve the problem
> reported. But maybe that is against some practice. If you think I
> shall write two, then please advice me what to write in the DLA for
> nspr.
> 
> Call for testing:
> 4) As this package can have a rather big impact on lot of other
> packages it would be good if all of you install the new version (nss
> is the important one) to see if it works for you.

See

   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806207
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809723

that enable the internal test suites and add some autopkgtests. This
should help to gain some confidence.
Cheers,
 -- Guido
 
> 
> I did not produce a debdiff as that diff was way too large to be useful.
> 
> I have installed it myself but I have not been able to verify that the
> tools using it is really working. Most are GUI tools and I do not have
> a GUI environment to test wheezy in. The libnss3-tools package seems
> to work fine to the limit I was able to check.
> 
> I have not tried to reproduce the problem as the report was too vague
> to give any good advice on what environment variable that could
> actually cause a problem.
> 
> If I do not hear any objections in four days I will upload anyway.
> 
> Thanks in advance
> 
> // Ola
> 
> -- 
>  --- Inguza Technology AB --- MSc in Information Technology ----
> |  ola@inguza.com                  Folkebogatan 26
> |  opal@debian.org                  654 68 KARLSTAD
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551
> |  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
>

Reply to:

Follow-Ups:
- Re: Call for advice and testing of nss (and nspr) and intention to upload correction
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Call for advice and testing of nss (and nspr) and intention to upload correction
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)
Next by Date: Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)
Previous by thread: Call for advice and testing of nss (and nspr) and intention to upload correction
Next by thread: Re: Call for advice and testing of nss (and nspr) and intention to upload correction
Index(es):
- Date
- Thread