Launchpad has imported 2 comments from the remote bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1582169.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2019-09-18T15:42:54+00:00 Vineetha Kamath wrote: Created attachment 9093608 firefox_nss_disable_fips_enabled_flag.patch User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 Steps to reproduce: On a FIPS enabled system, i.e. a system running a FIPS enabled kernel, /proc/sys/crypto/fips_enabled is set to 1. The libraries that are FIPS certified reads this flag to decide if they have to operate in FIPS mode. Firefox's nss bundled code by default reads this flag. Firefox is not one of FIPS certified libraries and should not be reading this flag. A bug has been filed against Ubuntu firefox package here - https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1843044 Actual results: On a FIPS enabled system. firefox crashes while starting up. An strace showed that it was repeatedly reading the flag before the crash. Expected results: Firefox and its associated nss bundled code are not FIPS certified and hence should not be reading the /proc/sys/crypto/fips_enabled flag. I propose to disable reading that flag. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1843044/comments/8 ------------------------------------------------------------------------ On 2019-09-18T15:44:48+00:00 Vineetha Kamath wrote: After applying the patch, no crash was observed on a FIPS enabled system. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1843044/comments/9 ** Changed in: firefox Status: Unknown => New ** Changed in: firefox Importance: Unknown => Medium -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1843044 Title: firefox crashes on a FIPS enabled machine Status in Mozilla Firefox: New Status in firefox package in Ubuntu: New Bug description: [IMPACT] firefox is not a FIPS certified library. firefox uses bundled nss and on a machine running FIPS enabled kernel, nss by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since firefox with bundled nss is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from the bundled nss before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts firefox versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 [FIX] This fix proposes to disable bundled nss in firefox reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. firefox is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness. [TEST] Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. Without the patch fix, firefox crashes. Tested on a xenial and bionic desktop ISO running non-FIPS generic kernel. With the patch fix, firefox worked as expected and no changes were observed. [REGRESSION POTENTIAL] The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled and it is not available in the standard Ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/1843044/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
