Hello Dariusz, or anyone else affected,

Accepted nss into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/nss/2:3.49.1-1ubuntu1.3 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-focal to verification-done-focal. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-focal. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: nss (Ubuntu Focal)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-focal

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1885562

Title:
  [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

Status in nss package in Ubuntu:
  Fix Released
Status in nss source package in Bionic:
  Fix Committed
Status in nss source package in Focal:
  Fix Committed
Status in nss source package in Groovy:
  Fix Released

Bug description:
  [Impact]

   * Prevents using some parts of nss in FIPS mode - e.g.
  libfreeblpriv3.so (failed asserts). The library during initialization
  tries to verify its own binaries against signatures in chk files
  shipped along with it (created at build time). They are installed at
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss while it tries to look for them at
  /usr/lib/$(DEB_HOST_MULTIARCH).

  [Test Case]

   * Setup Ubuntu 18.04 in FIPS mode.
   * sudo apt install chrony
   * sudo chronyd -d
   * chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.

  [Regression Potential]

   * Fix introduces 2 new artifacts to the filesystem (symlinks to the
  chk files). It may cause alerts in e.g. CI systems.

  [Other Info]
  Original bug description:

  In FIPS mode there are some additional checks performed.

  They lead to verifying binaries signatures. Those signatures are
  shipped in the libnss3 package as *.chk files installed in
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
  libraries themselves (libfreebl3.so  libfreeblpriv3.so  libnssckbi.so
  libnssdbm3.so  libsoftokn3.so).

  Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so

  The client binaries are linked against the symlinks, so when the verification
  happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the
  symlink to the shlib and replaces the .so extension with .chk.
  Then it tries to open that file. Obviously it fails, because the actual file
  is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.

  [Test case]
  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.

  Potential solutions:
  Solution A:
  Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures
  and libs in /usr/lib/$(DEB_HOST_MULTIARCH).

  Solution B:
  Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like it is
  done for *.so).

  Solution C:
  Implement and upstream NSS feature of resolving symlinks and looking for
  *.chk where the symlinks lead to.
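The check-file lookup the report describes, as an added illustration that is not code from NSS or the Ubuntu package: the naive ".so" to ".chk" rewrite of mkCheckFileName beside a variant that resolves the symlink first (the Solution C idea), run against a constructed temporary directory that mirrors the Ubuntu layout. The function names, the temporary directory and the empty stand-in library and .chk files are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Derive the .chk name from a library path the way the report describes
 * mkCheckFileName (lib/freebl/shvfy.c): replace a trailing ".so" with
 * ".chk".  With resolve != 0 the path is canonicalised with realpath(3)
 * first, so a symlinked library looks beside the real file (Solution C). */
int mk_check_file_name(const char *shlib, int resolve, char *out, size_t outlen)
{
    char real[PATH_MAX];
    const char *base = shlib;
    if (resolve && !(base = realpath(shlib, real))) return -1;
    size_t n = strlen(base);
    const char *dot = strrchr(base, '.');
    if (dot && strcmp(dot, ".so") == 0) n = (size_t)(dot - base);
    if (snprintf(out, outlen, "%.*s.chk", (int)n, base) >= (int)outlen) return -1;
    return 0;
}

/* Constructed layout mirroring the report: <tmp>/nss/libfreeblpriv3.so and
 * <tmp>/nss/libfreeblpriv3.chk, plus the symlink <tmp>/libfreeblpriv3.so ->
 * nss/libfreeblpriv3.so.  Returns the symlink path (static) or NULL. */
const char *make_fixture(void)
{
    static char link_path[PATH_MAX];
    char tmpl[] = "/tmp/nsschkXXXXXX", path[PATH_MAX];
    if (!mkdtemp(tmpl)) return NULL;
    snprintf(path, sizeof path, "%s/nss", tmpl);
    if (mkdir(path, 0700) != 0) return NULL;
    for (int i = 0; i < 2; i++) {             /* empty stand-ins for the real files */
        snprintf(path, sizeof path, "%s/nss/libfreeblpriv3.%s", tmpl, i ? "chk" : "so");
        FILE *f = fopen(path, "w");
        if (!f || fclose(f) != 0) return NULL;
    }
    snprintf(link_path, sizeof link_path, "%s/libfreeblpriv3.so", tmpl);
    return symlink("nss/libfreeblpriv3.so", link_path) == 0 ? link_path : NULL;
}

/* 1 if the .chk derived from shlib exists and is readable, else 0. */
int chk_file_found(const char *shlib, int resolve)
{
    char chk[PATH_MAX];
    return shlib && mk_check_file_name(shlib, resolve, chk, sizeof chk) == 0 && access(chk, R_OK) == 0;
}
```

Run against the fixture, the naive lookup fails (it opens <tmp>/libfreeblpriv3.chk, which does not exist) while the resolving variant finds <tmp>/nss/libfreeblpriv3.chk.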
