Public bug reported:

[IMPACT]
firefox is not a FIPS certified library. firefox uses bundled nss and on a 
machine running FIPS enabled kernel, nss by default goes into FIPS mode if 
/proc/sys/crypto/fips_enabled=1. This is an untested configuration and since 
libnss3 is not a certified library we propose disabling reading the 
'fips_enabled' flag and therefore switching the library automatically into FIPS 
mode. A FIPS customer reported firefox crash on a FIPS enabled system and 
strace showed it was repeatedly trying to read the fips_enabled flag from the 
bundled nss before crashing.

The proposed patch disables reading the /proc/sys/crypto/fips_enabled
flag. The users of the library however can force nss into FIPS mode via
an environment variable. We plan to leave it as is so as not to regress
existing users who may be using it.

The issue impacts firefox versions in eoan, disco, bionic and xenial.

lsb_release -rd
Description:    Ubuntu Eoan Ermine (development branch)
Release: 19.10

Version: 2:3.45-1ubuntu1

lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04

Version: 2:3.42-1ubuntu2

lsb_release -rd
Description:    Ubuntu Bionic Beaver
Release:        18.04

Version: 2:3.35-2ubuntu2.3

lsb_release -rd
Description:    Ubuntu 16.04.3 LTS
Release:        16.04

Version: 2:3.28.4-0ubuntu0.16.04

[FIX]
This fix proposes to disable bundled nss in firefox reading 
proc/sys/crypto/fips_enabled. We only want fips certified modules reading this 
file and running in fips mode. firefox nss is not one of our fips certified 
modules, so should not be reading this along with our fips certified modules to 
determine whether to run in fips mode.

Users who do want to run the library in FIPS mode can do so by using the
environment variable "NSS_FIPS". We propose to leave it as is so as not
to regress anyone using this. The user who is using this option should
be doing so with the awareness.

[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in 
FIPS mode. With the patch fix no crashes were observed when launching firefox 
browser.
Without the patch fix, firefox crashes.

Tested on a xenial and bionic desktop ISO running non-FIPS generic
kernel. With the patch fix, firefox worked as expected and no changes
were observed.

[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/crypto/fips_enabled and it is not available in the standard 
Ubuntu archive. For users forcing FIPS through environment variable, nothing 
has changed.

** Affects: firefox (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1843044

Title:
  firefox crash on a FIPS enabled machine

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1843044/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to