Continuation of https://bugs.gentoo.org/925027#c7 & https://forums.gentoo.org/viewtopic-t-1168203.html

I created a new bug since https://bugs.gentoo.org/925027 is a security bug not linked to the initial issue: crash of Firefox.

After bisecting nss' hg, I found the first commit that solved the issue:

changeset: 16579:653f4c1b5842
user: Natalia Kulatova <nkulatova@mozilla.com>
date: Fri Jun 23 11:23:52 2023 +0000
summary: Bug 1836925 - Removing the support of Curve25519 r=bbeurdouche,nss-reviewers

To summarise:
* nss-3.90 is broken with various CPUs (like i5 2310 / i7-4720HQ / AMD 64 X2 Windsor)
* issue is known and already solved on 3.91 (https://bugs.gentoo.org/907932 / Sam James who upstreamed it https://bugzilla.mozilla.org/show_bug.cgi?id=1836925)
* patch was applied to nss-3.91 but not 3.90 ESR

I created a new bug to ask for the backport on 3.90: https://bugzilla.mozilla.org/show_bug.cgi?id=1890199

Meanwhile, I have tested nss-3.90.2 with the attached patch. It seems to work on my Gentoo. It could be used in the future depending on upstream answer/release of new 3.90.x with security bugs like https://bugs.gentoo.org/925027.

Reproducible: Always
Please assign this bug to juippis
Created attachment 889768: Commit that solves the issue in nss-3.91 and works in nss-3.90.2 too
Isn't this a dupe of bug 928401?

*** This bug has been marked as a duplicate of bug 928401 ***
Yes, you are right. I did not see it since it was never quoted in 925027/forum. We talked a lot about that issue on 925027. Sadly 928401/925027 were not linked and I did not check the keyword dev-libs/nss. I would argue that I added a lot of information (upstream/patch), but let's copy that.
Thanks! I'm not sure how to advance from here though. Would be great to get 3.90.3 rolling as stable, but it might cause a lot of confusion for people downgrading from 3.99 to 3.90.3. Then again I don't want to stabilize nss "rapid" releases monthly either. Maybe, just maybe, now'd be a great time to push 3.90.2-r1 instead with the fix and stabilize that. What a mess in any case.
Hi,

Yes, it is a mess. And I added to it a bit because I did not see https://bugs.gentoo.org/show_bug.cgi?id=928401 before creating this one^^. We may probably continue on 928401 to avoid more mess.

I do not know what is the best. Downgrade is mandatory since it is better to stabilise ESR.

* Wait for 3.90.3 (could be fixed by upstream or with this patch)? => in that case, just keep in mind this bug/928401 and close it before.
* Do it right now on 3.90.2-r1? => in that case, better to avoid this bug/928401 in the future but we (you) may remove this patch in the 3.90.3 ebuild.

In case of a new CVE like CVE-2023-5388, it may be better to stabilise the version with the patch first (3.90.2-r1) so it should be easier to upgrade to 3.90.3+patch.

As you want, if you create a stablereq, please put me in the CC list so I can check with my CPU.