Bug 928901

Summary:	www-client/firefox crashes with dev-libs/nss-3.90.x
Product:	Gentoo Linux	Reporter:	Sébastien P. <sebastien.picavet>
Component:	Current packages	Assignee:	Mozilla Gentoo Team <mozilla>
Status:	RESOLVED DUPLICATE
Severity:	normal	CC:	sebastien.picavet
Priority:	Normal	Keywords:	PATCH, UPSTREAM
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.mozilla.org/show_bug.cgi?id=1890199
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=925027 https://bugs.gentoo.org/show_bug.cgi?id=907932 https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	Commit that solve the issue in nss-3.91 and works in nss-3.90.2 too

Description Sébastien P. 2024-04-07 19:23:46 UTC

Continuation of https://bugs.gentoo.org/925027#c7 & https://forums.gentoo.org/viewtopic-t-1168203.html
I created a new bug since https://bugs.gentoo.org/925027 is a security bug not linked to the initial issue: crash of Firefox.

After bisected the nss' hg, I found the first commit that solved the issue:
changeset:   16579:653f4c1b5842
user:        Natalia Kulatova <nkulatova@mozilla.com>
date:        Fri Jun 23 11:23:52 2023 +0000
summary:     Bug 1836925 - Removing the support of Curve25519 r=bbeurdouche,nss-reviewers


To summarise:
* nss-3.90 is broken with various CPUs (like i5 2310 / i7-4720HQ / AMD 64 X2 Windsor)
* issue is known and already solved on 3.91 (https://bugs.gentoo.org/907932 / Sam James who upstreamed it https://bugzilla.mozilla.org/show_bug.cgi?id=1836925)
* patch was applied to nss-3.91 but not 3.90 ESR

I created a new bug to ask the backport on 3.90: https://bugzilla.mozilla.org/show_bug.cgi?id=1890199

Meanwhile, I have tested nss-3.90.2 with the attached patch. It seems to work on my Gentoo. It could be used in the future depending of upstream answer/release of new 3.90.x with security bugs like https://bugs.gentoo.org/925027.

Reproducible: Always

Comment 1 Sébastien P. 2024-04-07 19:25:45 UTC

Please assign this bug to juippis

Comment 2 Sébastien P. 2024-04-07 19:27:48 UTC

Created attachment 889768 [details, diff]
Commit that solve the issue in nss-3.91 and works in nss-3.90.2 too

Comment 3 Sam James archtester

2024-04-07 20:24:54 UTC

Isn't this a dupe of bug 928401?

*** This bug has been marked as a duplicate of bug 928401 ***

Comment 4 Sébastien P. 2024-04-07 20:55:52 UTC

Yes, you are right. I did not see it since it was never quote in 925027/forum.
We talked a lot about that issue on 925027. Sadly 928401/925027 were not linked and I did not check keyword dev-libs/nss.

I would argue that I added a lot of information (upstream/patch), but let's copy that.

Comment 5 Joonas Niilola gentoo-dev

2024-04-08 04:28:31 UTC

Thanks!

I'm not sure how to advance from here though. Would be great to get 3.90.3 rolling as stable, but it might cause a lot of confusion for people downgrading from 3.99 to 3.90.3. Then again I don't want to stabilize nss "rapid" releases monthly either.

Maybe, just maybe, now'd be a great time to push 3.90.2-r1 instead with the fix and stabilize that.

What a mess in any case.

Comment 6 Sébastien P. 2024-04-08 05:30:43 UTC

Hi,

Yes, it is a mess. And I add it a bit because I did not see https://bugs.gentoo.org/show_bug.cgi?id=928401 before creating this one^^. We may probably continue on 928401 to avoid more mess.

I do not know what is the best. Downgrade is mandatory since it is better to stabilise ESR.
Wait 3.90.3 (could be fixed by upstream or with this patch)? => in that case, just to keep in mind this bug/928401 and close it before.
Do it right now on 3.90.2-r1? => in that case, better to avoid this bug/928401 in the future but we (you) may remove this patch in 3.90.3 ebuild.

In case of a new CVE like CVE-2023-5388, it may be better better to stabilise version with the patch first (3.90.2-r1) so it should be easier to upgrade to 3.90.3+patch.
As you want, if you create a stablereq, please put me in the CC list so I can check with my CPU.