
Bug 928901

Summary: www-client/firefox crashes with dev-libs/nss-3.90.x
Product: Gentoo Linux
Reporter: Sébastien P. <sebastien.picavet>
Component: Current packages
Assignee: Mozilla Gentoo Team <mozilla>
Severity: normal
CC: sebastien.picavet
Priority: Normal
Keywords: PATCH, UPSTREAM
Version: unspecified
Hardware: All
OS: Linux
See Also:
Package list:
Runtime testing required: ---
Attachments: Commit that solve the issue in nss-3.91 and works in nss-3.90.2 too

Description Sébastien P. 2024-04-07 19:23:46 UTC
Continuation of &
I created a new bug since is a security bug not linked to the initial issue: crash of Firefox.

After bisecting nss' hg, I found the first commit that solved the issue:
changeset:   16579:653f4c1b5842
user:        Natalia Kulatova <>
date:        Fri Jun 23 11:23:52 2023 +0000
summary:     Bug 1836925 - Removing the support of Curve25519 r=bbeurdouche,nss-reviewers

To summarise:
* nss-3.90 is broken with various CPUs (like i5 2310 / i7-4720HQ / AMD 64 X2 Windsor)
* issue is known and already solved on 3.91 ( / Sam James who upstreamed it
* patch was applied to nss-3.91 but not 3.90 ESR

I created a new bug to ask the backport on 3.90:

Meanwhile, I have tested nss-3.90.2 with the attached patch. It seems to work on my Gentoo. It could be used in the future depending on upstream's answer/release of a new 3.90.x with security bugs like

Reproducible: Always
Comment 1 Sébastien P. 2024-04-07 19:25:45 UTC
Please assign this bug to juippis
Comment 2 Sébastien P. 2024-04-07 19:27:48 UTC
Created attachment 889768 [details, diff]
Commit that solve the issue in nss-3.91 and works in nss-3.90.2 too
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-07 20:24:54 UTC
Isn't this a dupe of bug 928401?

*** This bug has been marked as a duplicate of bug 928401 ***
Comment 4 Sébastien P. 2024-04-07 20:55:52 UTC
Yes, you are right. I did not see it since it was never quoted in 925027/forum.
We talked a lot about that issue on 925027. Sadly 928401/925027 were not linked and I did not check keyword dev-libs/nss.

I would argue that I added a lot of information (upstream/patch), but let's copy that.
Comment 5 Joonas Niilola gentoo-dev 2024-04-08 04:28:31 UTC

I'm not sure how to advance from here though. Would be great to get 3.90.3 rolling as stable, but it might cause a lot of confusion for people downgrading from 3.99 to 3.90.3. Then again I don't want to stabilize nss "rapid" releases monthly either.

Maybe, just maybe, now'd be a great time to push 3.90.2-r1 instead with the fix and stabilize that.

What a mess in any case.
Comment 6 Sébastien P. 2024-04-08 05:30:43 UTC

Yes, it is a mess. And I added to it a bit because I did not see before creating this one^^. We may probably continue on 928401 to avoid more mess.

I do not know what is best. Downgrade is mandatory since it is better to stabilise ESR.
Wait for 3.90.3 (could be fixed by upstream or with this patch)? => in that case, just keep in mind this bug/928401 and close it before.
Do it right now on 3.90.2-r1? => in that case, better to avoid this bug/928401 in the future but we (you) may remove this patch in 3.90.3 ebuild.

In case of a new CVE like CVE-2023-5388, it may be better to stabilise the version with the patch first (3.90.2-r1) so it should be easier to upgrade to 3.90.3+patch.
As you want, if you create a stablereq, please put me in the CC list so I can check with my CPU.