Bug 928401 - dev-libs/nss-3.90.2 causes Pidgin, Firefox to crash with SIGILL on non-ADX-capable CPUs
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Mozilla Gentoo Team
Duplicates: 928901
Depends on: 928403
Reported: 2024-04-02 03:36 UTC by Christopher Head
Modified: 2024-05-28 18:45 UTC (History)

Commit of 3.91 that needs to be backported or included in Gentoo as a patch (925027.patch, 2.68 KB, patch)
2024-04-07 21:01 UTC, Sébastien P.
nss-3.90.2-r1.ebuild (nss-3.90.2-r1.ebuild, 11.43 KB, text/plain)
2024-04-13 14:19 UTC, Sébastien P.

Description Christopher Head 2024-04-02 03:36:16 UTC
This is really just bug 907932 coming back from the dead (should I have reopened that instead of creating a new bug?). The problem is that dev-libs/nss-3.91 was removed from the tree in commit 5b1a888864fa17c7be604b8b4a2f28f68d134c5f, causing 3.90.2 to become the latest stable, in which that bug still exists.

Reproducible: Always

Steps to Reproduce:
1. Install the latest stable dev-libs/nss, 3.90.2.
2. Install net-im/pidgin or www-client/firefox.
3. Run the resulting binary+library on a non-ADX-capable CPU.
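
A quick way to check whether a host falls under the reproduction steps above, as an added example that is not part of the original report. The function names are hypothetical, the sample cpuinfo text is constructed, and the version table encodes only what this bug thread states (3.90.2 crashes; 3.90.2-r1, 3.91 and 3.99 do not).

```shell
#!/bin/sh
# Added example (not from the bug report): triage helper for this SIGILL.

# Constructed /proc/cpuinfo excerpts; the flag lists are illustrative only.
sample_cpuinfo() {
    case $1 in
        old) printf 'model name\t: constructed pre-ADX CPU\nflags\t\t: fpu sse2 ssse3 sse4_2 avx aes\n' ;;
        new) printf 'model name\t: constructed ADX CPU\nflags\t\t: fpu sse2 avx2 bmi2 adx\n' ;;
    esac
}

# has_cpu_flag FLAG [FILE]: succeeds if FLAG is a whole word on the flags line.
has_cpu_flag() {
    awk -v want="$1" '
        /^flags[ \t]*:/ {
            sub(/^[^:]*:/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
            exit
        }
        END { exit !found }
    ' "${2:-/proc/cpuinfo}"
}

# nss_status VERSION: classify only the versions this bug thread names.
nss_status() {
    case $1 in
        3.90.2)              echo affected ;;  # crashes per the report
        3.90.2-r1|3.91|3.99) echo fixed ;;     # patched or reported working
        *)                   echo unknown ;;   # not covered by this thread
    esac
}

# triage VERSION [FILE]: prints exposed | not-exposed | unknown.
triage() {
    if has_cpu_flag adx "${2:-/proc/cpuinfo}"; then
        echo not-exposed        # CPU has ADX, so the instructions are legal
        return 0
    fi
    case $(nss_status "$1") in
        affected) echo exposed ;;
        fixed)    echo not-exposed ;;
        *)        echo unknown ;;
    esac
}
```

On a live system, `triage 3.90.2` with no second argument reads `/proc/cpuinfo` directly.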
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-02 03:39:35 UTC
Note that I think the downgrade was intentional in that we didn't know if 3.90.x was LTS/ESR for ages but it turns out now it will be, I think.

But of course the fact this didn't get backported upstream is not intentional.
Comment 2 Christopher Head 2024-04-02 04:27:46 UTC
Yes, subsequent to filing this I found that discussion about which version would be LTS. I can also confirm that 3.99 is working OK for me, so I can use that for the time being (which both doesn’t crash, and shouldn’t have the RSA timing attack that originally caused 3.91 to be removed). Still, that’s not stable so the bug does exist.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-07 20:24:54 UTC
*** Bug 928901 has been marked as a duplicate of this bug. ***
Comment 4 Sébastien P. 2024-04-07 20:59:45 UTC
Copy from

Continuation of &
I created a new bug since is a security bug not linked to the initial issue: crash of Firefox.

After bisecting the nss' hg, I found the first commit that solved the issue:
changeset:   16579:653f4c1b5842
user:        Natalia Kulatova <>
date:        Fri Jun 23 11:23:52 2023 +0000
summary:     Bug 1836925 - Removing the support of Curve25519 r=bbeurdouche,nss-reviewers

To summarise:
* nss-3.90 is broken with various CPUs (like i5 2310 / i7-4720HQ / AMD 64 X2 Windsor)
* issue is known and already solved on 3.91 ( / Sam James who upstreamed it
* patch was applied to nss-3.91 but not 3.90 ESR

I created a new bug to ask for the backport to 3.90:

Meanwhile, I have tested nss-3.90.2 with the attached patch. It seems to work on my Gentoo. It could be used in the future depending on upstream answer/release of new 3.90.x with security bugs like
Comment 5 Sébastien P. 2024-04-07 21:01:29 UTC
Created attachment 889782
Commit of 3.91 that needs to be backported or included in Gentoo as a patch
Comment 6 Sébastien P. 2024-04-13 14:19:50 UTC
Created attachment 890727

With the above patch renamed “nss-3.90-firefox-thunderbird-crash-fix.patch” this ebuild is working fine for Firefox ESR.

(I have just added “+	"${FILESDIR}"/nss-3.90-firefox-thunderbird-crash-fix.patch” in PATCHES.)

I agree with the comment of Joonas (, it would be a great time to push 3.90.2-r1 with the fix now if Mozilla Gentoo Team prefers nss ESR :).

I pushed that version in my local portage and masked nss-3.99 to use it.
Comment 7 Larry the Git Cow gentoo-dev 2024-04-15 06:40:55 UTC
The bug has been referenced in the following commit(s):

commit 53f7db69d823842e9ab24aae0107928ae794fb33
Author:     Joonas Niilola <>
AuthorDate: 2024-04-15 06:40:00 +0000
Commit:     Joonas Niilola <>
CommitDate: 2024-04-15 06:40:53 +0000

    dev-libs/nss: revbump 3.90.2 ESR with a patch from upstream
    Signed-off-by: Joonas Niilola <>

 .../nss-3.90-remove-support-of-curve25519.patch    |  78 ++++
 dev-libs/nss/nss-3.90.2-r1.ebuild                  | 420 +++++++++++++++++++++
 2 files changed, 498 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2024-05-28 18:45:14 UTC
The bug has been referenced in the following commit(s):

commit 915e17c7b92995d2cc16b0f67a251b7b2c63fc3b
Author:     Joonas Niilola <>
AuthorDate: 2024-05-28 18:43:07 +0000
Commit:     Joonas Niilola <>
CommitDate: 2024-05-28 18:45:12 +0000

    dev-libs/nss: destabilize 3.99
     - 3.90 is the real ESR line that we generally keep stabilized, but 3.90 used
       to be so broken before 3.90.2-r1 that we had to jump to >3.90 for a bit.
       NSS should be ABI-combatible even with this downgrade, and we're back at
       designated NSS-ESR usage.
    Signed-off-by: Joonas Niilola <>

 dev-libs/nss/nss-3.99.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)