This is really just bug 907932 coming back from the dead (should I have reopened that instead of creating a new bug?). The problem is that dev-libs/nss-3.91 was removed from the tree in commit 5b1a888864fa17c7be604b8b4a2f28f68d134c5f, causing 3.90.2 to become the latest stable, in which that bug still exists. Reproducible: Always Steps to Reproduce: 1. Install the latest stable dev-libs/nss, 3.90.2. 2. Install net-im/pidgin or www-client/firefox. 3. Run the resulting binary+library on a non-ADX-capable CPU.
Note that I think the downgrade was intentional in that we didn't know if 3.90.x was LTS/ESR for ages but it turns out now it will be, I think. But of course the fact this didn't get backported upstream is not intentional.
Yes, subsequent to filing this I found that discussion about which version would be LTS. I can also confirm that 3.99 is working OK for me, so I can use that for the time being (which both doesn’t crash, and shouldn’t have the RSA timing attack that originally caused 3.91 to be removed). Still, that’s not stable so the bug does exist.
*** Bug 928901 has been marked as a duplicate of this bug. ***
Copy from https://bugs.gentoo.org/928901 Continuation of https://bugs.gentoo.org/925027#c7 & https://forums.gentoo.org/viewtopic-t-1168203.html I created a new bug since https://bugs.gentoo.org/925027 is a security bug not linked to the initial issue: crash of Firefox. After bisected the nss' hg, I found the first commit that solved the issue: changeset: 16579:653f4c1b5842 user: Natalia Kulatova <nkulatova@mozilla.com> date: Fri Jun 23 11:23:52 2023 +0000 summary: Bug 1836925 - Removing the support of Curve25519 r=bbeurdouche,nss-reviewers To summarise: * nss-3.90 is broken with various CPUs (like i5 2310 / i7-4720HQ / AMD 64 X2 Windsor) * issue is known and already solved on 3.91 (https://bugs.gentoo.org/907932 / Sam James who upstreamed it https://bugzilla.mozilla.org/show_bug.cgi?id=1836925) * patch was applied to nss-3.91 but not 3.90 ESR I created a new bug to ask the backport on 3.90: https://bugzilla.mozilla.org/show_bug.cgi?id=1890199 Meanwhile, I have tested nss-3.90.2 with the attached patch. It seems to work on my Gentoo. It could be used in the future depending of upstream answer/release of new 3.90.x with security bugs like https://bugs.gentoo.org/925027.
Created attachment 889782 [details, diff] Commit of 3.91 that needs to be backport or include in Gentoo as a patch
Created attachment 890727 [details] nss-3.90.2-r1.ebuild With the above patch rename “nss-3.90-firefox-thunderbird-crash-fix.patch” this ebuild is working fine for Firefox ESR. (I have just added “+ "${FILESDIR}"/nss-3.90-firefox-thunderbird-crash-fix.patch” in PATCHES.) I am agree with comment of Joonas (https://bugs.gentoo.org/928901#c5), it would be a great time to push 3.90.2-r1 with the fix now if Mozilla Gentoo Team prefers nss ESR :). I pushed that version in my local portage and masked nss-3.99 to use it.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53f7db69d823842e9ab24aae0107928ae794fb33 commit 53f7db69d823842e9ab24aae0107928ae794fb33 Author: Joonas Niilola <juippis@gentoo.org> AuthorDate: 2024-04-15 06:40:00 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2024-04-15 06:40:53 +0000 dev-libs/nss: revbump 3.90.2 ESR with a patch from upstream Bug: https://bugs.gentoo.org/928401 Bug: https://bugs.gentoo.org/928403 Signed-off-by: Joonas Niilola <juippis@gentoo.org> .../nss-3.90-remove-support-of-curve25519.patch | 78 ++++ dev-libs/nss/nss-3.90.2-r1.ebuild | 420 +++++++++++++++++++++ 2 files changed, 498 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=915e17c7b92995d2cc16b0f67a251b7b2c63fc3b commit 915e17c7b92995d2cc16b0f67a251b7b2c63fc3b Author: Joonas Niilola <juippis@gentoo.org> AuthorDate: 2024-05-28 18:43:07 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2024-05-28 18:45:12 +0000 dev-libs/nss: destabilize 3.99 - 3.90 is the real ESR line that we generally keep stabilized, but 3.90 used to be so broken before 3.90.2-r1 that we had to jump to >3.90 for a bit. NSS should be ABI-combatible even with this downgrade, and we're back at designated NSS-ESR usage. Bug: https://bugs.gentoo.org/928401 Bug: https://bugs.gentoo.org/928403 Bug: https://bugs.gentoo.org/925211 Signed-off-by: Joonas Niilola <juippis@gentoo.org> dev-libs/nss/nss-3.99.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)