All autopkgtests for the newly accepted nss (2:3.49.1-1ubuntu1.3) for focal have finished running. The following regressions have been reported in tests triggered by the package:
libreoffice/1:6.4.4-0ubuntu0.20.04.1 (arm64, armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#nss

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

https://bugs.launchpad.net/bugs/1885562

Title: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

Status in nss package in Ubuntu: Fix Released
Status in nss source package in Bionic: Fix Committed
Status in nss source package in Focal: Fix Committed
Status in nss source package in Groovy: Fix Released

Bug description:

[Impact]

 * Prevents using some parts of nss in FIPS mode - e.g. libfreeblpriv3.so (failed asserts). The library during initialization tries to verify its own binaries against signatures in chk files shipped along with it (created at build time). They are installed at /usr/lib/$(DEB_HOST_MULTIARCH)/nss while it tries to look for them at /usr/lib/$(DEB_HOST_MULTIARCH).

[Test Case]

 * Set up Ubuntu 18.04 in FIPS mode.
 * sudo apt install chrony
 * sudo chronyd -d
 * chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.

[Regression Potential]

 * Fix introduces 2 new artifacts to the filesystem (symlinks to the chk files). It may cause alerts in e.g. CI systems.

[Other Info]

Original bug description:

In FIPS mode there are some additional checks performed. They lead to verifying binaries' signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so libnssdbm3.so libsoftokn3.so).

Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):

  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so

The client binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the symlink to the shlib and replaces the .so extension with .chk. Then it tries to open that file. Obviously it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.

[Test case]

  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.

Potential solutions:

Solution A: Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).

Solution B: Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like it is done for *.so).

Solution C: Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to.
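
The lookup mismatch described in the report, as an added example that is not part of the bug report or of the NSS source: it checks whether each library's .chk file sits beside the path a client loads or only beside the symlink target, before and after Solution B. `chk_name`, `audit` and the temporary directory tree are hypothetical names and constructed sample data; the sample assumes every listed library has a .chk file.

```python
import os
import tempfile

# Library names as listed in the bug description.
NSS_LIBS = ["libfreebl3.so", "libfreeblpriv3.so", "libnssckbi.so",
            "libnssdbm3.so", "libsoftokn3.so"]

def chk_name(lib_path):
    """Hypothetical stand-in for the described lookup: swap .so for .chk
    on the path exactly as given, without resolving symlinks."""
    root, ext = os.path.splitext(lib_path)
    if ext != ".so":
        raise ValueError("not a .so path: " + lib_path)
    return root + ".chk"

def audit(libdir, libs=NSS_LIBS):
    """Classify each library by where its .chk file can be found."""
    results = {}
    for name in libs:
        link = os.path.join(libdir, name)
        if not os.path.exists(link):
            results[name] = "missing-lib"
        elif os.path.isfile(chk_name(link)):
            results[name] = "ok"                  # beside the path the client loads
        elif os.path.isfile(chk_name(os.path.realpath(link))):
            results[name] = "chk-only-at-target"  # the failure in this report
        else:
            results[name] = "no-chk"
    return results

def build_constructed_tree(root, link_chk):
    """Constructed sample layout: files in nss/, symlinks one level up.
    Assumption: every listed library gets a .chk in this sample."""
    os.makedirs(os.path.join(root, "nss"))
    for name in NSS_LIBS:
        chk = name[:-len(".so")] + ".chk"
        for f in (name, chk):
            open(os.path.join(root, "nss", f), "wb").close()
        os.symlink(os.path.join("nss", name), os.path.join(root, name))
        if link_chk:  # Solution B: symlink the .chk files too
            os.symlink(os.path.join("nss", chk), os.path.join(root, chk))
    return root

def demo():
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return (audit(build_constructed_tree(a, link_chk=False)),
                audit(build_constructed_tree(b, link_chk=True)))

if __name__ == "__main__":
    before, after = demo()
    for name in NSS_LIBS:
        print(f"{name}: before={before[name]} after={after[name]}")
```

On an installed system, `audit("/usr/lib/x86_64-linux-gnu")` reports the same classification for the real multiarch directory shown in the `ls -l` output above.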