Call for advice and testing of nss (and nspr) and intention to upload correction

Ola Lundqvist ola at inguza.com
Thu Oct 20 21:15:29 UTC 2016


Hi LTS team, Mozilla maintainers, Mike and Florian

I have been working on the security problem reported in nss (and nspr).
https://security-tracker.debian.org/tracker/TEMP-0000000-583651
It is about unprotected environment variables.

I did a check on what Florian Weimer had done for jessie-security and
the solution there was simply to package the new upstream release. So
I decided to do that approach as well. The advantage with this is that
we will not only have this problem solved, but also a few more.

TEMP-0000000-583651 (nspr and nss)
CVE-2014-3566
CVE-2014-1490
CVE-2013-1740

The disadvantage is that we are not playing safe. However, it looks
backwards compatible, but you never know.

So all in all I have produced the following:

nspr:
http://apt.inguza.net/wheezy-security/nspr
This is essentially a mimic of the jessie-security package changes.

nss:
http://apt.inguza.net/wheezy-security/nss
This is essentially a re-build of the jessie-security package with
changes file kept and only updated with one new entry.

Call for advice:
1) Do you have an opinion about the fact that I backport new upstream release?
2) Will we have a build problem as nss depends on the latest nspr? I
guess I shall upload nspr first.
3) Shall I create one DLA per package, or shall I just produce one
DLA covering both nspr and nss?
I think one DLA is best as both are needed to solve the problem
reported. But maybe that is against some practice. If you think I
shall write two, then please advise me what to write in the DLA for
nspr.

Call for testing:
4) As this package can have a rather big impact on a lot of other
packages it would be good if all of you install the new version (nss
is the important one) to see if it works for you.

I did not produce a debdiff as that diff was way too large to be useful.

I have installed it myself but I have not been able to verify that the
tools using it are really working. Most are GUI tools and I do not have
a GUI environment to test wheezy in. The libnss3-tools package seems
to work fine to the limit I was able to check.

I have not tried to reproduce the problem as the report was too vague
to give any good advice on which environment variable could
actually cause a problem.

If I do not hear any objections in four days I will upload anyway.

Thanks in advance

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola at inguza.com                  Folkebogatan 26
|  opal at debian.org                  654 68 KARLSTAD
|  http://inguza.com/                Mobile: +46 (0)70-332 1551
|  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
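For anyone answering the call for testing above, the following is an added smoke test for the rebuilt nss (exercised through certutil from libnss3-tools); it is not part of the original mail and not code from the nss or nspr packages. It assumes certutil is on the PATH, uses a throwaway NSS database under mktemp, and the certificate nickname testca and subject are hypothetical. Return code 0 means every step succeeded, 2 means certutil is not installed and the check was skipped, 1 means one of the NSS operations failed.

```shell
#!/bin/sh
# Added example: smoke test for libnss3-tools after installing the
# rebuilt nss/nspr packages (not from the original mail).
# Steps: create an NSS database, generate an RSA key and self-signed
# certificate, list the certificate and the private key back from the
# database, then clean up.  Each step goes through libnss3/libnspr4,
# so a broken rebuild shows up as a non-zero return code.

nss_smoke_test() {
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found; install libnss3-tools to run this check" >&2
        return 2
    fi
    db=$(mktemp -d) || return 1
    # Empty password file so certutil never prompts interactively.
    : > "$db/pw"
    # Seed file for key generation so certutil does not ask for keyboard noise.
    head -c 1024 /dev/urandom > "$db/noise"

    # 1. Create a fresh database using the sqlite backend ("sql:" prefix).
    certutil -N -d "sql:$db" -f "$db/pw" \
        || { rm -rf "$db"; return 1; }

    # 2. Generate a 2048-bit RSA key and a self-signed CA certificate
    #    (nickname and subject are hypothetical test values).
    certutil -S -d "sql:$db" -f "$db/pw" -z "$db/noise" \
        -n testca -s "CN=nss smoke test CA" -x -t "C,C,C" -v 1 \
        -k rsa -g 2048 \
        || { rm -rf "$db"; return 1; }

    # 3. Read the certificate and the key back; this exercises the
    #    certificate DB and the softoken key DB respectively.
    certutil -L -d "sql:$db" -n testca >/dev/null \
        || { rm -rf "$db"; return 1; }
    certutil -K -d "sql:$db" -f "$db/pw" >/dev/null \
        || { rm -rf "$db"; return 1; }

    rm -rf "$db"
    return 0
}
```

Run it on a machine where the candidate libnss3 and libnss3-tools are installed; a return code of 1 is worth reporting back with the certutil output, while 2 only means the tools package is missing.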
