libnss3-1d 3.12.6-0ubuntu0.9.10.1 breaks ssl/fips support in firefox

I had the same problem with thunderbird (and the solution fixed the problem). This problem did not cause difficulties with firefox for me. See the duplicate bug #559918.

Hi, so sometimes firefox/thunderbirds go crazy when not properly restarted after an upgrade. Can you still reproduce with all upgraded and maybe logging out of X and logging in again?

#2
Does a reboot count? :D

This bug has been around from NSS' version 3.12.5 and i have been tracking it on Gentoo too with no luck.
No workarounds using env variables help.
Anyway I wonder why the 3.12.6 version has been committed as an update without testing it works in the first place...

Uninstalling libnss3-0d worked for me too (I had no libnss3-dev installed).

Ok, it seems we need to generate and ship a checksum for libnssdbm3.so now. I will get that fixed ASAP, sorry for the inconvenience

This is also broken in Firefox in Lucid, as it's using bundled NSS and there aren't any checksums installed for that

I've just uploaded nss 3.12.6-0ubuntu0.9.10.2 to the Mozilla Security Team PPA. It's currently building and will be available in an hour or so. Could people experiencing this regression in karmic please test the package once it becomes available. To add the u-m-s team PPA to your sources.list, you can run:

sudo add-apt-repository ppa:ubuntu-mozilla-security/ppa
sudo apt-get update

...and then update the nss version to 3.12.6-0ubuntu0.9.10.2

Thanks!

@Chris Coulson,
I have not tested your built of nss 3.12.6-0ubuntu0.9.10.2 (#7) because i do not like adding any other repos except the official ubuntu ones on the laptop i had the error on.

But as far as the only real change is in signing the libnssdbm3.so using shlibsign I upgraded back the:
libnss3-1d to 3.12.6-0ubuntu0.9.10.1
xulrunner-1.9.1-gnome-support to 1.9.1.9+nobinonly-0ubuntu0.9.10.1
xulrunner-1.9.1 to 1.9.1.9+nobinonly-0ubuntu0.9.10.1
And signed the library, so the bug is gone now.

For those of you who do not want to add the Mozilla Security Team PPA and would like to wait untill official fix is released do the following:
1. Upgrade back your libnss3-1d, xulrunner-1.9.1-gnome-support, xulrunner-1.9.1 to the versions i mention above.
2. apt-get install libnss3-tools
3. sudo shlibsign -v -i /usr/lib/nss/libnssdbm3.so

And the bug should be gone.

For i386, people can also go to:
https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa/+build/1685696

or for amd64:
https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa/+build/1685694

Those are the official builds (from the ubuntu-mozilla-security ppa). If people affected by this could please test these packages, we will be able to release an official update sooner.

Builds are currently available for i386, amd64, lpia, and armel with powerpc, sparc and ia64 expected to finish soon.

Thanks!

This bug was fixed in the package nss - 3.12.6-0ubuntu3

---------------
nss (3.12.6-0ubuntu3) lucid; urgency=low

  * Generate missing checksum for libnssdbm3.so to make FIPS mode
    work again (LP: #559881)
    - update debian/rules
 -- Chris Coulson <email address hidden> Sat, 10 Apr 2010 21:23:03 +0100

Please note that while Lucid nss is now fixed, only packages using the system nss will work correctly now (eg, thunderbird). Firefox in Lucid uses an embedded nss and needs to be fixed in a new firefox upload.

Karmic users only need the system nss updated for firefox, thunderbird, etc to be fixed.

This bug prevents me from using Thunderbird. This bug does not affect my use of Firefox.

I tried to follow Chris Coulson's instructions for testing the fix. If I succeeded in obtaining the "fix", it does not work for me.

My problems with Chris Coulson's instructions:

My "sudo apt-get update" seemed to work, but it ended with a warning:

Fetched 80.9kB in 2min 0s (671B/s)
Reading package lists... Done
W: GPG error: http://ppa.launchpad.net karmic Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A6DCF7707EBC211F
bob@Back2:~$

I do not know what Coulson meant by "...and then update the nss version to 3.12.6-0ubuntu0.9.10.2"
But after the "sudo apt-get update", Synaptic showed three libnss modules as "upgradable" and the available versions of these
modules were all 3.12.6-0ubuntu0.9.10.2, so I used Synaptic to "upgrade them.

But Thunderbird still did not work. Logging out and back in did not help. Rebooting did not help.

Synaptic shows that my libnss modules are now all at 3.12.6-0ubuntu0.9.10.2.

SegundoBob,

Do you use FIPS with Thunderbird? Does removing libnss3-0d and libnss3-dev help (as mentioned in bug #559918)? What is it that isn't working (eg, POP with SSL, sending mail, etc)?

Jamie,

At your suggestion, I just used Synaptic to remove libnss3-0d (libcamel1.2-10 will be removed, libnss3-0d will be removed).
This eliminated all my bug symptoms.

So far as I know, I do not use FIPS. I did not ever and I do not have libnss3-dev installed.

These were my bug symptoms, "alert" messages that were displayed after I invoked Thunderbird and before Thunderbird displayed anything:

Alert
Could not initialize the browser's security component. The most likely cause is problems with files in your browser's profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended hat you exit the browser and fix the problem. If you continue to use this browser session, you might see incorrect browser behavior when accessing security features.

Alert
Thunderbird can't connect securely to pop.gmail.com because the SSL protocol has been disabled.

I have unduped bug #559918 since it is a different bug. SegundoBob, please subscribe to that bug to keep up with its progress.

I downloaded libnss3-1d_3.12.6-0ubuntu0.9.10.2_i386.deb from https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa/+build/1685696 and now Thunderbird will launch without the security error. I was not having the problem with Firefox, only Thunderbird.

Note: I did not have libnss3-0d installed, only 1d.

Russell, the thunderbird bug is bug #559918, please comment there.

FYI-- the build in the ubuntu-mozilla-security PPA will be the official one. If the packages in that PPA work for people, they will be pocket copied to the Ubuntu archive from there.

I can confirm the packages in the PPA fix the problem for firefox. Testing was performed like so:

1. start a virtual machine with old nss and firefox
2. enable master password
3. enable NSS Internal FIPS PKCS #11 in Edit/Preferences/Advaned/Encryption/Security Devices
4. close firefox
5. start firefox -- will be prompted for master password at some point
6. close firefox
7. upgrade nss, firefox-3.5 and xulrunner-1.9.1
8. start firefox -- get "Could not initialize the application's security component...." message
9. install nss from PPA
10. start firefox -- no error; will be prompted for master password at some point

This bug was fixed in the package nss - 3.12.6-0ubuntu0.9.10.2

---------------
nss (3.12.6-0ubuntu0.9.10.2) karmic-security; urgency=low

  * Generate missing checksum for libnssdbm3.so to make FIPS mode
    work again (LP: #559881)
    - see USN-927-2
    - update debian/rules
 -- Chris Coulson <email address hidden> Sat, 10 Apr 2010 19:14:52 +0100

Huge kudos for fixing this so fast. This is the most serious Ubuntu bug I ever ran into on my stable machine. I ran "sudo apt-get remove libnss3-0d" as a workaround and I got my mail back up again now. Scary stuff.

The fix in #20 fixes it for me on karmic, thanks :)

This bug was fixed in the package firefox - 3.6.3+nobinonly-0ubuntu3

---------------
firefox (3.6.3+nobinonly-0ubuntu3) lucid; urgency=low

  [ Jamie Strandboge <email address hidden> ]
  * AppArmor: add read access to /etc/xul-ext/**, now needed by adblock

  [ Chris Coulson <email address hidden> ]
  * Create checksums for NSS libraries to make FIPS mode work (LP: #559881)
    - update debian/rules
 -- Chris Coulson <email address hidden> Tue, 13 Apr 2010 22:20:28 +0100

Please don't change assignees unless you are working on an issue.

Jaunty is EOL.