group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #36332
[Bug 1837734] Re: libnss3 reads fips_enabled flag and automatically switches to FIPS mode
I'm setting this to Won't Fix as it seems unnecessary based off a later
comment about Firefox. Additionally, the the version of nss with the fix
for this bug was superseded by a security upload.
** Changed in: nss (Ubuntu Bionic)
Status: Fix Committed => Won't Fix
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1837734
Title:
libnss3 reads fips_enabled flag and automatically switches to FIPS
mode
Status in nss package in Ubuntu:
Fix Released
Status in nss source package in Xenial:
Won't Fix
Status in nss source package in Bionic:
Won't Fix
Status in nss source package in Disco:
Won't Fix
Status in nss source package in Eoan:
Fix Released
Bug description:
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled
flag. The users of the library however can force nss into FIPS mode
via an environment variable. We plan to leave it as is so as not to
regress existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
Version: 2:3.45-1ubuntu1
lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04
Version: 2:3.42-1ubuntu2
lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04
Version: 2:3.35-2ubuntu2.3
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Version: 2:3.28.4-0ubuntu0.16.04
[FIX]
This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode.
Users who do want to run the library in FIPS mode can do so by using
the environment variable "NSS_FIPS". We propose to leave it as is so
as not to regress anyone using this. The user who is using this option
should be doing so with the awareness.
[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser.
Without the patch fix, firefox crashes.
Tested on a xenial and bionic desktop ISO running non-FIPS generic
kernel. With the patch fix, firefox worked as expected and no changes
were observed.
[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+subscriptions