Bug 1022053 - mozilla/mozilla-nss: libfreebl3 3.28.1 and libsoftokn3 3.28.1 cause the JVM to crash when using sun.security.ec.ECKeyPairGenerator
Status: RESOLVED FIXED
Duplicates: 1022512 1022638 1023243
Classification: openSUSE
Product: openSUSE Distribution
Component: Other
Version: Leap 42.2
Hardware: x86-64 openSUSE 42.2
Importance: P2 - High, Major
Target Milestone: Leap 42.2
Assigned To: E-mail List
QA Contact: E-mail List
Reported: 2017-01-26 10:56 UTC by Tom Warnke
Modified: 2019-11-04 13:50 UTC

Attachments
JVM crash log (40.32 KB, text/x-log), 2017-01-26 10:56 UTC, Tom Warnke
Main.java (236 bytes, text/x-java), 2017-01-29 08:40 UTC, Andreas Stieger

Description Tom Warnke 2017-01-26 10:56:54 UTC
Created attachment 711741: JVM crash log

After updating libfreebl3 and libsoftokn3 from 3.26.2 to 3.28.1 from the OBS mozilla project, Maven cannot download artifacts anymore. The java process crashes with a SIGSEGV. From the crash log, I assembled a minimal example. The following Java program can be executed with libfreebl3 and libsoftokn3 3.26.2, but crashes the JVM with 3.28.1:

import sun.security.ec.ECKeyPairGenerator;

public class Main {

    public static void main(String[] args) {

        ECKeyPairGenerator keyPairGenerator = new ECKeyPairGenerator();
        keyPairGenerator.generateKeyPair();

    }
}

I also attached the crash log from the minimal example.

If this is not the right place to report this bug, please direct me to a better one. In any case, these two packages should not enter the 42.2 main repositories yet.
Comment 1 Tom Warnke 2017-01-27 15:00:24 UTC
I found the upstream bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1333504

Also related:
https://bugzilla.redhat.com/show_bug.cgi?id=1415137
Comment 2 Wolfgang Rosenauer 2017-01-27 16:03:49 UTC
This will soon hit Leap and Tumbleweed with the progressing update of Firefox which requires NSS 3.28.1. Therefore moving accordingly.

https://bugzilla.redhat.com/show_bug.cgi?id=1415137
This one has a lot of information pointing out that OpenJDK needs a change.
We have the same issue as RH/Fedora downgrading.

So I think that Java maintainers have to look into fixing it there.
Comment 3 Wolfgang Rosenauer 2017-01-27 16:04:41 UTC
Also making security-team aware of the outfall of the NSS upgrade.
Comment 4 Andreas Stieger 2017-01-27 17:27:41 UTC
(In reply to Wolfgang Rosenauer from comment #3)
> Also making security-team aware of the outfall of the NSS upgrade.

Good to know. Should we hold it a bit?
Comment 6 Andreas Stieger 2017-01-29 08:40:24 UTC
Created attachment 711997: Main.java

Confirmed on 42.2

$ javac Main.java
$ java Main
Exception in thread "main" java.security.ProviderException: java.lang.NegativeArraySizeException
        at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:147)
        at Main.main(Main.java:8)
Caused by: java.lang.NegativeArraySizeException
        at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)
        at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:128)
        ... 1 more
Comment 7 Tom Warnke 2017-01-30 18:14:53 UTC
Firefox 51 and the new NSS library versions arrived in Tumbleweed a few days ago. The Java example does not run in an up-to-date Tumbleweed anymore.

So as far as I understand it, this will be resolved with updates for the OpenJDK packages? Java:Factory already has 1.8.0.121 [1] for 42.2 with this in the change log:

> Require the exact version of mozilla-nss that the package was built against (bsc#1022053)

[1] https://build.opensuse.org/package/show?project=Java%3AFactory&package=java-1_8_0-openjdk
Comment 8 Wolfgang Rosenauer 2017-01-31 18:30:28 UTC
*** Bug 1022638 has been marked as a duplicate of this bug. ***
Comment 9 Swamp Workflow Management 2017-01-31 20:12:17 UTC
SUSE-SU-2017:0346-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1020905,1022053
CVE References: CVE-2016-2183,CVE-2016-5546,CVE-2016-5547,CVE-2016-5548,CVE-2016-5549,CVE-2016-5552,CVE-2017-3231,CVE-2017-3241,CVE-2017-3252,CVE-2017-3253,CVE-2017-3260,CVE-2017-3261,CVE-2017-3272,CVE-2017-3289
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    java-1_8_0-openjdk-1.8.0.121-20.1
SUSE Linux Enterprise Server 12-SP2 (src):    java-1_8_0-openjdk-1.8.0.121-20.1
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_8_0-openjdk-1.8.0.121-20.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    java-1_8_0-openjdk-1.8.0.121-20.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    java-1_8_0-openjdk-1.8.0.121-20.1
Comment 10 Jean Delvare 2017-02-01 14:30:57 UTC
*** Bug 1022512 has been marked as a duplicate of this bug. ***
Comment 11 Andreas Stieger 2017-02-02 17:54:13 UTC
*** Bug 1023243 has been marked as a duplicate of this bug. ***
Comment 12 Swamp Workflow Management 2017-02-03 11:07:42 UTC
openSUSE-SU-2017:0374-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1020905,1022053
CVE References: CVE-2016-2183,CVE-2016-5546,CVE-2016-5547,CVE-2016-5548,CVE-2016-5549,CVE-2016-5552,CVE-2017-3231,CVE-2017-3241,CVE-2017-3252,CVE-2017-3253,CVE-2017-3260,CVE-2017-3261,CVE-2017-3272,CVE-2017-3289
Sources used:
openSUSE Leap 42.2 (src):    java-1_8_0-openjdk-1.8.0.121-6.4
openSUSE Leap 42.1 (src):    java-1_8_0-openjdk-1.8.0.121-21.4
Comment 13 Tom Warnke 2017-02-03 17:30:21 UTC
Fixed with the Java update to 1.8.0.121