Bug 1022053

Summary: mozilla/mozilla-nss: libfreebl3 3.28.1 and libsoftokn3 3.28.1 cause the JVM to crash when using sun.security.ec.ECKeyPairGenerator
Product: [openSUSE] openSUSE Distribution
Reporter: Tom Warnke <tom+opensuse>
Component: Other
Assignee: E-mail List <bnc-team-java>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P2 - High
CC: abergmann, asn, astieger, jdelvare, jsegitz, jweberhofer, mischa.salle, pcerny, robby.engelmann, security-team, wolfgang
Version: Leap 42.2
Target Milestone: Leap 42.2
Hardware: x86-64
OS: openSUSE 42.2
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1415137
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: JVM crash log; Main.java

Description Tom Warnke 2017-01-26 10:56:54 UTC
Created attachment 711741
JVM crash log

After updating libfreebl3 and libsoftokn3 from 3.26.2 to 3.28.1 from the OBS mozilla project, Maven cannot download artifacts anymore. The java process crashes with a SIGSEGV. From the crash log, I assembled a minimal example. The following Java program can be executed with libfreebl3 and libsoftokn3 3.26.2, but crashes the JVM with 3.28.1:

import sun.security.ec.ECKeyPairGenerator;

public class Main {

    public static void main(String[] args) {

        ECKeyPairGenerator keyPairGenerator = new ECKeyPairGenerator();
        keyPairGenerator.generateKeyPair();

    }
}

I also attached the crash log from the minimal example.

If this is not the right place to report this bug, please direct me to a better one. In any case, these two packages should not enter the 42.2 main repositories yet.
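
Added example, not part of the original report or of any package involved: a post-update smoke test that reaches the same EC key generation through the public java.security API (in JDK 8 the "EC" KeyPairGenerator is normally served by the SunEC provider) instead of the internal sun.security.ec class. The class name EcSmokeTest, the curve list and the test message are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public class EcSmokeTest {
    // Standard JCA curve names; the selection is an assumption of this example.
    private static final String[] CURVES = {"secp256r1", "secp384r1", "secp521r1"};

    // Generates a key pair, signs and verifies; returns the provider that served it.
    static String roundTrip(String curve) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec(curve));
        KeyPair kp = kpg.generateKeyPair();   // the call that fails in this report

        byte[] msg = "nss-update-smoke-test".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        if (!verifier.verify(sig)) {
            throw new IllegalStateException("signature did not verify");
        }
        return kpg.getProvider().getName();
    }

    public static void main(String[] args) {
        int failures = 0;
        for (String curve : CURVES) {
            try {
                System.out.println(curve + ": ok (provider " + roundTrip(curve) + ")");
            } catch (Exception e) {
                // ProviderException (as in comment 6) is a RuntimeException and lands here.
                System.out.println(curve + ": FAILED " + e);
                failures++;
            }
        }
        // A native SIGSEGV cannot be caught; the JVM aborts with a non-zero status.
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Run it after any mozilla-nss or OpenJDK package update and treat a non-zero exit status as a failed check.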
Comment 1 Tom Warnke 2017-01-27 15:00:24 UTC
I found the upstream bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1333504

Also related:
https://bugzilla.redhat.com/show_bug.cgi?id=1415137
Comment 2 Wolfgang Rosenauer 2017-01-27 16:03:49 UTC
This will soon hit Leap and Tumbleweed with the progressing update of Firefox which requires NSS 3.28.1. Therefore moving accordingly.

https://bugzilla.redhat.com/show_bug.cgi?id=1415137
This one has a lot of information pointing out that OpenJDK needs a change.
We have the same issue as RH/Fedora downgrading.

So I think that Java maintainers have to look into fixing it there.
Comment 3 Wolfgang Rosenauer 2017-01-27 16:04:41 UTC
Also making security-team aware of the outfall of the NSS upgrade.
Comment 4 Andreas Stieger 2017-01-27 17:27:41 UTC
(In reply to Wolfgang Rosenauer from comment #3)
> Also making security-team aware of the outfall of the NSS upgrade.

Good to know. Should we hold it a bit?
Comment 6 Andreas Stieger 2017-01-29 08:40:24 UTC
Created attachment 711997
Main.java

Confirmed on 42.2

$ javac Main.java
$ java Main
Exception in thread "main" java.security.ProviderException: java.lang.NegativeArraySizeException
        at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:147)
        at Main.main(Main.java:8)
Caused by: java.lang.NegativeArraySizeException
        at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)
        at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:128)
        ... 1 more
Comment 7 Tom Warnke 2017-01-30 18:14:53 UTC
Firefox 51 and the new NSS library versions arrived in Tumbleweed a few days ago. The Java example does not run in an up-to-date Tumbleweed anymore.

So as far as I understand it, this will be resolved with updates for the OpenJDK packages? Java:Factory already has 1.8.0.121 [1] for 42.2 with this in the change log:

> Require the exact version of mozilla-nss that the package was built against (bsc#1022053)

[1] https://build.opensuse.org/package/show?project=Java%3AFactory&package=java-1_8_0-openjdk
Comment 8 Wolfgang Rosenauer 2017-01-31 18:30:28 UTC
*** Bug 1022638 has been marked as a duplicate of this bug. ***
Comment 9 Swamp Workflow Management 2017-01-31 20:12:17 UTC
SUSE-SU-2017:0346-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1020905,1022053
CVE References: CVE-2016-2183,CVE-2016-5546,CVE-2016-5547,CVE-2016-5548,CVE-2016-5549,CVE-2016-5552,CVE-2017-3231,CVE-2017-3241,CVE-2017-3252,CVE-2017-3253,CVE-2017-3260,CVE-2017-3261,CVE-2017-3272,CVE-2017-3289
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    java-1_8_0-openjdk-1.8.0.121-20.1
SUSE Linux Enterprise Server 12-SP2 (src):    java-1_8_0-openjdk-1.8.0.121-20.1
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_8_0-openjdk-1.8.0.121-20.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    java-1_8_0-openjdk-1.8.0.121-20.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    java-1_8_0-openjdk-1.8.0.121-20.1
Comment 10 Jean Delvare 2017-02-01 14:30:57 UTC
*** Bug 1022512 has been marked as a duplicate of this bug. ***
Comment 11 Andreas Stieger 2017-02-02 17:54:13 UTC
*** Bug 1023243 has been marked as a duplicate of this bug. ***
Comment 12 Swamp Workflow Management 2017-02-03 11:07:42 UTC
openSUSE-SU-2017:0374-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1020905,1022053
CVE References: CVE-2016-2183,CVE-2016-5546,CVE-2016-5547,CVE-2016-5548,CVE-2016-5549,CVE-2016-5552,CVE-2017-3231,CVE-2017-3241,CVE-2017-3252,CVE-2017-3253,CVE-2017-3260,CVE-2017-3261,CVE-2017-3272,CVE-2017-3289
Sources used:
openSUSE Leap 42.2 (src):    java-1_8_0-openjdk-1.8.0.121-6.4
openSUSE Leap 42.1 (src):    java-1_8_0-openjdk-1.8.0.121-21.4
Comment 13 Tom Warnke 2017-02-03 17:30:21 UTC
Fixed with the Java update to 1.8.0.121