RFC: Buggy NSS dbm code ought to be updated



3 years ago
2 years ago


(Reporter: ISHIKAWA, Chiaki, Unassigned)


(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)




3 years ago
(This blocks bug 1170564: [META] Failure to deal with short read )

For details of short read, and how to fix, please read the bug

Here in this bugzilla entry, it is pointed out that NSS DBM
code (Berkeley db 1.85) ought to be updated to a new one.

This code is used by both C-C TB and FF since it is under M-C
tree.  This code cannot cope with short read, and cause
errors. It should be updated with later versions with more
robustness and nice features such as shared DB access.  (It is
way too old: I think it is from the first half of 1990's).

This was initially posted in a newsgroup posting by me [2].

I found that if short read operation occurs against one of the
following files under my MOZOBJ directory during
|make mozmill| test, TB causes errors reported in the test log.


And I found these files are managed by NSS dbm code and the
code inspection reveals that it is not safe from short read at

In response to the posting, Philip Chee responded in the
newsgroup posting [3],
(line break positions have been changed somewhat.)

--- begin quote ---

According to Google, current versions of NSS can use SQLite
for its backend. Butt the file names are different:

key3.db -> key4.db
cert8.db -> cert9.db
secmod.db -> pkcs11.txt


Advantage is that Firefox/Thunderbird/SeaMonkey can all share
the same files

> However, now that Sleepycat has been bought by Oracle, I am
> not sure what is the good option left.

I think v5 of Berkeley DB is still under the Sleepycat
--- end quote ---

From my own testing, I can confirm SQLite seems to be solid in
handling short read/write among many advantages it has. My
emulation of short read/write was done against SQLite
databases during tests, and I have not seen problems caused by
them if I am not mistaken. SQLite library handles the
necessary additional reads automagically. The casual code
browsing I did many months ago also support this informally.

> Advantage is that Firefox/Thunderbird/SeaMonkey can all
> share the same files

Frankly, I have no background to comment on this. But maybe if
one needs to add local certificates due to organizational
issues, there will be one less additional database to take
care of.

Re version v5 vs. v6.

Oracle web page today has a link to v6 code.


If I am not mistaken, v6 even claims to have SQL interface
based on SQLite (!).  I don't know if it is done via talking
to a separate engine or even incorporate the SQLite source
code inside.

Anyway, it looks replacing the current code with the new NSS
code/backend seems a BIG WIN in the long run.

What do people think?

In the meantime, the bug caused by the short read is for real
and acute.


[1] Bug 1170564 - [META] Failure to deal with short read

[2] The second posting "DBM code too old (Re: mozmill test:
    Hightail ???)", in the newsgroup thread:
[3] The third posting in the above newsgroup thread.

PS: I have created a small patch for DBM code before not knowing the extent of the problem, but I think now it should be ditched and replaced with a new version.


3 years ago
Blocks: 1170564


3 years ago
Blocks: 1170606


3 years ago
Blocks: 1170646


3 years ago
Blocks: 1170668


3 years ago
No longer blocks: 1170668


3 years ago
No longer blocks: 1170606


3 years ago
No longer blocks: 1170646


3 years ago

Comment 1

3 years ago
Is there not already a bug about doing sqlite?
I had a brief look around but didn't find one that's open.


2 years ago
Assignee: nobody → nobody
Component: Security → Libraries
Product: Core → NSS
Version: unspecified → trunk
You need to log in before you can comment on or make changes to this bug.