Closed Bug 1506407 Opened 6 years ago Closed 6 years ago

stretch-proposed-upgrade from 52.x to 60.x breaks master password

Categories

(Thunderbird :: Security, defect)

52 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1505038

People

(Reporter: typewriter.typogeek, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

Due to a blocker conflict of Enigmail + gnupg, preventing the important security update from Thunderbird to 60.x, I enabled stretch-proposed-updates and upgraded TB from 1:52.8.0-1~deb9u1 (stable) to 1:60.2.1-2~deb9u1 (proposed-updates) and Enigmail from 1.99.x to 2.0.8-5, along with gnupg and other system updates.


Actual results:

Now it's no longer possible to use the master password and key storage, very much as described here (filing a new bug now, since it's another version):
https://bugzilla.mozilla.org/show_bug.cgi?id=1209803


Expected results:

Master password and stored passwords are still set, and it should be possible to set a new master password - which it isn't.
Component: Untriaged → Security
Summary: strech-proposed-upgrade from 52.x to 60.x breaks master password → stretch-proposed-upgrade from 52.x to 60.x breaks master password
Could you elaborate on exactly what isn't working, and what your setup is?
My setup is Debian stable, with the exception of the mentioned updating to TB 60.x and Enigmail 2.0.8-5 by using 
deb http://ftp.de.debian.org/debian stretch-proposed-updates main contrib non-free

Now, as I start TB, I get immediately prompted for the mail server passwords of all of my accounts.
If I enable password management for storing it, connecting the corresponding server and retrieving the mails will fail.
Entering the mail server passwords without using the password safe works.

Looking into the password safe, all passwords are gone and master password usage is disabled.
Enabling master password and trying to save a new one will result in an error that TB is unable to store the master password.

Have only looked briefly into the cryptography module management, as it should not directly correspond to the master password problem, but found 3 entries for "nss internal pkcs #11 module" and 2 "PSM-internal crypto-service" entries there, all with "path null", if that information is of any use here.

What other information would you need, if I can provide it?
Might have a relation to bug 1505038 which has some suggestions.
I'll have a closer look later, when I've got more time, but seems indeed the same issue to me, as with my bug report for upgrading version 38.x.
Hello again, as already commented in Bug 1505038, the problem could be resolved, following the information I found there.

For the record, the changes between old and new "pkcs11.txt" file:

--- <unbenannt>
+++ <unbenannt>
@@ -1,8 +1,5 @@
-library=libnsssysinit.so
+library=
 name=NSS Internal PKCS #11 Module
-parameters=configdir='sql:/home/USER/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=Flags=moduleDBOnly,internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+parameters=configdir='sql:/USER/buddy/.thunderbird/0000000.default' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''  manufacturerID='Mozilla.org' libraryDescription='PSM-interne Krypto-Dienste' cryptoTokenDescription='Allgemeine Krypto-Dienste' dbTokenDescription='das Software-Sicherheitsmodul' cryptoSlotDescription='PSM-interne Kryptographie-Dienste' dbSlotDescription='PSM private Schlüssel' FIPSSlotDescription='FIPS 140 Krypto-, Schlüssel- und Zertifikat-Dienste' FIPSTokenDescription='das Softw.-Sicherh.modul (FIPS)' minPS=0
+NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical
 
-library=/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
-name=Mozilla Root Certs
-NSS=trustOrder=100
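Review bot: the last three removed lines drop the second module entry (library=/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so, name=Mozilla Root Certs) and the regenerated file has nothing in its place, so confirm in the security devices list that the built-in root certificates are still available after the rename. In the first entry the change that matters is library=libnsssysinit.so with configdir='sql:/home/USER/.pki/nssdb' and Flags=moduleDBOnly giving way to an empty library= and a configdir under .thunderbird; the added configdir reads 'sql:/USER/buddy/.thunderbird/0000000.default', where the placeholder seems to have landed on the wrong path component, so stating which parts were redacted would make the comparison usable for others hitting the same upgrade.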
What did you actually do to resolve it?

In the pkcs11.txt file, do you know what the problem was? Wrong path?
I'm not sure what's the exact cause of it, but basically I just renamed the file, which was generated newly, with the changed content listed above.

There's no such folder "~/.pki" in my profile, so this might have been a problem. But there's no such path like ~/.thunderbird/0000000.default either, so I can only guess.

Also, that there were several more (invalid) entries in the security section for NSS before, now only 2 of them.
Maybe the NSS params listed above were invalid for the new version - I can't tell, sorry.
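
An added example, not part of the bug thread and not Mozilla or Debian code: a small parser for `pkcs11.txt` that reports the two differences visible in the diff above (a `configdir` that is not the profile directory, and a module loaded through `libnsssysinit.so`). It does not establish the cause of the bug; the sample text is constructed from the old file in the diff, and the profile path `/home/USER/.thunderbird/PROFILE.default` is a hypothetical placeholder.

```python
import re
from pathlib import PurePosixPath

# Constructed sample modelled on the old file in the diff; paths are placeholders.
SAMPLE = """\
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/USER/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=
NSS=Flags=moduleDBOnly,internal,critical trustOrder=75 cipherOrder=100

library=/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
name=Mozilla Root Certs
NSS=trustOrder=100
"""

def parse_pkcs11_txt(text):
    """Split pkcs11.txt into module entries (blank-line separated key=value blocks)."""
    modules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")  # split on the first '=' only
            if sep:
                entry[key.strip()] = value.strip()
        if entry:
            modules.append(entry)
    return modules

def configdir_of(entry):
    """Return configdir from the parameters line without its sql:/dbm: prefix, or None."""
    m = re.search(r"configdir='([^']*)'", entry.get("parameters", ""))
    return re.sub(r"^(sql|dbm):", "", m.group(1)) if m else None

def review(text, profile_dir):
    """Return (module name, finding) pairs worth checking after an upgrade."""
    findings = []
    for entry in parse_pkcs11_txt(text):
        name = entry.get("name", "<unnamed>")
        cfg = configdir_of(entry)
        # profile_dir is supplied by the caller (hypothetical path in this example).
        if cfg and PurePosixPath(cfg) != PurePosixPath(profile_dir):
            findings.append((name, f"configdir {cfg} differs from the profile directory"))
        if entry.get("library", "").endswith("libnsssysinit.so"):
            findings.append((name, "loaded through libnsssysinit.so"))
    return findings

if __name__ == "__main__":
    for name, finding in review(SAMPLE, "/home/USER/.thunderbird/PROFILE.default"):
        print(f"{name}: {finding}")
```
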
Undupe if someone disagrees this is a duplicate
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE