Closed Bug 1639537 Opened 4 years ago Closed 4 years ago

Evaluate removing OpenSC version 0.20 from Firefox' DLL blocklist

Categories

(External Software Affecting Firefox :: Other, enhancement)

Tracking

(firefox77 fixed, firefox78 fixed)

RESOLVED FIXED

People

(Reporter: vaiklakristjan, Assigned: gsvelto)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36

Steps to reproduce:

  1. Make sure you have OpenSC 0.20 (https://github.com/OpenSC/OpenSC)
  2. Open Firefox version 76.
  3. Do some random browsing

Actual results:

  1. Firefox crashes without any error or message
  2. Repeating steps brings up the same result

Expected results:

Firefox web browsing should work without any crashes.

Background description: The unknown crash is probably coming from commit (https://github.com/mozilla/gecko-dev/commit/4d14cf5024c65ab3b9d3c20fe80531244d0d25ad), where the blacklist is interfering with the smart card reading utility (OpenSC) and crashes the Firefox web browser. Though there are minimal cases (overall 10), the troubleshooting between older and newer versions is limited by the previous commit.

Crash reports:

  1. https://bugzilla.mozilla.org/show_bug.cgi?id=1560486
  2. https://crash-stats.mozilla.org/report/index/4b860515-e5f4-4fef-b440-29bff0200318#tab-details
  3. Attached file/log

I would ask if reverting the blacklist is possible to find the right solution for that OpenSC crash.

Remark: Updating an older Firefox release (74) to a newer version (76) didn't have any effect. Crash results are the same.

Flags: needinfo?(gsvelto)

Moving to the right component and changed the title. The issue here is about the block we introduced in bug 1621804. It was a silent crash caused by an injected DLL which we already had trouble with in the past. My decision at the time was to block the affected version in nightly, inform the upstream project of the crash and let the block ride the trains.

The upstream software is used by a piece of ID software that is widely used for authentication in Estonia. While the problem was fixed in upstream OpenSC the change didn't make it to a stable release yet and thus hasn't shipped with said ID software, but now the block is in the release version of Firefox and it's affecting the ability of a large number of users (possibly in the 100ks) to identify themselves with public services and the like.

Since the number of crashes that were reported is small I was asked if we could lift the DLL block in version 77 to restore the missing functionality. Given that the upstream software should be updated soon and the crash volume was apparently low we should evaluate lifting the block.

Toshihito, how do we proceed in this kind of scenario?

Status: UNCONFIRMED → NEW
Component: Untriaged → Other
Ever confirmed: true
Flags: needinfo?(gsvelto) → needinfo?(tkikuchi)
Product: Firefox → External Software Affecting Firefox
Summary: OpenSC blacklisted in Firefox (vers. 76.0) → Evaluate removing OpenSC version 0.20 from Firefox' DLL blocklist
Version: 76 Branch → unspecified

If it's for OpenSC folks to investigate the issue and they can do it with Nightly, we can add temporary code in Nightly to allow onepin-opensc-pkcs11.dll to be loaded conditionally (behind an environment variable, a registry value, or something), keeping the current blocklist as is.

Do you know of any reports complaining of any authentication device not working because of this block? If there are, I totally agree that we should lift the block.

I'm also wondering whether a pkcs11 module is loaded only when a user does authentication. If yes, blocking the module would not solve the user's problem. And if not, we might be able to improve the design i.e. to attempt to load a module only when needed..? I'm not sure about its feasibility, though.

Flags: needinfo?(tkikuchi)

> Do you know of any reports complaining of any authentication device not working because of this block?

https://bugzilla.mozilla.org/show_bug.cgi?id=1636100#c0

More were reported directly to the vendor.

Thank you for the info. I agree that we have enough data that we should unblock onepin-opensc-pkcs11.dll v0.20.

Assignee: nobody → gsvelto
Status: NEW → ASSIGNED
Pushed by gsvelto@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/93a28d6c556d Unblock OpenSC 0.20 injected DLL r=tkikuchi
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

Comment on attachment 9151074 [details]
Bug 1639537 - Unblock OpenSC 0.20 injected DLL r=tkikuchi

Beta/Release Uplift Approval Request

  • User impact if declined: Estonian ID software doesn't work. See bug 1636100.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This only reverts a one-line change in bug 1621804 that blocked the injection of the most recent stable version of OpenSC
  • String changes made/needed: none
Attachment #9151074 - Flags: approval-mozilla-beta?

Comment on attachment 9151074 [details]
Bug 1639537 - Unblock OpenSC 0.20 injected DLL r=tkikuchi

Approved for landing on beta before we build RC, thanks.

Attachment #9151074 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Blocks: 1636100
See Also: → 1560486