1683004 - Upgrade Firefox 84 to use NSS 3.59.1

Status: VERIFIED FIXED

(Core :: Security: PSM, enhancement, P1)

Description

[Kevin Jacobs [:kjacobs]]

Tracking NSS 3.59.1 for Firefox 84. Ultimate tag will be NSS_3_59_1_RTM.

[Tracking Requested - why for this release]:

It appears that Bug 1679290 requires uplift to 84. See bug 1682881.

Comment 1

[Kevin Jacobs [:kjacobs]]

[Tracking Requested - why for this release]:

Comment 2

[Kevin Jacobs [:kjacobs]]

Attachment: Bug 1683004 - land NSS NSS_3_59_1_RTM UPGRADE_NSS_RELEASE, r=keeler

2020-12-16 Kevin Jacobs <kjacobs@mozilla.com>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.59.1 final
[8cb6b2f46a75] [NSS_3_59_1_RTM] <NSS_3_59_BRANCH>

2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>

* lib/dev/devslot.c:
Bug 1679290 - Don't hold slot lock when taking session lock
r=bbeurdouche

[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362c
d61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed
a number of race conditions related to NSSSlot member accesses.
Unfortunately the locking order that was imposed by that patch has
been found to cause problems for at least one PKCS11 module,
libnsspem.

This patch drops nested locking in favor of unlocking/re-locking.
While this isn't perfect, the original problem in bug 1663661 was
that `slot->token` could become NULL, which we can easily check
after reacquiring.

[e8f82b2381bc] <NSS_3_59_BRANCH>

2020-11-13 J.C. Jones <jjones@mozilla.com>

* .hgtags:
Added tag NSS_3_59_RTM for changeset c5d760cbe8d0
[69d4b94977f1] <NSS_3_59_BRANCH>

Comment 3

[Kevin Jacobs [:kjacobs]]

Comment on attachment 9193648 [details]
Bug 1683004 - land NSS NSS_3_59_1_RTM UPGRADE_NSS_RELEASE, r=keeler

(below)

Comment 4

[Kevin Jacobs [:kjacobs]]

Comment on attachment 9193648 [details]
Bug 1683004 - land NSS NSS_3_59_1_RTM UPGRADE_NSS_RELEASE, r=keeler

Beta/Release Uplift Approval Request

Beta/Release Uplift Approval Request

• User impact if declined: For users with certain third-party PKCS11 modules, the browser may become unresponsive and fail to load websites over HTTPS. (Bug 1682881)
• Is this code covered by automated tests?: Yes, but using certain third-party PKCS11 modules is what triggers the deadlock. There is no test that reproduces this.
• Has the fix been verified in Nightly?: Yes. The code landed in m-c in https://hg.mozilla.org/mozilla-central/rev/bc61343b5d68. Verified in Beta.
• List of other uplifts needed: None.
• Risk to taking this patch: Low-medium. The bugfix code has not been run in release yet, but it seems to have stopped these crash reports in 85.
• Why is the change risky/not risky? (and alternatives if risky): The fix landed in Nightly 85 and is now in Beta. It has been verified with both Firefox and curl using NSS. It's a relatively simple relaxation of the previous patch, removing the nested locking that caused the deadlock.
• String changes made/needed: None

Comment 5

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9193648 [details]
Bug 1683004 - land NSS NSS_3_59_1_RTM UPGRADE_NSS_RELEASE, r=keeler

Approved for 84.0.1.

Comment 6

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-release/rev/bf27056390b7

Comment 7

[Bogdan Maris, Desktop QA]

Since this is linked to bug 1682881 I left a comment there for the reporter to verify it since my setup and unfortunately my knowledge are not enough to do so, thus removing qe-verify+.

Comment 8

[Bogdan Maris, Desktop QA]

(In reply to Bogdan Maris [:bogdan_maris], Release Desktop QA from comment #7)

Since this is linked to bug 1682881 I left a comment there for the reporter to verify it since my setup and unfortunately my knowledge are not enough to do so, thus removing qe-verify+.

I actually managed to reproduce the crash in bug 1682881 thanks to J.K.Umeboshi, and verified that the crash does not occur for me on Windows 7 and Ubuntu 18.04 but still get Firefox freeze, same as J.K. reported, more details in bug 1682881.