Re: [global-libreoffice-ci] UBSAN Linux Build - Build # 2217 - Still Failing!

[Michael Stahl <mst@xxxxxxxxxxxxxxx>]

On 01.12.21 13:24, Stephan Bergmann wrote:
> On 30/11/2021 03:23, ci@xxxxxxxxxxxxxxx wrote:
> > UBSAN Linux Build - Build # 2217 - Still Failing:
> > Identified problems:
> > * cppunit failure: the cppunit test CppunitTest_desktop_lib failed
> >    * Indication 1:
> >      
> > <https://ci.libreoffice.org//job/lo_ubsan/2217/consoleFull#-1103831567d893063f-7f3d-4b7e-b56f-4e0f225817cd> 
>
> ...due to
>
> > warn:xmlsecurity.xmlsec:17850:17850:xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:824: 
> > Can't get the private key from the certificate.
> > warn:xmlsecurity.xmlsec:17850:17850:xmlsecurity/source/xmlsec/errorcallback.cxx:53: 
> > keys.c:1253: xmlSecKeysMngrGetKey() '' 'xmlSecKeysMngrFindKey' 1 ' '
> > warn:xmlsecurity.xmlsec:17850:17850:xmlsecurity/source/xmlsec/errorcallback.cxx:53: 
> > xmldsig.c:793: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL'
> > warn:xmlsecurity.xmlsec:17850:17850:xmlsecurity/source/xmlsec/errorcallback.cxx:53: 
> > xmldsig.c:508: xmlSecDSigCtxProcessSignatureNode() '' 
> > 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' '
> > warn:xmlsecurity.xmlsec:17850:17850:xmlsecurity/source/xmlsec/errorcallback.cxx:53: 
> > xmldsig.c:291: xmlSecDSigCtxSign() '' 
> > 'xmlSecDSigCtxProcessSignatureNode' 1 ' '

^ iirc the above from xmlsec don't matter, it can validate the signature 
regardless, the problem is that later the validation of the certificate 
fails.

> > warn:xmlsecurity.xmlsec:17850:17850:xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:824: 
> > Can't get the private key from the certificate.
> > warn:xmlsecurity.xmlsec:17850:17850:xmlsecurity/source/xmlsec/errorcallback.cxx:53: 
> > digests.c:219: xmlSecNssDigestVerify() 'sha256' '' 12 'invalid data: 
> > actual value 'dataSize'=0, actual value 'dgstSize'=32 and expected 
> > dataSize == dgstSize'
> > warn:xmlsecurity.xmlsec:17850:17850:xmlsecurity/source/xmlsec/errorcallback.cxx:53: 
> > digests.c:219: xmlSecNssDigestVerify() 'sha256' '' 12 'invalid data: 
> > actual value 'dataSize'=0, actual value 'dgstSize'=32 and expected 
> > dataSize == dgstSize'
> > warn:xmlsecurity.xmlsec:17850:17850:xmlsecurity/source/xmlsec/errorcallback.cxx:53: 
> > digests.c:219: xmlSecNssDigestVerify() 'sha256' '' 12 'invalid data: 
> > actual value 'dataSize'=0, actual value 'dgstSize'=32 and expected 
> > dataSize == dgstSize'
> > /home/tdf/lode/jenkins/workspace/lo_ubsan/desktop/qa/desktop_lib/test_desktop_lib.cxx:2614:DesktopLOKTest::testInsertCertificate_DER_ODT 
> >
> > equality assertion failed
> > - Expected: 1
> > - Actual  : 2
>
> I cannot reproduce that with my own local ASan+UBSan build.  Does 
> anybody have an idea what is going wrong here?
>
> Unfortunately, the last preceding build with a (successful)
>
> > [build CUT] desktop_lib
>
> is <https://ci.libreoffice.org/job/lo_ubsan/2212> (the intermediate 
> builds failed for some other reasons before they would have run that 
> test), so we are looking at the range 
> ddc57169ac8d1de00403dbb09fef5221beaa0f3d..e9332dcdc8f2ea268d1b17c73d43a8834cf75365 
> of 162 commits.

i think it's caused by --with-system-nss on the CentOS7 baseline, 
doesn't happen on more recent Fedora, would be great if somebody had 
time to debug why this happens...