Bug 512664 - x11-base/xorg-server should conditionally depend on dev-libs/openssl
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo X packagers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 561906
Reported: 2014-06-07 16:33 UTC by Marek Behún
Modified: 2017-01-26 06:46 UTC

See Also:
Package list:
Runtime testing required: ---


Description Marek Behún 2014-06-07 16:33:04 UTC
Hello, with recent openssl vulnerabilities I have been looking a bit for all packages that actually depend on openssl and I have found that xorg-server has a dependency on openssl just for the SHA1 algorithm. The configure script help prints:
  --with-sha1=
   libc|libmd|libnettle|libgcrypt|libcrypto|libsha1|CommonCrypto|CryptoAPI
   choose SHA1 implementation

It would be nice if I could choose from these with USE flags, instead of a hard dependency on openssl.


Reproducible: Always
Comment 1 Rémi Cardona (RETIRED) gentoo-dev 2014-06-08 10:42:06 UTC
The server's use of OpenSSL is strictly limited to this one file http://cgit.freedesktop.org/xorg/xserver/tree/os/xsha1.c#n223 In fact, nowhere else is the #include to be found. As bad as the SSL/TLS handling parts of OpenSSL may be, I've yet to hear horror stories about OpenSSL's libcrypto (which is where the SHA1 implementation is).

Given the recent vulnerabilities in _all_ crypto libraries, I don't trust any of the offered choices more than I trust OpenSSL. So my initial reaction would be not to change anything.

@security, you guys are probably better read than us mere mortals on the subject, what say you?
Comment 2 Marek Behún 2014-06-08 13:16:17 UTC
I still would like to have the ability to choose. Still, in the main package x_sha1_* are only used in HashGlyph http://cgit.freedesktop.org/xorg/xserver/tree/render/glyph.c#n164 and HashGlyph is only used in http://cgit.freedesktop.org/xorg/xserver/tree/render/render.c#n1084

It seems glyphs are stored in something like a hashmap, using sha1 as the hash. Using an external crypto library for a hashmap is insane. I will try to ask xserver developers if it could not be done another way.

Still, there is the possibility to use libnettle or libgcrypt.
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2014-06-10 08:12:03 UTC
There was a recent discussion about ssl related USE_EXPAND on the -dev mailing list.

http://thread.gmane.org/gmane.linux.gentoo.devel/91280

I think it could be expanded to general crypto providers instead of just SSL, and then the xorg-server ebuild could be ported to that.
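To make the proposal in this comment concrete, the following is an added illustration (not the bug's text and not the real x11-base/xorg-server ebuild) of how an ebuild could expose xorg-server's `--with-sha1=` configure option through USE flags instead of a hard dependency on dev-libs/openssl. The `sha1_*` flag names, the "exactly one provider" rule (what an ebuild would express as `REQUIRED_USE="^^ ( ... )"`) and the slot suffixes on the atoms are assumptions; the configure values come from the `--with-sha1=` help quoted in the description, and dev-libs/nettle, dev-libs/libgcrypt, dev-libs/openssl and dev-libs/libressl are existing Gentoo packages.

```shell
#!/bin/sh
# Added example for bug 512664: model USE-flag selection of the SHA1
# provider that xorg-server's configure script accepts via --with-sha1=.
# Assumptions: the sha1_* flag names and the one-provider rule are made up
# for this illustration; the package atoms are real Gentoo packages but the
# slot operators (":=", ":0=") are assumed, not taken from any ebuild.

# Map one USE flag to "<configure value>|<package atom>". The libc provider
# needs no extra package, so its atom part is empty.
sha1_provider() {
    case "$1" in
        sha1_libc)     echo "libc|" ;;
        sha1_nettle)   echo "libnettle|dev-libs/nettle:=" ;;
        sha1_gcrypt)   echo "libgcrypt|dev-libs/libgcrypt:=" ;;
        sha1_openssl)  echo "libcrypto|dev-libs/openssl:0=" ;;
        sha1_libressl) echo "libcrypto|dev-libs/libressl:0=" ;;
        *) return 1 ;;
    esac
}

# Given the enabled provider flags (space separated), print two lines:
#   1. the DEPEND atom to pull in (empty line for libc)
#   2. the econf argument to pass
# Exactly one provider must be enabled, mirroring REQUIRED_USE="^^ ( ... )".
# Exit status: 0 on success, 1 if zero or several providers are enabled,
# 2 if an unknown flag is given.
resolve_sha1() {
    count=0
    result=""
    for flag in $1; do
        spec=$(sha1_provider "$flag") || return 2
        count=$((count + 1))
        result=$spec
    done
    [ "$count" -eq 1 ] || return 1
    atom=${result#*|}      # everything after the separator
    value=${result%%|*}    # everything before the separator
    printf '%s\n--with-sha1=%s\n' "$atom" "$value"
}

# Usage: a user who sets USE="sha1_nettle" gets a nettle dependency and the
# matching configure switch; openssl is never pulled in.
resolve_sha1 "sha1_nettle"
```

The point of the one-provider rule is that the dependency and the configure switch are derived from the same selection, so the package can never link against a library that the dependency string did not declare (or declare one it does not use).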
Comment 4 Sergey Popov gentoo-dev 2014-06-11 10:22:49 UTC
<security team member hat>
There is nothing to do for security@. Xorg-server itself is not vulnerable to any stuff here. It's up to the maintainer to decide how to implement deps on crypto providers.
But if they can do it, and this does not bloat user configurations, I strongly suggest doing this.
</security team member hat>
Comment 5 Matt Turner gentoo-dev 2015-03-04 06:49:19 UTC
I'd maybe be receptive to patches (against xorg-server-9999.ebuild) that allow selection of the sha1 implementation, but I'm not interested in doing it myself.
Comment 6 Chí-Thanh Christopher Nguyễn gentoo-dev 2015-09-30 14:20:46 UTC
Reopening as we consider adding libressl support in bug 561906, then we might as well go the whole way.
Comment 7 Matt Turner gentoo-dev 2017-01-26 06:46:55 UTC
openssl and libressl are both options now.