Bug 732664 - net-misc/dropbear: bundles libtomcrypt
Summary: net-misc/dropbear: bundles libtomcrypt
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security Audit Team
URL:
Whiteboard:
Keywords:
Depends on: 723844 761226
Blocks: bundled-libs
Reported: 2020-07-14 22:12 UTC by Sam James
Modified: 2021-01-17 17:28 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 22:12:10 UTC
Dropbear currently bundles libtomcrypt. It uses the system libtommath if it finds it.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 22:12:34 UTC
This has caused security vulnerabilities in Dropbear in the past.
Comment 2 Matt Whitlock 2020-08-16 17:28:45 UTC
(In reply to Sam James from comment #0)
> It uses the system libtommath if it finds it.

I don't believe this is true.

# emerge -pqv net-misc/dropbear dev-libs/libtommath
[ebuild   R   ] dev-libs/libtommath-1.2.0  USE="-doc -examples -static-libs"
[ebuild  N    ] net-misc/dropbear-2020.80-r1  USE="shadow syslog -bsdpty -minimal -multicall -pam -savedconfig -static -zlib"

net-misc/dropbear configure output includes these lines:

checking for mp_to_ubin in -ltommath... yes
checking for poly1305_init in -ltomcrypt... no
...
configure: 
configure: Using bundled libtomcrypt and libtommath
configure: 

You can force dropbear not to use the bundled libraries by passing '--disable-bundled-libtom' to configure. (I *HIGHLY* recommend that this flag be added to the ebuild.) Then configure fails with:

configure: error: Missing/old system libtomcrypt and --disable-bundled-libtom was specified

Inspecting Dropbear's configure.ac reveals that Dropbear either uses the system versions of libtommath and libtomcrypt or the bundled versions of both but does not mix a system version of libtommath with the bundled version of libtomcrypt.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 02:30:53 UTC
(In reply to Matt Whitlock from comment #2)
> (In reply to Sam James from comment #0)
> > It uses the system libtommath if it finds it.
> 
> I don't believe this is true.


I checked after you said and agreed. Thank you!

We now have libtomcrypt in tree, so we should see about debundling this.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 02:41:04 UTC
(In reply to Sam James from comment #3)
> (In reply to Matt Whitlock from comment #2)
> > (In reply to Sam James from comment #0)
> > > It uses the system libtommath if it finds it.
> > 
> > I don't believe this is true.
> 
> 
> I checked after you said and agreed. Thank you!
> 
> We now have libtomcrypt in tree, so we should see about debundling this.

Oh, I get my confusion now. LIBTOM_LIBS is actually set correctly at first, but it is overridden later anyway. So yes, it's one-or-the-other.
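One way to verify on an installed system which of the two cases described in comments 2 and 4 actually applies (system libtomcrypt and libtommath together, or both bundled) is to inspect the binary's NEEDED entries. The script below is an added example, not from the bug report or the dropbear ebuild; it assumes readelf is available and that the binary lives at /usr/sbin/dropbear.

```shell
#!/bin/sh
# Added example: classify a dropbear binary's libtom linkage from `readelf -d`
# output. Dropbear links both libtomcrypt and libtommath from the system or
# bundles both, so a "mixed" result is unexpected and worth investigating.

# classify_libtom: read `readelf -d` output on stdin and print one of
#   system  - NEEDED entries for both libtomcrypt and libtommath
#   bundled - neither library is NEEDED (static bundled copies linked in)
#   mixed   - only one of the two is NEEDED
classify_libtom() {
    crypt=0
    math=0
    while IFS= read -r line; do
        case "$line" in
            *NEEDED*libtomcrypt.so*) crypt=1 ;;
            *NEEDED*libtommath.so*) math=1 ;;
        esac
    done
    if [ "$crypt" -eq 1 ] && [ "$math" -eq 1 ]; then
        echo system
    elif [ "$crypt" -eq 0 ] && [ "$math" -eq 0 ]; then
        echo bundled
    else
        echo mixed
    fi
}

# check_dropbear: run readelf on the installed binary (path is an assumption).
check_dropbear() {
    readelf -d "${1:-/usr/sbin/dropbear}" | classify_libtom
}

# Constructed sample outputs in the shape `readelf -d` prints (not captured
# from a real dropbear build).
SAMPLE_SYSTEM='Dynamic section at offset 0x1d8 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libtomcrypt.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libtommath.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

SAMPLE_BUNDLED='Dynamic section at offset 0x1d8 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcrypt.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SYSTEM" | classify_libtom   # system
    printf '%s\n' "$SAMPLE_BUNDLED" | classify_libtom  # bundled
fi
```

Run it as `sh check.sh --demo` for the constructed samples, or call `check_dropbear /path/to/dropbear` against a real binary.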
Comment 5 Larry the Git Cow gentoo-dev 2021-01-17 17:28:57 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4290b8f0eebff36d727099e734e927ac84c9957

commit b4290b8f0eebff36d727099e734e927ac84c9957
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-17 17:28:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-17 17:28:53 +0000

    net-misc/dropbear: unbundle libtom{crypt,math}
    
    Finally unbundle dev-libs/libtom{crypt,math}.
    
    Closes: https://bugs.gentoo.org/732664
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/dropbear/dropbear-2020.81-r1.ebuild | 111 +++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)