Bug 931505 - net-misc/dropbear: DSS algorithm is always enabled regardless of the savedconfig
Summary: net-misc/dropbear: DSS algorithm is always enabled regardless of the savedconfig
Status: UNCONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: B4 [upstream/ebuild]
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-07 18:12 UTC by fariouche
Modified: 2024-05-08 05:23 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Description fariouche 2024-05-07 18:12:28 UTC
When we compile dropbear (with or without a savedconfig) with DROPBEAR_DSS set to 0, the DSS algorithm is still enabled.

The main reason is upstream (as far as I understood, it is enforced in sysoptions.h to make fuzzing happy).
However, the init.d/dropbear script relies on the output of "dropbearkey -h" to detect the available algorithms and generates a key for each of them.

A solution is to avoid relying on the dropbearkey output and have a variable in conf.d/dropbear to list the algorithms... or, better, just let the admin generate the keys he wants to support without letting the script decide.

Upstream don't want to fix that, as their proposed solution is to just not create a DSS key file.

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-07 18:14:34 UTC
(In reply to fariouche from comment #0)
> [...]
> upstream don't want to fix that as their proposed solution is to just no
> create a dss key file.

Do you have a source/reference for this, just for completeness?
Comment 2 Viorel Munteanu gentoo-dev 2024-05-07 18:32:15 UTC
There is also a related PR (https://github.com/gentoo/gentoo/pull/36489); maybe instead of adding ed25519 we could move all of them into conf.d and disable DSS by default.
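As an added sketch of the conf.d-driven approach proposed in the description and in comment 2 (example code, not the Gentoo ebuild's init script nor upstream dropbear code): the key types come from a hypothetical DROPBEAR_KEYTYPES variable rather than from the "dropbearkey -h" listing, so a type dropbearkey still advertises (dss) is generated only when the admin lists it, and a typo in the variable fails loudly instead of silently dropping a key.

```shell
# Added example (not the Gentoo ebuild's init script nor upstream code).
# DROPBEAR_KEYTYPES and DROPBEAR_KEYDIR are hypothetical conf.d/dropbear
# variables assumed for this example; DROPBEARKEY names the command to run.
: "${DROPBEAR_KEYDIR:=/etc/dropbear}"
: "${DROPBEAR_KEYTYPES:=rsa ecdsa ed25519}"   # dss deliberately absent
: "${DROPBEARKEY:=dropbearkey}"               # overridable for testing

# Map a key type to its host key path; unknown types are rejected.
keyfile_for() {
    case "$1" in
        rsa|dss|ecdsa|ed25519) echo "$DROPBEAR_KEYDIR/dropbear_$1_host_key" ;;
        *) return 1 ;;
    esac
}

# Print the key files still missing for the configured types, one per
# line. An unknown type is reported on stderr and makes the function fail,
# so a typo in conf.d does not silently leave a key type out.
missing_keys() {
    rc=0
    for t in $DROPBEAR_KEYTYPES; do
        if f=$(keyfile_for "$t"); then
            [ -f "$f" ] || echo "$f"
        else
            echo "dropbear: unknown key type '$t' in DROPBEAR_KEYTYPES" >&2
            rc=1
        fi
    done
    return $rc
}

# Generate every missing key; umask 077 keeps private keys at mode 0600.
gen_keys() {
    umask 077
    mkdir -p "$DROPBEAR_KEYDIR" || return 1
    keys=$(missing_keys) || return 1
    for f in $keys; do
        t=${f##*/dropbear_}; t=${t%_host_key}
        "$DROPBEARKEY" -t "$t" -f "$f" >/dev/null || return 1
    done
}
```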