Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 512664

Summary: x11-base/xorg-server should conditionally depend on dev-libs/openssl
Product: Gentoo Linux Reporter: Marek Behún <kabel>
Component: Current packagesAssignee: Gentoo X packagers <x11>
Status: RESOLVED FIXED    
Severity: normal CC: alexander
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=539266
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 561906    

Description Marek Behún 2014-06-07 16:33:04 UTC 
Hello, with recent openssl vulnerabilities I have been looking a bit for all packages that actually depend on openssl and I have found that xorg-server has a dependency on openssl just for the SHA1 algorithm. The configure script help prints:
  --with-sha1=
   libc|libmd|libnettle|libgcrypt|libcrypto|libsha1|CommonCrypto|CryptoAPI
   choose SHA1 implementation

It would be nice if I could choose from these with USE flags, istead of hard dependency on openssl.


Reproducible: Always
Comment 1 Rémi Cardona (RETIRED) gentoo-dev 2014-06-08 10:42:06 UTC 
The server's use of OpenSSL is strictly limited to this one file http://cgit.freedesktop.org/xorg/xserver/tree/os/xsha1.c#n223 In fact, nowhere else is the #include to be found. As bad as the SSL/TLS handling parts of OpenSSL may be, I've yet to hear horror stories about OpenSSL's libcrypto (which is where the SHA1 implementation is).

Given the recent vulnerabilities in _all_ crypto libraries, I don't trust any of the offered choices more than I trust OpenSSL. So my initial reaction would be not to change anything.

@security, you guys are probably better read than us mere mortals on the subject, what say you?
Comment 2 Marek Behún 2014-06-08 13:16:17 UTC 
I still would like to have the ability to choose. Still, in the main package x_sha1_* are only used in HashGlyph http://cgit.freedesktop.org/xorg/xserver/tree/render/glyph.c#n164 and HashGlyph is only used in http://cgit.freedesktop.org/xorg/xserver/tree/render/render.c#n1084

It seems glyphs are stored in something like a hashmap, using sha1 as the hash. Using external crypto library for a hashmap is insane. I will try to ask xserver developers if it could not be done other way.

Still, there is the possibility to use libnettle or libgcrypt.
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2014-06-10 08:12:03 UTC 
There was a recent discussion about ssl related USE_EXPAND on the -dev mailing list.

http://thread.gmane.org/gmane.linux.gentoo.devel/91280

I think it could be expanded to general crypto providers instead of just SSL, and then the xorg-server ebuild could be ported to that.
Comment 4 Sergey Popov (RETIRED) gentoo-dev 2014-06-11 10:22:49 UTC 
<security team member hat>
There is nothing to do for security@. Xorg-server itself does not vulnerable to any stuff here. It's up to maintainer to decide how implement deps on crypto providers.
But if they can do it, and this does not bloat user configurations, i am strongly suggest to do this.
</security team member hat>
Comment 5 Matt Turner gentoo-dev 2015-03-04 06:49:19 UTC 
I'd maybe be receptive to patches (against xorg-server-9999.ebuild) that allow selection of the sha1 implementation, but I'm not interested in doing it myself.
Comment 6 Chí-Thanh Christopher Nguyễn gentoo-dev 2015-09-30 14:20:46 UTC 
Reopening as we consider adding libressl support in bug 561906, then we might as well go the whole way.
Comment 7 Matt Turner gentoo-dev 2017-01-26 06:46:55 UTC 
openssl and libressl are both options now.