Bug 931505

Summary: net-misc/dropbear: DSS algorithm is always enabled regardless of the savedconfig
Product: Gentoo Security
Reporter: fariouche <fariouche>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: UNCONFIRMED
Severity: normal
CC: ceamac, embedded, njsg
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL:
See Also: https://github.com/mkj/dropbear/issues/288
https://github.com/mkj/dropbear/issues/295
https://github.com/mkj/dropbear/pull/297
https://github.com/gentoo/gentoo/pull/36489
Whiteboard: B4 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description fariouche 2024-05-07 18:12:28 UTC
When we compile dropbear (with or without a savedconfig) with DROPBEAR_DSS set to 0, the DSS algorithm is still enabled.

The main reason is upstream (it is enforced in sysoptions.h to make fuzzing happy, as far as I understood).
However, the init.d/dropbear script relies on the output of "dropbearkey -h" to detect available algorithms and generates a key for each of them.

A solution is to avoid relying on the dropbearkey output and have a variable in conf.d/dropbear to list algorithms... or, better, just let the admin generate the keys he wants to support without letting the script decide.

Upstream doesn't want to fix that, as their proposed solution is to just not create a DSS key file.

Reproducible: Always
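The conf.d-driven approach proposed in the report, as an added example that is not the Gentoo init script or any Dropbear code: the admin lists the host-key types to generate, the script never consults "dropbearkey -h", and DSS is only produced on explicit opt-in. DROPBEAR_KEYTYPES, DROPBEAR_KEYDIR, DROPBEAR_KEYGEN and DROPBEAR_ALLOW_DSS are hypothetical variable names; "dropbearkey -t <type> -f <file>" and the /etc/dropbear/dropbear_<type>_host_key path convention are Dropbear's own.

```shell
#!/bin/sh
# Added example: generate only the host keys listed in conf.d instead of
# every algorithm "dropbearkey -h" reports. Variable names are assumptions.
: "${DROPBEAR_KEYTYPES:=ed25519}"      # hypothetical conf.d setting; no dss by default
: "${DROPBEAR_KEYDIR:=/etc/dropbear}"  # Dropbear's default host-key directory
: "${DROPBEAR_KEYGEN:=dropbearkey}"    # real tool; overridable so tests can stub it
: "${DROPBEAR_ALLOW_DSS:=no}"          # hypothetical explicit opt-in for DSS

# A key type is generated only if it is known, and dss only if opted in.
keytype_allowed() {
    case "$1" in
        rsa|ecdsa|ed25519) return 0 ;;
        dss) [ "$DROPBEAR_ALLOW_DSS" = "yes" ] ;;
        *) return 1 ;;
    esac
}

# Create each requested key that does not exist yet; prints the paths created.
# Returns non-zero if any requested type was skipped or failed to generate.
generate_host_keys() {
    status=0
    for t in $DROPBEAR_KEYTYPES; do
        if ! keytype_allowed "$t"; then
            echo "skipping disabled or unknown key type: $t" >&2
            status=1
            continue
        fi
        f="$DROPBEAR_KEYDIR/dropbear_${t}_host_key"
        [ -f "$f" ] && continue
        "$DROPBEAR_KEYGEN" -t "$t" -f "$f" >/dev/null || { status=1; continue; }
        echo "$f"
    done
    return $status
}
```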
Comment 1 Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2024-05-07 18:14:34 UTC
(In reply to fariouche from comment #0)
> [...]
> Upstream doesn't want to fix that, as their proposed solution is to just not
> create a DSS key file.

Do you have a source/reference for this, just for completeness?
Comment 2 Viorel Munteanu (gentoo-dev) 2024-05-07 18:32:15 UTC
There is also a related PR ( https://github.com/gentoo/gentoo/pull/36489 ); maybe instead of adding ed25519 we could move all of them into conf.d and disable dss by default.