Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 328409 - <net-misc/dropbear-2012.55: weakness in embedded version of mp_prime_next_prime() opens a security risk
Summary: <net-misc/dropbear-2012.55: weakness in embedded version of mp_prime_next_pri...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa]
Keywords:
Depends on: CVE-2012-0920
Blocks:
  Show dependency tree
 
Reported: 2010-07-15 15:12 UTC by Mark Karpeles
Modified: 2013-09-27 00:13 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Karpeles 2010-07-15 15:12:17 UTC
dropbear includes a version of libtommath containing an issue with prime number generation.
Generated prime numbers do not get their correct number of Miller-Rabin rounds (only get one instead of requested 8 for rsa or 18 for dss), which increase dramatically the odds of having a composite number passed as a prime.

mp_prime_next_prime() called at:
./dropbear-0.52/gendss.c:83 (t=18)
./dropbear-0.52/genrsa.c:110 (t=8)


Reproducible: Always

Steps to Reproduce:




This bug is related to bug 328383
Comment 1 Mark Karpeles 2010-07-15 15:17:37 UTC
Adding security@gentoo.org as CC (recommanded by bonsaikitten on irc)
Comment 2 Mark Karpeles 2010-07-15 16:36:52 UTC
Got reply from upstream regarding this issue:

Thanks for the notice - I'll try to get a Dropbear fix in
the next few days. I'll have to think about the best way to
test existing keys in the wild.
Comment 3 SpanKY gentoo-dev 2011-02-28 16:29:08 UTC
dropbear-0.53 is in the tree now
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-28 16:46:09 UTC
Thank you. Could you take a more detailed look at the upstream's ChangeLog?

- Attempt to build against system libtomcrypt/libtommath if available. This
  can be disabled with ./configure --enable-bundled-libtom

I didn't see any mention of that in the new ebuild, so either we have an automagic dependency, or we're missing an important opportunity to disable this bundled library.

The problem seems to be that libtommath has no maintainer and the version in tree is vulnerable (bug #328383). What's your advice then?
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-13 10:05:55 UTC
Okay, so dropbear-0.53.1 is in tree, but it doesn't DEPEND on libtommath, so it is likely to use the vulnerable bundled version.

Maintainers, please resolve this issue or at least comment on it.
Comment 6 Jeroen Roovers gentoo-dev 2012-02-25 18:08:22 UTC
dropbear appears to bundle and use libtomcrypt 1.16 and libtommath 0.40.

Setting econf --disable-bundled-libtom does not appear to make it use the system version. But setting LTC and LTM does appear to work:

Index: dropbear-2012.55.ebuild
===================================================================
RCS file: /var/cvsroot/gentoo-x86/net-misc/dropbear/dropbear-2012.55.ebuild,v
retrieving revision 1.1
diff -u -B -r1.1 dropbear-2012.55.ebuild
--- dropbear-2012.55.ebuild     24 Feb 2012 18:24:24 -0000      1.1
+++ dropbear-2012.55.ebuild     25 Feb 2012 18:07:56 -0000
@@ -53,7 +53,7 @@
 
 src_compile() {
        set_options
-       emake ${makeopts} PROGRAMS="${progs}"
+       emake LTC=/usr/lib/libtomcrypt.a LTM=/usr/lib/libtommath.a ${makeopts} PROGRAMS="${progs}"
 }
 
 src_install() {
Comment 7 Jeroen Roovers gentoo-dev 2012-02-25 18:09:54 UTC
(In reply to comment #6)
> dropbear appears to bundle and use libtomcrypt 1.16 and libtommath 0.40.
> 
> Setting econf --disable-bundled-libtom does not appear to make it use the
> system version. But setting LTC and LTM does appear to work:

Needs more than that, since it would still use the bundled headers.
Comment 8 Sean Amoss gentoo-dev Security 2012-02-28 12:29:47 UTC
If dropbear is using the bundled libtommath, we shouldn't be vulnerable any more. Upstream changelog [1] shows the issue fixed in 0.53: 

Fix a prime generation bug in bundled libtommath. This is unlikely to have
  generated any bad keys in the wild.
  See 
  https://bugzilla.redhat.com/show_bug.cgi?id=615088
  http://bugs.gentoo.org/show_bug.cgi?id=328383
  http://bugs.gentoo.org/show_bug.cgi?id=328409


[1] https://matt.ucc.asn.au/dropbear/CHANGES
Comment 9 Chris Reffett gentoo-dev Security 2013-09-03 20:09:53 UTC
Added to existing request. @maintainers: cleanup, please.
Comment 10 Anthony Basile gentoo-dev 2013-09-12 18:25:51 UTC
(In reply to Chris Reffett from comment #9)
> Added to existing request. @maintainers: cleanup, please.

Looks to me like we should remove the following versions (cutting and pasting from eshowkw)

              |                           | u   |  
              | a a             p     s   | n   |  
              | l m   h i m m   p s   p   | u s | r
              | p d a p a 6 i p c 3   a x | s l | e
              | h 6 r p 6 8 p p 6 9 s r 8 | e o | p
              | a 4 m a 4 k s c 4 0 h c 6 | d t | o
--------------+---------------------------+-----+-------
      0.52    | + + + + + + ~ + + + + + + | # 0 | gentoo
      0.52-r1 | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | #   | gentoo
    0.53.1    | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | #   | gentoo
   2011.54    | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | #   | gentoo



and we should keep

[I]2012.55    | + + + + + + ~ + + + + + + | o   | gentoo
   2013.56    | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | #   | gentoo
   2013.57    | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | #   | gentoo
   2013.58    | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | o   | gentoo

I can do that in a week if there are no objections --- mostly this is vapier's package so I don't want to step on toes.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-09-27 00:13:39 UTC
This issue was resolved and addressed in
 GLSA 201309-20 at http://security.gentoo.org/glsa/glsa-201309-20.xml
by GLSA coordinator Chris Reffett (creffett).