Dropbear currently bundles libtomcrypt. It uses the system libtommath if it finds it.
This has caused security vulnerabilities in Dropbear in the past.
(In reply to Sam James from comment #0)
> It uses the system libtommath if it finds it.

I don't believe this is true.

# emerge -pqv net-misc/dropbear dev-libs/libtommath
[ebuild R ] dev-libs/libtommath-1.2.0 USE="-doc -examples -static-libs"
[ebuild N ] net-misc/dropbear-2020.80-r1 USE="shadow syslog -bsdpty -minimal -multicall -pam -savedconfig -static -zlib"

net-misc/dropbear configure output includes these lines:

checking for mp_to_ubin in -ltommath... yes
checking for poly1305_init in -ltomcrypt... no
...
configure:
configure: Using bundled libtomcrypt and libtommath
configure: You can force dropbear not to use the bundled libraries by passing '--disable-bundled-libtom' to configure.

(I *HIGHLY* recommend that this flag be added to the ebuild.)

Then configure fails with:

configure: error: Missing/old system libtomcrypt and --disable-bundled-libtom was specified

Inspecting Dropbear's configure.ac reveals that Dropbear either uses the system versions of libtommath and libtomcrypt or the bundled versions of both, but does not mix a system version of libtommath with the bundled version of libtomcrypt.
(In reply to Matt Whitlock from comment #2)
> (In reply to Sam James from comment #0)
> > It uses the system libtommath if it finds it.
>
> I don't believe this is true.

I checked after you said and agreed. Thank you!

We now have libtomcrypt in tree, so we should see about debundling this.
(In reply to Sam James from comment #3)
> (In reply to Matt Whitlock from comment #2)
> > (In reply to Sam James from comment #0)
> > > It uses the system libtommath if it finds it.
> >
> > I don't believe this is true.
>
> I checked after you said and agreed. Thank you!
>
> We now have libtomcrypt in tree, so we should see about debundling this.

Oh, I get my confusion now. LIBTOM_LIBS is actually set correctly at first, but it is overridden later anyway. So yes, it's one-or-the-other.
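The thread settles the question from two artefacts: the "Using bundled libtomcrypt and libtommath" line in the configure output, and what the finished binary links against. The script below is an added example, not code from this bug, from Dropbear or from the Gentoo ebuild. It turns both checks into small POSIX sh functions and a combined verdict, so that after an unbundled build (for example with `--disable-bundled-libtom`) you can confirm the system libraries were really used. The configure output and the `readelf -d` output it reads are constructed samples in the style of the lines quoted in comment #2; on a real system you would feed it the saved configure log and `readelf -d /usr/sbin/dropbear`.

```shell
#!/bin/sh
# Added example (not from the bug thread, Dropbear or the Gentoo ebuild):
# tell whether a Dropbear build uses the system libtomcrypt/libtommath or
# the bundled copies, from two build artefacts:
#   1. the configure output, which contains
#      "configure: Using bundled libtomcrypt and libtommath"
#      when Dropbear falls back to the in-tree copies;
#   2. `readelf -d` on the installed binary, where a build against the
#      system libraries lists libtomcrypt.so and libtommath.so as NEEDED,
#      while the bundled copies are linked in statically and list neither.
# All sample input below is constructed for this example.

# Print "bundled" if the configure output reports the bundled libraries,
# "system" otherwise.  $1: file holding the configure output.
configure_libtom_choice() {
    if grep -q 'configure: Using bundled libtomcrypt and libtommath' "$1"; then
        echo bundled
    else
        echo system
    fi
}

# Print the soname of every NEEDED entry in `readelf -d` output, one per line.
# $1: file holding the readelf -d output.
needed_libs() {
    sed -n 's/.*(NEEDED).*\[\([^]]*\)\].*/\1/p' "$1"
}

# Print "system" if both libtom sonames are NEEDED, "bundled" if neither is,
# "mixed" if only one is (configure.ac is one-or-the-other, so "mixed"
# means something else linked a libtom library in).  $1: readelf -d output file.
binary_libtom_choice() {
    crypt=no
    math=no
    for lib in $(needed_libs "$1"); do
        case $lib in
            libtomcrypt.so*) crypt=yes ;;
            libtommath.so*)  math=yes ;;
        esac
    done
    if [ "$crypt" = yes ] && [ "$math" = yes ]; then
        echo system
    elif [ "$crypt" = no ] && [ "$math" = no ]; then
        echo bundled
    else
        echo mixed
    fi
}

# Combine both checks.  "inconsistent" means the configure log and the
# binary disagree, e.g. a log from a different build than the binary.
# $1: configure output file, $2: readelf -d output file.
libtom_verdict() {
    c=$(configure_libtom_choice "$1")
    b=$(binary_libtom_choice "$2")
    if [ "$c" = "$b" ]; then
        echo "$c"
    else
        echo "inconsistent (configure: $c, binary: $b)"
    fi
}

# ---- constructed sample artefacts -------------------------------------
SAMPLE_DIR=$(mktemp -d)
BUNDLED_CONFIGURE=$SAMPLE_DIR/configure-bundled.log
SYSTEM_CONFIGURE=$SAMPLE_DIR/configure-system.log
BUNDLED_READELF=$SAMPLE_DIR/readelf-bundled.txt
SYSTEM_READELF=$SAMPLE_DIR/readelf-system.txt

cat > "$BUNDLED_CONFIGURE" <<'EOF'
checking for mp_to_ubin in -ltommath... yes
checking for poly1305_init in -ltomcrypt... no
configure:
configure: Using bundled libtomcrypt and libtommath
configure: You can force dropbear not to use the bundled libraries by passing '--disable-bundled-libtom' to configure.
EOF

cat > "$SYSTEM_CONFIGURE" <<'EOF'
checking for mp_to_ubin in -ltommath... yes
checking for poly1305_init in -ltomcrypt... yes
EOF

cat > "$SYSTEM_READELF" <<'EOF'
Dynamic section at offset 0x3dd70 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libtomcrypt.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libtommath.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypt.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x6000
EOF

cat > "$BUNDLED_READELF" <<'EOF'
Dynamic section at offset 0x5ad70 contains 25 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcrypt.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x6000
EOF

echo "unbundled build: $(libtom_verdict "$SYSTEM_CONFIGURE" "$SYSTEM_READELF")"
echo "bundled build:   $(libtom_verdict "$BUNDLED_CONFIGURE" "$BUNDLED_READELF")"
echo "mismatched:      $(libtom_verdict "$BUNDLED_CONFIGURE" "$SYSTEM_READELF")"
```

On Gentoo, `scanelf -n /usr/sbin/dropbear` from pax-utils gives the same NEEDED list as `readelf -d` and can be substituted for the readelf sample. A binary built with USE=static will show no NEEDED entries at all, so the binary check alone cannot distinguish a static system-library build from a bundled one there; the configure log check still can.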
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4290b8f0eebff36d727099e734e927ac84c9957

commit b4290b8f0eebff36d727099e734e927ac84c9957
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-17 17:28:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-17 17:28:53 +0000

    net-misc/dropbear: unbundle libtom{crypt,math}

    Finally unbundle dev-libs/libtom{crypt,math}.

    Closes: https://bugs.gentoo.org/732664
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/dropbear/dropbear-2020.81-r1.ebuild | 111 +++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)