Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 732664 - net-misc/dropbear: bundles libtomcrypt
Summary: net-misc/dropbear: bundles libtomcrypt
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security Audit Team
URL:
Whiteboard:
Keywords:
Depends on: 723844 761226
Blocks: bundled-libs
  Show dependency tree
 
Reported: 2020-07-14 22:12 UTC by Sam James
Modified: 2021-01-17 17:28 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 22:12:10 UTC
Dropbear currently bundles libtomcrypt. It uses the system libtommath if it finds it.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 22:12:34 UTC
This has caused security vulnerabilities in Dropbear in the past.
Comment 2 Matt Whitlock 2020-08-16 17:28:45 UTC
(In reply to Sam James from comment #0)
> It uses the system libtommath if it finds it.

I don't believe this is true.

# emerge -pqv net-misc/dropbear dev-libs/libtommath
[ebuild   R   ] dev-libs/libtommath-1.2.0  USE="-doc -examples -static-libs"
[ebuild  N    ] net-misc/dropbear-2020.80-r1  USE="shadow syslog -bsdpty -minimal -multicall -pam -savedconfig -static -zlib"

net-misc/dropbear configure output includes these lines:

checking for mp_to_ubin in -ltommath... yes
checking for poly1305_init in -ltomcrypt... no
...
configure: 
configure: Using bundled libtomcrypt and libtommath
configure: 

You can force dropbear not to use the bundled libraries by passing '--disable-bundled-libtom' to configure. (I *HIGHLY* recommend that this flag be added to the ebuild.) Then configure fails with:

configure: error: Missing/old system libtomcrypt and --disable-bundled-libtom was specified

Inspecting Dropbear's configure.ac reveals that Dropbear either uses the system versions of libtommath and libtomcrypt or the bundled versions of both but does not mix a system version of libtommath with the bundled version of libtomcrypt.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 02:30:53 UTC
(In reply to Matt Whitlock from comment #2)
> (In reply to Sam James from comment #0)
> > It uses the system libtommath if it finds it.
> 
> I don't believe this is true.


I checked after you said and agreed. Thank you!

We now have libtomcrypt in tree, so we should see about debundling this.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-22 02:41:04 UTC
(In reply to Sam James from comment #3)
> (In reply to Matt Whitlock from comment #2)
> > (In reply to Sam James from comment #0)
> > > It uses the system libtommath if it finds it.
> > 
> > I don't believe this is true.
> 
> 
> I checked after you said and agreed. Thank you!
> 
> We now have libtomcrypt in tree, so we should see about debundling this.

Oh, I get my confusion now. LIBTOM_LIBS is actually set correctly at first, but it is overrides later anyway. So yes, it's one-or-the-other.
Comment 5 Larry the Git Cow gentoo-dev 2021-01-17 17:28:57 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4290b8f0eebff36d727099e734e927ac84c9957

commit b4290b8f0eebff36d727099e734e927ac84c9957
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-17 17:28:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-17 17:28:53 +0000

    net-misc/dropbear: unbundle libtom{crypt,math}
    
    Finally unbundle dev-libs/libtom{crypt,math}.
    
    Closes: https://bugs.gentoo.org/732664
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/dropbear/dropbear-2020.81-r1.ebuild | 111 +++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)