Bug 931505 - <net-misc/dropbear-2024.85-r1: DSS algorithm is always enabled regardless of the savedconfig
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: B4 [upstream/ebuild]
Whiteboard: B4 [glsa?]
 
Reported: 2024-05-07 18:12 UTC by fariouche
Modified: 2024-08-28 04:20 UTC (History)
CC: 5 users

Description fariouche 2024-05-07 18:12:28 UTC
When we compile dropbear (with or without a savedconfig) with DROPBEAR_DSS set to 0, the DSS algorithm is still enabled.

The main reason is upstream (it is enforced in sysoptions.h to make fuzzing happy, as far as I understood).
However, the init.d/dropbear script relies on the output of "dropbearkey -h" to detect available algorithms and generates a key for each of them.

A solution is to avoid relying on the dropbearkey output and have a variable in conf.d/dropbear to list the algorithms... or, better, just let the admin generate the keys he wants to support without letting the script decide.

Upstream don't want to fix that, as their proposed solution is to just not create a DSS key file.

Reproducible: Always
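Added illustration (not the Gentoo init script and not dropbear's own code) of the two approaches the report contrasts: keying host-key generation off the types that dropbearkey -h advertises, versus an explicit allow-list set by the admin in conf.d. The dropbearkey -h text parsed below is a constructed stand-in for a build that still lists dss even though DROPBEAR_DSS was set to 0; the conf.d variable name DROPBEAR_KEYTYPES and the /etc/dropbear/dropbear_<type>_host_key paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the Gentoo net-misc/dropbear init script.
# Shows why deriving the key list from "dropbearkey -h" produces a DSS
# host key whenever the binary still advertises dss, and how an explicit
# allow-list from conf.d avoids that regardless of what the binary reports.

# Constructed stand-in for "dropbearkey -h 2>&1" from a build where DSS is
# compiled in despite DROPBEAR_DSS=0 (layout assumed, not captured output).
SAMPLE_HELP='Usage: dropbearkey -t <type> -f <filename> [-s bits]
-t type    Type of key to generate. One of:
        dss
        rsa
        ecdsa
        ed25519
-f filename    Use filename for the secret key.
-s bits    Key size in bits, should be a multiple of 8 (optional)'

# Old approach: every single-word line between "One of:" and the next
# option line is taken as a supported key type. Returns them space-separated.
detect_keytypes() {
    printf '%s\n' "$1" | awk '
        /One of:/ { in_list = 1; next }
        /^-/      { in_list = 0 }
        in_list && NF == 1 { print $1 }
    ' | tr '\n' ' ' | sed 's/ $//'
}

# Proposed approach: the admin lists the wanted types (assumed conf.d variable
# DROPBEAR_KEYTYPES). Only wanted types that the binary supports are kept;
# anything the binary advertises but the admin did not ask for (dss) is ignored.
select_keytypes() {
    detected="$1"
    wanted="$2"
    out=""
    for t in $wanted; do
        case " $detected " in
            *" $t "*) out="$out$t " ;;
            *) printf 'warning: %s not supported by this dropbearkey\n' "$t" >&2 ;;
        esac
    done
    printf '%s' "${out% }"
}

# Host key path for a type (Gentoo-style layout assumed for the example).
keyfile_for() {
    printf '/etc/dropbear/dropbear_%s_host_key' "$1"
}

# Dry run: print the dropbearkey invocations that would be executed.
plan_keygen() {
    for t in $1; do
        printf 'dropbearkey -t %s -f %s\n' "$t" "$(keyfile_for "$t")"
    done
}

if [ "${1:-}" = "--demo" ]; then
    all=$(detect_keytypes "$SAMPLE_HELP")
    echo "help text advertises: $all"
    echo "--- keys generated by the detection approach (dss included):"
    plan_keygen "$all"
    echo "--- keys generated with DROPBEAR_KEYTYPES=\"rsa ed25519\":"
    plan_keygen "$(select_keytypes "$all" "rsa ed25519")"
fi
```

Running it with --demo prints both plans; the first contains a dropbearkey -t dss line, the second does not, which is exactly the difference the report is about. The allow-list also degrades safely the other way: asking for a type the binary lacks only produces a warning instead of a failed key generation.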
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-07 18:14:34 UTC
(In reply to fariouche from comment #0)
> [...]
> Upstream don't want to fix that, as their proposed solution is to just not
> create a DSS key file.

Do you have a source/reference for this, just for completeness?
Comment 2 Viorel Munteanu gentoo-dev 2024-05-07 18:32:15 UTC
There is also a related PR ( https://github.com/gentoo/gentoo/pull/36489 ), maybe instead of adding ed25519 we could move all of them in conf.d and disable dss by default.
Comment 3 fariouche 2024-08-27 17:57:26 UTC
It seems that since 2024.84, dropbear has fixed that.
From the release notes: "Don't unconditionally enable DROPBEAR_DSS"

https://github.com/mkj/dropbear/releases

Confirmed by running 2024.85, the latest version in portage: dropbear -h does not report DSS anymore.
Comment 4 Larry the Git Cow gentoo-dev 2024-08-27 18:26:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c52263280244bbcc756012c3bef6b3f3aa5f7d90

commit c52263280244bbcc756012c3bef6b3f3aa5f7d90
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2024-08-27 18:18:26 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2024-08-27 18:18:26 +0000

    net-misc/dropbear: disable generating the dss key
    
    Bug: https://bugs.gentoo.org/931505
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 .../dropbear/{dropbear-2022.83.ebuild => dropbear-2022.83-r1.ebuild}    | 2 +-
 .../dropbear/{dropbear-2024.85.ebuild => dropbear-2024.85-r1.ebuild}    | 0
 net-misc/dropbear/files/dropbear.init.d                                 | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)