Bug 11036

Summary: dropbear should maybe use system libtommath
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: dan, fundawang, mageia, mageia, thierry.vignaud, tmb
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/563959/
Whiteboard:
Source RPM: dropbear CVE:
Status comment:

Description David Walser 2013-08-20 00:13:54 CEST
Fedora has issued an advisory on August 9:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114306.html

The security issue in libtommath was fixed in version 0.42.0, which Funda updated us to two years ago (thanks Funda!).

As is noted in the Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=615088

dropbear bundles libtommath and libtomcrypt.  I would imagine that the current version of dropbear we have has updated these bundled libraries and isn't affected by the security issue.  That being said, we usually prefer to use system libraries instead of bundled ones, and dropbear can do that, according to the comments in the RH bug.  However, while we do have libtommath packaged, we do not have libtomcrypt packaged, so if we wanted to switch to system libraries for that, we'd have to import libtomcrypt.

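The point of the report above is that a security fix landing in the system libtommath only helps if dropbear actually links against it rather than its bundled copy. The script below is an added example (not from this bug, Mageia, or the Dropbear project) showing how a packager would build with the system libraries and then verify the result from the installed binary. It assumes the library SONAMEs libtomcrypt.so.* and libtommath.so.*, Dropbear's `./configure --disable-bundled-libtom` switch (check `./configure --help` for the version you build), and Mageia devel package names libtomcrypt-devel / libtommath-devel; the ldd output it parses is constructed sample text, so the check runs offline.

```shell
#!/bin/sh
# Added example, not code from the Mageia bug or the Dropbear project.
#
# Build side (assumed flag and package names; verify against your version):
#   BuildRequires: libtomcrypt-devel libtommath-devel
#   %configure --disable-bundled-libtom
# With that switch configure fails instead of silently falling back to the
# bundled libtom sources, which is what a packager wants: the build must
# not quietly re-embed the very library you are trying to keep updatable.
#
# Verification side: a binary linked against the system libraries resolves
# libtomcrypt.so and libtommath.so through the dynamic loader; one built
# with the bundled copies carries them statically and ldd never lists them.

# uses_system_libtom: read `ldd` output on stdin; return 0 when both
# libtomcrypt and libtommath are resolved shared objects, 1 otherwise.
# A line such as "libtommath.so.1 => not found" does not count.
uses_system_libtom() {
    have_crypt=0
    have_math=0
    while IFS= read -r line; do
        case "$line" in
            *libtomcrypt.so*"=> /"*) have_crypt=1 ;;
            *libtommath.so*"=> /"*)  have_math=1 ;;
        esac
    done
    [ "$have_crypt" -eq 1 ] && [ "$have_math" -eq 1 ]
}

# Constructed sample ldd output: a dropbear linked to system libtom.
SAMPLE_SYSTEM='	linux-vdso.so.1 (0x00007ffd2a5f0000)
	libtomcrypt.so.1 => /usr/lib64/libtomcrypt.so.1 (0x00007f1c2b400000)
	libtommath.so.1 => /usr/lib64/libtommath.so.1 (0x00007f1c2b3c0000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00007f1c2b3a0000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1c2b000000)'

# Constructed sample ldd output: a dropbear built with the bundled copies
# (no libtom entries at all, the code is inside the executable).
SAMPLE_BUNDLED='	linux-vdso.so.1 (0x00007ffd2a5f0000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00007f1c2b3a0000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1c2b000000)'

# Constructed sample: linked against system libtom, but libtommath is
# missing at runtime, which must not be reported as "system libs in use".
SAMPLE_BROKEN='	libtomcrypt.so.1 => /usr/lib64/libtomcrypt.so.1 (0x00007f1c2b400000)
	libtommath.so.1 => not found
	libc.so.6 => /lib64/libc.so.6 (0x00007f1c2b000000)'

check_sample_system()  { printf '%s\n' "$SAMPLE_SYSTEM"  | uses_system_libtom; }
check_sample_bundled() { printf '%s\n' "$SAMPLE_BUNDLED" | uses_system_libtom; }
check_sample_broken()  { printf '%s\n' "$SAMPLE_BROKEN"  | uses_system_libtom; }

# Usage: ./check-libtom.sh /usr/sbin/dropbear
# With a path argument, inspect a real binary; otherwise just run the samples.
if [ -n "${1:-}" ]; then
    if ldd "$1" | uses_system_libtom; then
        echo "$1: links against system libtomcrypt/libtommath"
    else
        echo "$1: bundled (or unresolved) libtom, system updates will not apply"
    fi
else
    check_sample_system  && echo "sample: system libs detected"
    check_sample_bundled || echo "sample: bundled libs detected"
fi
```

The "not found" case matters on a rescue image: if the binary was switched to the system libraries but the image does not carry them, dropbear simply fails to start, so after such a packaging change the rescue image is worth checking with the same `ldd` pass.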
Comment 1 David Walser 2013-08-20 00:15:34 CEST
CC'ing Funda (libtommath packager), Colin and Dan (dropbear packagers), and Thierry (because IIRC dropbear is used in the installer and may be impacted by any change to it).

CC: (none) => dan, fundawang, mageia, thierry.vignaud

Comment 2 Thomas Backlund 2013-08-20 07:22:24 CEST
It's not used in the installer as such, but on the rescue image.

CC: (none) => tmb

Comment 3 Sander Lepik 2014-10-04 14:40:52 CEST
Ping. Is it still used the same way in rescue image?

CC: (none) => mageia

Comment 4 Thierry Vignaud 2014-10-04 17:43:12 CEST
Go on, any new lib will automatically get pulled into the rescue system.
Comment 5 Dan Fandrich 2014-10-05 03:31:56 CEST
I've imported libtomcrypt and switched Dropbear to use the system libtommath and libtomcrypt as suggested.

Status: NEW => RESOLVED
Resolution: (none) => FIXED