Bug 11036 - dropbear should maybe use system libtommath
Summary: dropbear should maybe use system libtommath
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: i586 Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/563959/
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2013-08-20 00:13 CEST by David Walser
Modified: 2014-10-05 03:31 CEST

See Also:
Source RPM: dropbear
CVE:
Status comment:


Description David Walser 2013-08-20 00:13:54 CEST
Fedora has issued an advisory on August 9:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114306.html

The security issue in libtommath was fixed in version 0.42.0, which Funda updated us to two years ago (thanks Funda!).

As is noted in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=615088

dropbear bundles libtommath and libtomcrypt.  I would imagine that the current version of dropbear we have has updated these bundled libraries and isn't affected by the security issue.  That being said, we usually prefer to use system libraries instead of bundled ones, and dropbear can do that, according to the comments in the RH bug.  However, while we do have libtommath packaged, we do not have libtomcrypt packaged, so if we wanted to switch to system libraries for that, we'd have to import libtomcrypt.

Reproducible:

Steps to Reproduce:
Comment 1 David Walser 2013-08-20 00:15:34 CEST
CC'ing Funda (libtommath packager), Colin and Dan (dropbear packagers), and Thierry (because IIRC dropbear is used in the installer and may be impacted by any change to it).

CC: (none) => dan, fundawang, mageia, thierry.vignaud

Comment 2 Thomas Backlund 2013-08-20 07:22:24 CEST
It's not used in the installer as such, but on the rescue image.

CC: (none) => tmb

Comment 3 Sander Lepik 2014-10-04 14:40:52 CEST
Ping. Is it still used the same way in rescue image?

CC: (none) => mageia

Comment 4 Thierry Vignaud 2014-10-04 17:43:12 CEST
Go on, any new lib will automatically get pulled into the rescue system.
Comment 5 Dan Fandrich 2014-10-05 03:31:56 CEST
I've imported libtomcrypt and switched Dropbear to use the system libtommath and libtomcrypt as suggested.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

