Should use a cryptographic implementation in the main component
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
librist (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
librist invokes sensitive (AES) functions in mbedTLS, which is in the universe component. There are already (at least) two cryptographic implementations in the main component: libgcrypt and OpenSSL. The libraries for these implementations are preinstalled in all Ubuntu desktop flavors.
To reduce bloat, and given that the Ubuntu Security Team generally refuses to patch CVEs in packages in the universe component, a switch should be made.
List of mbedTLS functions used in librist (generated by the attached shell script, which only works on amd64 but is trivial to port):
mbedtls_
mbedtls_aes_free
mbedtls_aes_init
mbedtls_
mbedtls_
mbedtls_
mbedtls_
mbedtls_
mbedtls_
mbedtls_md_free
mbedtls_
mbedtls_md_init
mbedtls_md_setup
mbedtls_mpi_add_mpi
mbedtls_mpi_cmp_int
mbedtls_mpi_exp_mod
mbedtls_
mbedtls_mpi_free
mbedtls_mpi_init
mbedtls_mpi_mod_mpi
mbedtls_mpi_mul_mpi
mbedtls_
mbedtls_
mbedtls_mpi_size
mbedtls_mpi_sub_mpi
mbedtls_
mbedtls_
mbedtls_
mbedtls_
mbedtls_sha1_init
mbedtls_sha1_ret
mbedtls_
mbedtls_
mbedtls_sha256_init
mbedtls_sha256_ret
mbedtls_
mbedtls_
mbedtls_sha512_init
mbedtls_sha512_ret
mbedtls_
ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: librist4 0.2.7+dfsg-1
ProcVersionSign
Uname: Linux 5.15.0-27-generic x86_64
ApportVersion: 2.22.0-0ubuntu4
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: MATE
Date: Wed Jul 20 23:42:14 2022
InstallationDate: Installed on 2022-06-26 (24 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220624)
SourcePackage: librist
UpgradeStatus: No upgrade log present (probably fresh install)
Changed in librist (Ubuntu):
status: New → Confirmed
Corrected version of mbedtls_symbols.sh
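A portable version of the symbol inventory the reporter describes, added here as an illustration; it is not the attached mbedtls_symbols.sh and is not part of librist. Instead of a hard-coded amd64 library path it asks nm -D for the undefined (imported) symbols of whatever shared object it is given, so the same script works on any architecture where binutils is installed (an assumption). The nm output embedded below is constructed for offline demonstration; the real list for a package comes from running the script against the installed library, e.g. the .so that `dpkg -L librist4` reports.

```shell
#!/bin/sh
# Added example: list the mbedTLS symbols a shared library imports.
# Not the reporter's attached script; assumes binutils nm is on PATH.

# Keep only undefined ("U") symbols whose name starts with the given prefix,
# strip any "@VERSION" suffix, and de-duplicate. Reads nm -D output on stdin.
filter_undefined_symbols() {
    prefix="$1"
    awk -v p="$prefix" '
        $1 == "U" {
            sub(/@.*/, "", $2)          # drop symbol-version suffix if present
            if (index($2, p) == 1) print $2
        }' | LC_ALL=C sort -u
}

# Inventory the mbedtls_ symbols imported by one shared object or executable.
# Usage: list_mbedtls_symbols /path/to/librist.so.4
list_mbedtls_symbols() {
    lib="$1"
    nm -D --undefined-only "$lib" | filter_undefined_symbols mbedtls_
}

# Constructed sample of nm -D output (not captured from a real librist build):
# a duplicate import, a versioned libc import, a weak symbol and a defined
# symbol, to show what the filter keeps and what it discards.
sample_nm_output() {
    cat <<'EOF'
                 U mbedtls_aes_init
                 U mbedtls_aes_free
                 U mbedtls_sha256_ret
                 U mbedtls_aes_init
                 U memcpy@GLIBC_2.14
                 w __cxa_finalize
0000000000004010 T rist_sender_create
EOF
}

# When run directly with a library path, print its mbedtls_ imports;
# with no argument, show the filter on the constructed sample.
if [ "$#" -gt 0 ]; then
    list_mbedtls_symbols "$1"
elif [ -z "${SYMBOLS_NO_DEMO:-}" ]; then
    sample_nm_output | filter_undefined_symbols mbedtls_
fi
```

Run it against the installed library to reproduce the inventory in the report; the same script with a different prefix (for example `gcry_` or `EVP_`) verifies, after a switch, that the binary no longer imports anything from mbedTLS and does import from the replacement library.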