Activity log for bug #1982432

Date Who What changed Old value New value Message
2022-07-20 23:07:26 Luís Infante da Câmara bug added bug
2022-07-20 23:07:26 Luís Infante da Câmara attachment added mbedtls_symbols.sh https://bugs.launchpad.net/bugs/1982432/+attachment/5604455/+files/mbedtls_symbols.sh
2022-07-20 23:07:32 Luís Infante da Câmara information type Public Public Security
2022-07-20 23:11:20 Luís Infante da Câmara description

Old value:

librist invokes sensitive (AES) functions in mbedTLS, that is in universe component. There are already (at least) two cryptographic implementations in the main component: libgcrypt and openssl. To reduce bloat and given that the Ubuntu Security Team generally refuses to patch CVEs in packages in the universe component, a switch should be made.

List of mbedTLS functions used in librist (generated by the attached shell script, that only works on amd64, but is trivial to port):

mbedtls_aes_crypt_ctr
mbedtls_aes_free
mbedtls_aes_init
mbedtls_aes_setkey_enc
mbedtls_ctr_drbg_init
mbedtls_ctr_drbg_random
mbedtls_ctr_drbg_seed
mbedtls_entropy_func
mbedtls_entropy_init
mbedtls_md_free
mbedtls_md_info_from_type
mbedtls_md_init
mbedtls_md_setup
mbedtls_mpi_add_mpi
mbedtls_mpi_cmp_int
mbedtls_mpi_exp_mod
mbedtls_mpi_fill_random
mbedtls_mpi_free
mbedtls_mpi_init
mbedtls_mpi_mod_mpi
mbedtls_mpi_mul_mpi
mbedtls_mpi_read_binary
mbedtls_mpi_read_string
mbedtls_mpi_size
mbedtls_mpi_sub_mpi
mbedtls_mpi_write_binary
mbedtls_mpi_write_string
mbedtls_pkcs5_pbkdf2_hmac
mbedtls_sha1_finish_ret
mbedtls_sha1_init
mbedtls_sha1_ret
mbedtls_sha1_update_ret
mbedtls_sha256_finish_ret
mbedtls_sha256_init
mbedtls_sha256_ret
mbedtls_sha256_update_ret
mbedtls_sha512_finish_ret
mbedtls_sha512_init
mbedtls_sha512_ret
mbedtls_sha512_update_ret

ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: librist4 0.2.7+dfsg-1
ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
Uname: Linux 5.15.0-27-generic x86_64
ApportVersion: 2.22.0-0ubuntu4
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: MATE
Date: Wed Jul 20 23:42:14 2022
InstallationDate: Installed on 2022-06-26 (24 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220624)
SourcePackage: librist
UpgradeStatus: No upgrade log present (probably fresh install)

New value:

librist invokes sensitive (AES) functions in mbedTLS, that is in the universe component.

There are already (at least) two cryptographic implementations in the main component: libgcrypt and OpenSSL. The libraries for these implementations are preinstalled in all Ubuntu desktop flavors. To reduce bloat and given that the Ubuntu Security Team generally refuses to patch CVEs in packages in the universe component, a switch should be made.

List of mbedTLS functions used in librist (generated by the attached shell script, that only works on amd64, but is trivial to port):

mbedtls_aes_crypt_ctr
mbedtls_aes_free
mbedtls_aes_init
mbedtls_aes_setkey_enc
mbedtls_ctr_drbg_init
mbedtls_ctr_drbg_random
mbedtls_ctr_drbg_seed
mbedtls_entropy_func
mbedtls_entropy_init
mbedtls_md_free
mbedtls_md_info_from_type
mbedtls_md_init
mbedtls_md_setup
mbedtls_mpi_add_mpi
mbedtls_mpi_cmp_int
mbedtls_mpi_exp_mod
mbedtls_mpi_fill_random
mbedtls_mpi_free
mbedtls_mpi_init
mbedtls_mpi_mod_mpi
mbedtls_mpi_mul_mpi
mbedtls_mpi_read_binary
mbedtls_mpi_read_string
mbedtls_mpi_size
mbedtls_mpi_sub_mpi
mbedtls_mpi_write_binary
mbedtls_mpi_write_string
mbedtls_pkcs5_pbkdf2_hmac
mbedtls_sha1_finish_ret
mbedtls_sha1_init
mbedtls_sha1_ret
mbedtls_sha1_update_ret
mbedtls_sha256_finish_ret
mbedtls_sha256_init
mbedtls_sha256_ret
mbedtls_sha256_update_ret
mbedtls_sha512_finish_ret
mbedtls_sha512_init
mbedtls_sha512_ret
mbedtls_sha512_update_ret

ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: librist4 0.2.7+dfsg-1
ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
Uname: Linux 5.15.0-27-generic x86_64
ApportVersion: 2.22.0-0ubuntu4
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: MATE
Date: Wed Jul 20 23:42:14 2022
InstallationDate: Installed on 2022-06-26 (24 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220624)
SourcePackage: librist
UpgradeStatus: No upgrade log present (probably fresh install)

2022-07-27 17:38:21 Steve Beattie librist (Ubuntu): status New Confirmed
2022-08-04 14:20:15 Luís Infante da Câmara attachment added mbedtls_symbols.sh https://bugs.launchpad.net/ubuntu/+source/librist/+bug/1982432/+attachment/5607037/+files/mbedtls_symbols.sh
2022-08-04 14:20:54 Luís Infante da Câmara attachment removed mbedtls_symbols.sh https://bugs.launchpad.net/ubuntu/+source/librist/+bug/1982432/+attachment/5604455/+files/mbedtls_symbols.sh