Recently, paramiko had two important security bugs related to its server components (bug 664346 and a bug yet-to-be-created based on https://github.com/paramiko/paramiko/issues/1283 ). Those bugs were serious (login without auth) and, frankly, of the rather "obvious" type. This tells us that the server component of that library wasn't built with security in mind and that we can expect it to still contain important holes. Because the server component is very seldom used and because its presence requires us to go through a rather heavy security process every time a new bug is found, I suggest that we disable the server functionality through patches, patches that can conditionally be applied with a USE flag. We would mask this USE flag with a link to this bug. This way, we can ignore future server-related CVEs. I made a quick survey of the main revdeps and they didn't seem to use start_server(). In a quick local test I've made, I simply raise an exception at the beginning of start_server() and add a condition to it so that tests can spawn the server (many tests require a server, which might be why paramiko bothers adding that functionality at all). Seems to do the job. Unless this bug sees opposition, I'll implement this patch in the upcoming 2.4.2 bump, linking the USE flag mask to this bug.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5378291a91a7bd63b67cc9782bbb860abc69c75f

commit 5378291a91a7bd63b67cc9782bbb860abc69c75f
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-09-26 14:02:09 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-26 14:02:09 +0000

    profiles: hard-mask server USE flag on dev-python/paramiko

    For security reasons.

    Bug: https://bugs.gentoo.org/666619
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 profiles/base/package.use.mask | 6 ++++++
 1 file changed, 6 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28e7e2b6ccd187aa7850b3a9201b6d8b43898905

commit 28e7e2b6ccd187aa7850b3a9201b6d8b43898905
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-09-26 13:56:25 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-26 14:00:47 +0000

    dev-python/paramiko: bump to 2.4.2

    Also, disable the server feature by default for security reasons. It can
    be re-enabled with the 'server' USE flag, which is going to be hard-masked.

    Bug: https://bugs.gentoo.org/666619
    Package-Manager: Portage-2.3.50, Repoman-2.3.11
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 dev-python/paramiko/Manifest                        |  1 +
 .../files/paramiko-2.4.2-disable-server.patch       | 46 ++++++++++++++++
 dev-python/paramiko/metadata.xml                    |  3 ++
 dev-python/paramiko/paramiko-2.4.2.ebuild           | 62 ++++++++++++++++++++++
 4 files changed, 112 insertions(+)
Let's keep this bug open and see in a little while if paramiko's security status has improved so that we can unmask or remove that server USE flag.
I am confused. This bug is quite old and CVE-2018-1000805 looks solved. Should we still use the server patch?
(In reply to Fabio Rossi from comment #3)
> I am confused. This bug is quite old and CVE-2018-1000805 looks solved.
> Should we still use the server patch?

Probably. Nobody has audited the code so far to the best of my knowledge, and paramiko isn't exactly a package giving much confidence.
I don't really see the point in doing this unless the patch is trivial. We should instead make sure packages don't use this at all (the USE flag isn't helpful for that).
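Both the revdep survey mentioned in comment 0 and the suggestion just above to make sure packages don't use the server side at all come down to the same check: finding the call sites. The script below is an added example for this bug, not code from paramiko, from the ebuild or from any commenter. It walks Python sources with the stdlib ast module, so it runs without paramiko installed and never imports the code it inspects. The names it treats as server-only (start_server, add_server_key, set_subsystem_handler and the ServerInterface, SFTPServerInterface and SFTPServer base classes) are taken from paramiko's public API, but which of them count as "server use" is this example's choice; the two sample sources are constructed stand-ins for reverse dependencies, not real packages.

```python
"""Survey Python sources for uses of paramiko's server-side API.

Added example for this bug (not part of paramiko or the Gentoo ebuild).
Parses sources with the stdlib ast module, so it works whether or not
paramiko is installed and never executes the code it inspects.
"""
import ast
from pathlib import Path
from typing import List, Optional, Tuple

Hit = Tuple[str, int, str]  # (filename, line number, description)

# Names from paramiko's public API that only make sense on the server side.
# Which names count as "server use" is this example's choice (assumption).
SERVER_METHODS = {"start_server", "add_server_key", "set_subsystem_handler"}
SERVER_BASE_CLASSES = {"ServerInterface", "SFTPServerInterface", "SFTPServer"}


def _base_name(node: ast.expr) -> Optional[str]:
    """Bare class name of a base-class expression: 'ServerInterface' for
    both `ServerInterface` and `paramiko.ServerInterface`."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_server_usage(source: str, filename: str = "<string>") -> List[Hit]:
    """Return one Hit per server-API use found in source, sorted by line."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        # Report rather than skip: an unparseable file is an unaudited file.
        return [(filename, exc.lineno or 0, f"could not parse: {exc.msg}")]

    hits: List[Hit] = []
    for node in ast.walk(tree):
        # <anything>.start_server(...) etc. The receiver's type is not
        # resolved, so this deliberately errs toward flagging too much.
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if node.func.attr in SERVER_METHODS:
                hits.append((filename, node.lineno, f"call to .{node.func.attr}()"))
        # class Foo(ServerInterface) / class Foo(paramiko.ServerInterface)
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = _base_name(base)
                if name in SERVER_BASE_CLASSES:
                    hits.append((filename, node.lineno,
                                 f"class {node.name} subclasses {name}"))
    return sorted(hits, key=lambda h: h[1])


def scan_tree(root: Path) -> List[Hit]:
    """Scan every .py file under root (e.g. a revdep's site-packages dir)."""
    hits: List[Hit] = []
    for path in sorted(root.rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits.extend(find_server_usage(text, str(path)))
    return hits


# Constructed sample sources standing in for two reverse dependencies.
CLIENT_ONLY = '''
import paramiko

def run(host, user, key_file):
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=user, key_filename=key_file)
    _, out, _ = client.exec_command("uptime")
    return out.read()
'''

USES_SERVER = '''
import socket
import paramiko

class Server(paramiko.ServerInterface):
    def check_auth_password(self, username, password):
        return paramiko.AUTH_FAILED

def serve(sock):
    transport = paramiko.Transport(sock)
    transport.add_server_key(paramiko.RSAKey.generate(2048))
    transport.start_server(server=Server())
    return transport.accept(20)
'''


def demo() -> dict:
    """Run the scanner over both constructed samples."""
    return {
        "client_only": find_server_usage(CLIENT_ONLY, "client_only.py"),
        "uses_server": find_server_usage(USES_SERVER, "uses_server.py"),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {'clean' if not hits else ''}")
        for fn, line, what in hits:
            print(f"  {fn}:{line}: {what}")
```

For a real survey, point scan_tree() at each revdep's unpacked sources or installed site-packages directory; the client-only sample comes back clean, while the server sample is flagged once for the ServerInterface subclass and once per server-side Transport call. Because the scanner does not resolve the receiver type, a hit is a lead to inspect, not proof that paramiko's server is in use.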