
Bug 664346 (CVE-2018-7750)

Summary: <dev-python/paramiko-2.4.1: Authentication Bypass Vulnerability
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: alicef, python, vdupras
Priority: High
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/paramiko/paramiko/issues/1175
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 647562
Bug Blocks:

Description D'juan McDonald (domhnall) 2018-08-23 08:01:27 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2018-7750):

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

(http://www.paramiko.org/changelog.html):
"Additionally, pyasn1 has been removed from setup.py and its imports in the GSSAPI code made optional."

@maintainer(s): 2.4.1 is in tree, as is vulnerable 2.3.1. Are we dropping vulnerable version(s)?


Gentoo Security Padawan
(domhnall)
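The NVD text quoted above describes a server that services connection-layer requests (channel-open) without first confirming that user authentication finished. As an added illustration of that check, and not paramiko's own code or the upstream fix, the following Python sketch models a server-side dispatcher with an explicit authentication state. The message type numbers are the ones assigned in RFC 4250; the `ServerTransport` class, the `enforce_auth_state` toggle (which reproduces the missing check for comparison), the credential table and the sample message sequences are constructed for this example.

```python
"""Added example: an SSH-style server dispatcher that refuses connection-layer
requests until userauth has completed. Not paramiko code; constructed to show
the class of check whose absence is described in CVE-2018-7750."""

from dataclasses import dataclass, field
from enum import Enum, auto

# SSH message type numbers (RFC 4250).
MSG_USERAUTH_REQUEST = 50
MSG_USERAUTH_FAILURE = 51
MSG_USERAUTH_SUCCESS = 52
MSG_CHANNEL_OPEN = 90
MSG_CHANNEL_OPEN_CONFIRMATION = 91
MSG_CHANNEL_OPEN_FAILURE = 92

# Connection-protocol messages (RFC 4254) that must only be honoured once the
# client has authenticated. Channel-open is the case named in the advisory.
POST_AUTH_ONLY = {MSG_CHANNEL_OPEN}


class AuthState(Enum):
    UNAUTHENTICATED = auto()
    AUTHENTICATED = auto()


@dataclass
class Message:
    msg_type: int
    payload: dict = field(default_factory=dict)


@dataclass
class ServerTransport:
    """Minimal server-side state (hypothetical). `valid_credentials` stands in
    for a real authentication backend; `enforce_auth_state=False` reproduces
    the missing check so the two behaviours can be compared side by side."""
    valid_credentials: dict
    enforce_auth_state: bool = True
    auth_state: AuthState = AuthState.UNAUTHENTICATED
    channels: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def handle(self, msg: Message) -> int:
        """Dispatch one incoming message and return the reply message type."""
        # The check the advisory says was missing: gate post-auth messages on
        # the authentication state before any handler runs.
        if (self.enforce_auth_state
                and self.auth_state is not AuthState.AUTHENTICATED
                and msg.msg_type in POST_AUTH_ONLY):
            self.log.append(f"rejected msg {msg.msg_type} before authentication")
            return MSG_CHANNEL_OPEN_FAILURE
        if msg.msg_type == MSG_USERAUTH_REQUEST:
            return self._userauth(msg)
        if msg.msg_type == MSG_CHANNEL_OPEN:
            self.channels.append(msg.payload.get("channel_type", "session"))
            return MSG_CHANNEL_OPEN_CONFIRMATION
        raise ValueError(f"unhandled message type {msg.msg_type}")

    def _userauth(self, msg: Message) -> int:
        user = msg.payload.get("user")
        password = msg.payload.get("password")
        if user in self.valid_credentials and self.valid_credentials[user] == password:
            self.auth_state = AuthState.AUTHENTICATED
            return MSG_USERAUTH_SUCCESS
        return MSG_USERAUTH_FAILURE


def run_session(enforce_auth_state: bool, messages: list) -> tuple:
    """Feed a message sequence to a fresh server; return (replies, opened channels)."""
    server = ServerTransport(valid_credentials={"alice": "correct horse"},
                             enforce_auth_state=enforce_auth_state)
    replies = [server.handle(m) for m in messages]
    return replies, list(server.channels)


# Constructed sample sequences: one that omits userauth entirely, one that
# authenticates first, and one whose authentication attempt fails.
SKIP_AUTH = [Message(MSG_CHANNEL_OPEN, {"channel_type": "session"})]
WITH_AUTH = [
    Message(MSG_USERAUTH_REQUEST, {"user": "alice", "password": "correct horse"}),
    Message(MSG_CHANNEL_OPEN, {"channel_type": "session"}),
]
FAILED_AUTH = [
    Message(MSG_USERAUTH_REQUEST, {"user": "alice", "password": "wrong"}),
    Message(MSG_CHANNEL_OPEN, {"channel_type": "session"}),
]

if __name__ == "__main__":
    print("unchecked server, no auth:  ", run_session(False, SKIP_AUTH))
    print("checked server, no auth:    ", run_session(True, SKIP_AUTH))
    print("checked server, failed auth:", run_session(True, FAILED_AUTH))
    print("checked server, with auth:  ", run_session(True, WITH_AUTH))
```

The design point is that the state check lives in the dispatcher, ahead of every per-message handler, rather than inside the channel-open handler alone; that way any future connection-layer message added to `POST_AUTH_ONLY` is gated the same way, and the server's log records each rejected pre-auth request for detection purposes.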
Comment 1 Virgil Dupras (RETIRED) gentoo-dev 2018-08-23 11:06:05 UTC
We will have to stabilize alpha first, which depends on bug 647562. Because it could take a while, maybe we should mask 2.1.2 (the current stable version for alpha).

I don't see, in revdep, any version constraint that would require us to keep anything below 2.4.1.
Comment 2 Larry the Git Cow gentoo-dev 2018-08-23 12:15:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef708bfa3da9a5d0ffa1485e16292723d4664e6b

commit ef708bfa3da9a5d0ffa1485e16292723d4664e6b
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-23 12:13:25 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-23 12:14:48 +0000

    profiles: mask vulnerable versions of dev-python/paramiko
    
    Bug: https://bugs.gentoo.org/664346

 profiles/arch/alpha/package.use.mask | 4 ++++
 profiles/package.mask                | 4 ++++
 2 files changed, 8 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2018-08-23 13:11:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2617dd4dd47aacc4bfed6787dc9b9c65ab6bb2b

commit e2617dd4dd47aacc4bfed6787dc9b9c65ab6bb2b
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-23 13:09:02 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-23 13:10:38 +0000

    dev-python/paramiko: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/664346
    Package-Manager: Portage-2.3.48, Repoman-2.3.10

 dev-python/paramiko/Manifest              |  3 --
 dev-python/paramiko/paramiko-2.2.1.ebuild | 45 --------------------------
 dev-python/paramiko/paramiko-2.3.1.ebuild | 52 -----------------------------
 dev-python/paramiko/paramiko-2.4.0.ebuild | 54 -------------------------------
 4 files changed, 154 deletions(-)
Comment 4 Virgil Dupras (RETIRED) gentoo-dev 2018-10-05 18:22:01 UTC
Now that alpha was keyworded, we can start stabilization.

Alpha, please stabilize:

=dev-python/paramiko-2.4.1
=dev-python/pynacl-1.2.1

Thanks!
Comment 5 Stabilization helper bot gentoo-dev 2018-10-05 19:00:35 UTC
An automated check of this bug failed - repoman reported dependency errors (2 lines truncated): 

> dependency.bad dev-python/pynacl/pynacl-1.2.1.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=dev-python/hypothesis-3.27.0[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']
> dependency.bad dev-python/pynacl/pynacl-1.2.1.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-python/hypothesis-3.27.0[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']
> dependency.bad dev-python/pynacl/pynacl-1.2.1.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-python/hypothesis-3.27.0[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']
Comment 6 Stabilization helper bot gentoo-dev 2018-10-05 20:00:38 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-10-13 06:57:43 UTC
Stable on alpha.
Comment 8 Larry the Git Cow gentoo-dev 2018-10-13 12:54:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0e97bc46d463f386d48b2a26dccc9493407903a

commit e0e97bc46d463f386d48b2a26dccc9493407903a
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-13 12:53:26 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-13 12:53:26 +0000

    profiles: remove obsolete paramiko masks
    
    Bug: https://bugs.gentoo.org/664346
    
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 profiles/arch/alpha/package.use.mask | 4 ----
 profiles/package.mask                | 4 ----
 2 files changed, 8 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f212b2b47de2f73f65316a340f840d8bae8bd7c

commit 6f212b2b47de2f73f65316a340f840d8bae8bd7c
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-13 12:51:57 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-13 12:51:57 +0000

    dev-python/paramiko: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/664346
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-python/paramiko/Manifest              |  1 -
 dev-python/paramiko/paramiko-2.1.2.ebuild | 42 -------------------------------
 2 files changed, 43 deletions(-)
Comment 9 Virgil Dupras (RETIRED) gentoo-dev 2018-10-13 12:54:59 UTC
Stabilization complete, cleanup done.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-12-03 22:24:17 UTC
Cleanup will happen in bug 668876