Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 666619 - dev-python/paramiko: Patch out server functionality behind a masked USE flag
Summary: dev-python/paramiko: Patch out server functionality behind a masked USE flag
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Python Gentoo Team
Depends on:
Reported: 2018-09-20 12:45 UTC by Virgil Dupras
Modified: 2019-12-05 05:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Virgil Dupras gentoo-dev 2018-09-20 12:45:59 UTC
Recently, paramiko had two important security bugs related to its server components (bug 664346 and a bug yet-to-be-created based on ).

Those bugs were serious (login without auth) and, frankly, of the rather "obvious" type. This tells us that the server component of that library wasn't built with security in mind and that we can expect it to still contain important holes.

Because the server component is very seldom used and because its presence require us to go through a rather heavy security process every time a new bug is found, I suggest that we disable the server functionality through patches, patches that can conditionally be applied with a USE flag. We would mask this USE flag with a link to this bug. This way, we can ignore future server-related CVEs.

I made a quick survey of the main revdeps and they didn't seem to use start_server(). In a quick local test I've made, I simply raise an exception at the beginning of start_server() and add a condition to it so that tests can spawn the server (many tests require a server, which might be why paramiko bothers adding that functionality at all). Seems to do the job.

Unless this bug sees opposition, I'll implement this patch in the upcoming 2.4.2 bump, linking the USE flag mask to this bug.
Comment 1 Larry the Git Cow gentoo-dev 2018-09-26 14:04:38 UTC
The bug has been referenced in the following commit(s):

commit 5378291a91a7bd63b67cc9782bbb860abc69c75f
Author:     Virgil Dupras <>
AuthorDate: 2018-09-26 14:02:09 +0000
Commit:     Virgil Dupras <>
CommitDate: 2018-09-26 14:02:09 +0000

    profiles: hard-mask server USE flag on dev-python/paramiko
    For security reasons.
    Signed-off-by: Virgil Dupras <>

 profiles/base/package.use.mask | 6 ++++++
 1 file changed, 6 insertions(+)

commit 28e7e2b6ccd187aa7850b3a9201b6d8b43898905
Author:     Virgil Dupras <>
AuthorDate: 2018-09-26 13:56:25 +0000
Commit:     Virgil Dupras <>
CommitDate: 2018-09-26 14:00:47 +0000

    dev-python/paramiko: bump to 2.4.2
    Also, disable the server feature by default for security reasons. It can
    be re-enabled with the 'server' USE flag, which is going to be
    Package-Manager: Portage-2.3.50, Repoman-2.3.11
    Signed-off-by: Virgil Dupras <>

 dev-python/paramiko/Manifest                       |  1 +
 .../files/paramiko-2.4.2-disable-server.patch      | 46 ++++++++++++++++
 dev-python/paramiko/metadata.xml                   |  3 ++
 dev-python/paramiko/paramiko-2.4.2.ebuild          | 62 ++++++++++++++++++++++
 4 files changed, 112 insertions(+)
Comment 2 Virgil Dupras gentoo-dev 2018-09-26 14:09:18 UTC
Let's keep this bug open and see if a little while if paramiko's security status has improved so that we can unmask or remove that server USE flag.