Change-Id: I2d765ec98a93a81e6d3a596c1bfc6ea1ad52d451
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6497
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,160 @@ |
0 |
+diff -ru a/paramiko/auth_handler.py b/paramiko/auth_handler.py |
|
1 |
+--- a/paramiko/auth_handler.py 2018-03-13 01:02:51.000000000 +0000 |
|
2 |
+@@ -630,17 +630,41 @@ |
|
3 |
+ self.auth_event.set() |
|
4 |
+ return |
|
5 |
+ |
|
6 |
+- _handler_table = { |
|
7 |
++ # TODO: do the same to the other tables, in Transport. |
|
8 |
++ # TODO 3.0: MAY make sense to make these tables into actual |
|
9 |
++ # classes/instances that can be fed a mode bool or whatever. Or, |
|
10 |
++ # alternately (both?) make the message types small classes or enums that |
|
11 |
++ # embed this info within themselves (which could also then tidy up the |
|
12 |
++ # current 'integer -> human readable short string' stuff in common.py). |
|
13 |
++ # TODO: if we do that, also expose 'em publicly. |
|
14 |
++ |
|
15 |
++ # Messages which should be handled _by_ servers (sent by clients) |
|
16 |
++ _server_handler_table = { |
|
17 |
+ MSG_SERVICE_REQUEST: _parse_service_request, |
|
18 |
+- MSG_SERVICE_ACCEPT: _parse_service_accept, |
|
19 |
+ MSG_USERAUTH_REQUEST: _parse_userauth_request, |
|
20 |
++ MSG_USERAUTH_INFO_RESPONSE: _parse_userauth_info_response, |
|
21 |
++ } |
|
22 |
++ |
|
23 |
++ # Messages which should be handled _by_ clients (sent by servers) |
|
24 |
++ _client_handler_table = { |
|
25 |
++ MSG_SERVICE_ACCEPT: _parse_service_accept, |
|
26 |
+ MSG_USERAUTH_SUCCESS: _parse_userauth_success, |
|
27 |
+ MSG_USERAUTH_FAILURE: _parse_userauth_failure, |
|
28 |
+ MSG_USERAUTH_BANNER: _parse_userauth_banner, |
|
29 |
+ MSG_USERAUTH_INFO_REQUEST: _parse_userauth_info_request, |
|
30 |
+- MSG_USERAUTH_INFO_RESPONSE: _parse_userauth_info_response, |
|
31 |
+ } |
|
32 |
+ |
|
33 |
++ # NOTE: prior to the fix for #1283, this was a static dict instead of a |
|
34 |
++ # property. Should be backwards compatible in most/all cases. |
|
35 |
++ @property |
|
36 |
++ def _handler_table(self): |
|
37 |
++ if self.transport.server_mode: |
|
38 |
++ return self._server_handler_table |
|
39 |
++ else: |
|
40 |
++ return self._client_handler_table |
|
41 |
++ |
|
42 |
++ |
|
43 |
++ |
|
44 |
+ |
|
45 |
+ class GssapiWithMicAuthHandler(object): |
|
46 |
+ """A specialized Auth handler for gssapi-with-mic |
|
47 |
+@@ -733,9 +757,15 @@ |
|
48 |
+ self._restore_delegate_auth_handler() |
|
49 |
+ return self._delegate._parse_userauth_request(m) |
|
50 |
+ |
|
51 |
+- _handler_table = { |
|
52 |
++ __handler_table = { |
|
53 |
+ MSG_SERVICE_REQUEST: _parse_service_request, |
|
54 |
+ MSG_USERAUTH_REQUEST: _parse_userauth_request, |
|
55 |
+ MSG_USERAUTH_GSSAPI_TOKEN: _parse_userauth_gssapi_token, |
|
56 |
+ MSG_USERAUTH_GSSAPI_MIC: _parse_userauth_gssapi_mic, |
|
57 |
+ } |
|
58 |
++ |
|
59 |
++ @property |
|
60 |
++ def _handler_table(self): |
|
61 |
++ # TODO: determine if we can cut this up like we did for the primary |
|
62 |
++ # AuthHandler class. |
|
63 |
++ return self.__handler_table |
|
64 |
+diff -ru a/sites/www/changelog.rst b/sites/www/changelog.rst |
|
65 |
+--- a/sites/www/changelog.rst 2018-03-13 01:02:51.000000000 +0000 |
|
66 |
+@@ -3,6 +3,18 @@ |
|
67 |
+ ========= |
|
68 |
+ |
|
69 |
+ * :release:`2.1.5 <2018-03-12>` |
|
70 |
++- :bug:`1283 (1.17+)` Fix exploit (CVE-2018-1000805) in Paramiko's server mode |
|
71 |
++ (**not** client mode) where hostile clients could trick the server into |
|
72 |
++ thinking they were authenticated without actually submitting valid |
|
73 |
++ authentication. |
|
74 |
++ |
|
75 |
++ Specifically, steps have been taken to start separating client and server |
|
76 |
++ related message types in the message handling tables within ``Transport`` and |
|
77 |
++ ``AuthHandler``; this work is not complete but enough has been performed to |
|
78 |
++ close off this particular exploit (which was the only obvious such exploit |
|
79 |
++ for this particular channel). |
|
80 |
++ |
|
81 |
++ Thanks to Daniel Hoffman for the detailed report. |
|
82 |
+ * :release:`2.0.8 <2018-03-12>` |
|
83 |
+ * :bug:`1175 (1.17+)` Fix a security flaw (CVE-2018-7750) in Paramiko's server |
|
84 |
+ mode (emphasis on **server** mode; this does **not** impact *client* use!) |
|
85 |
+diff -ru a/tests/test_transport.py b/tests/test_transport.py |
|
86 |
+--- a/tests/test_transport.py 2018-03-13 01:02:51.000000000 +0000 |
|
87 |
+@@ -33,15 +33,16 @@ |
|
88 |
+ |
|
89 |
+ from paramiko import ( |
|
90 |
+ Transport, SecurityOptions, ServerInterface, RSAKey, DSSKey, SSHException, |
|
91 |
+- ChannelException, Packetizer, Channel, |
|
92 |
++ ChannelException, Packetizer, Channel, AuthHandler, |
|
93 |
+ ) |
|
94 |
+ from paramiko import AUTH_FAILED, AUTH_SUCCESSFUL |
|
95 |
+ from paramiko import OPEN_SUCCEEDED, OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED |
|
96 |
+ from paramiko.common import ( |
|
97 |
+ MSG_KEXINIT, cMSG_CHANNEL_WINDOW_ADJUST, MIN_PACKET_SIZE, MIN_WINDOW_SIZE, |
|
98 |
+- MAX_WINDOW_SIZE, DEFAULT_WINDOW_SIZE, DEFAULT_MAX_PACKET_SIZE, |
|
99 |
++ MAX_WINDOW_SIZE, DEFAULT_WINDOW_SIZE, DEFAULT_MAX_PACKET_SIZE, MSG_NAMES, |
|
100 |
++ MSG_UNIMPLEMENTED, MSG_USERAUTH_SUCCESS, |
|
101 |
+ ) |
|
102 |
+-from paramiko.py3compat import bytes |
|
103 |
++from paramiko.py3compat import bytes, byte_chr |
|
104 |
+ from paramiko.message import Message |
|
105 |
+ from tests import skipUnlessBuiltin |
|
106 |
+ from tests.loop import LoopSocket |
|
107 |
+@@ -972,3 +973,49 @@ |
|
108 |
+ assert "forwarding request denied" in str(e) |
|
109 |
+ else: |
|
110 |
+ assert False, "Did not raise SSHException!" |
|
111 |
++ |
|
112 |
++ |
|
113 |
++ def _send_client_message(self, message_type): |
|
114 |
++ self.setup_test_server(connect_kwargs={}) |
|
115 |
++ self.ts._send_message = Mock() |
|
116 |
++ # NOTE: this isn't 100% realistic (most of these message types would |
|
117 |
++ # have actual other fields in 'em) but it suffices to test the level of |
|
118 |
++ # message dispatch we're interested in here. |
|
119 |
++ msg = Message() |
|
120 |
++ # TODO: really not liking the whole cMSG_XXX vs MSG_XXX duality right |
|
121 |
++ # now, esp since the former is almost always just byte_chr(the |
|
122 |
++ # latter)...but since that's the case... |
|
123 |
++ msg.add_byte(byte_chr(message_type)) |
|
124 |
++ self.tc._send_message(msg) |
|
125 |
++ # No good way to actually wait for server action (see above tests re: |
|
126 |
++ # MSG_UNIMPLEMENTED). Grump. |
|
127 |
++ time.sleep(0.1) |
|
128 |
++ |
|
129 |
++ def _expect_unimplemented(self): |
|
130 |
++ # Ensure MSG_UNIMPLEMENTED was sent (implies it hit end of loop instead |
|
131 |
++ # of truly handling the given message). |
|
132 |
++ # NOTE: When bug present, this will actually be the first thing that |
|
133 |
++ # fails (since in many cases actual message handling doesn't involve |
|
134 |
++ # sending a message back right away). |
|
135 |
++ assert self.ts._send_message.call_count == 1 |
|
136 |
++ reply = self.ts._send_message.call_args[0][0] |
|
137 |
++ reply.rewind() # Because it's pre-send, not post-receive |
|
138 |
++ assert reply.get_byte() == cMSG_UNIMPLEMENTED |
|
139 |
++ |
|
140 |
++ def test_server_transports_reject_client_message_types(self): |
|
141 |
++ # TODO: handle Transport's own tables too, not just its inner auth |
|
142 |
++ # handler's table. See TODOs in auth_handler.py |
|
143 |
++ for message_type in AuthHandler._client_handler_table: |
|
144 |
++ self._send_client_message(message_type) |
|
145 |
++ self._expect_unimplemented() |
|
146 |
++ # Reset for rest of loop |
|
147 |
++ self.tearDown() |
|
148 |
++ self.setUp() |
|
149 |
++ |
|
150 |
++ def test_server_rejects_client_MSG_USERAUTH_SUCCESS(self): |
|
151 |
++ self._send_client_message(MSG_USERAUTH_SUCCESS) |
|
152 |
++ # Sanity checks |
|
153 |
++ assert not self.ts.authenticated |
|
154 |
++ assert not self.ts.auth_handler.authenticated |
|
155 |
++ # Real fix's behavior |
|
156 |
++ self._expect_unimplemented() |
... | ... |
@@ -3,7 +3,7 @@ |
3 | 3 |
Summary: Python SSH module |
4 | 4 |
Name: paramiko |
5 | 5 |
Version: 2.1.5 |
6 |
-Release: 1%{?dist} |
|
6 |
+Release: 2%{?dist} |
|
7 | 7 |
License: LGPL |
8 | 8 |
Group: System Environment/Security |
9 | 9 |
Vendor: VMware, Inc. |
... | ... |
@@ -11,7 +11,7 @@ Distribution: Photon |
11 | 11 |
URL: http://www.paramiko.org/ |
12 | 12 |
Source0: https://github.com/paramiko/paramiko/archive/paramiko-%{version}.tar.gz |
13 | 13 |
%define sha1 paramiko=0f1e47ec1822964aeb96974562716c834292962c |
14 |
- |
|
14 |
+Patch0: paramiko-CVE-2018-1000805.patch |
|
15 | 15 |
BuildArch: noarch |
16 | 16 |
|
17 | 17 |
BuildRequires: python-setuptools |
... | ... |
@@ -48,6 +48,7 @@ Python 3 version. |
48 | 48 |
|
49 | 49 |
%prep |
50 | 50 |
%setup -q |
51 |
+%patch0 -p1 |
|
51 | 52 |
|
52 | 53 |
%build |
53 | 54 |
python2 setup.py build |
... | ... |
@@ -81,6 +82,8 @@ LANG=en_US.UTF-8 python3 test.py |
81 | 81 |
%{python3_sitelib}/* |
82 | 82 |
|
83 | 83 |
%changelog |
84 |
+* Fri Jan 11 2019 Siju Maliakkal <smaliakkal@vmware.com> 2.1.5-2 |
|
85 |
+- Applied patch for CVE-2018-1000805 |
|
84 | 86 |
* Mon Apr 16 2018 Xiaolin Li <xiaolinl@vmware.com> 2.1.5-1 |
85 | 87 |
- Update version to 2.1.5 for CVE-2018-1000132 |
86 | 88 |
* Tue Jul 25 2017 Divya Thaluru <dthaluru@vmware.com> 2.1.2-5 |