Browse code
Apply patch for CVE-2018-1000805 for paramiko
Change-Id: I5abc8b0457cac5f080c8e12d736908ff7030af3d
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6607
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
smaliakkal authored on 2019/01/29 11:17:52Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,66 @@ |
| 0 |
+diff -ru a/paramiko/auth_handler.py b/paramiko/auth_handler.py |
|
| 1 |
+--- a/paramiko/auth_handler.py 2019-01-25 18:56:51.783771842 +0000 |
|
| 2 |
+@@ -603,13 +603,37 @@ |
|
| 3 |
+ return |
|
| 4 |
+ self._send_auth_result(self.auth_username, 'keyboard-interactive', result) |
|
| 5 |
+ |
|
| 6 |
+- _handler_table = {
|
|
| 7 |
++ # TODO: do the same to the other tables, in Transport. |
|
| 8 |
++ # TODO 3.0: MAY make sense to make these tables into actual |
|
| 9 |
++ # classes/instances that can be fed a mode bool or whatever. Or, |
|
| 10 |
++ # alternately (both?) make the message types small classes or enums that |
|
| 11 |
++ # embed this info within themselves (which could also then tidy up the |
|
| 12 |
++ # current 'integer -> human readable short string' stuff in common.py). |
|
| 13 |
++ # TODO: if we do that, also expose 'em publicly. |
|
| 14 |
++ |
|
| 15 |
++ # Messages which should be handled _by_ servers (sent by clients) |
|
| 16 |
++ _server_handler_table = {
|
|
| 17 |
+ MSG_SERVICE_REQUEST: _parse_service_request, |
|
| 18 |
+- MSG_SERVICE_ACCEPT: _parse_service_accept, |
|
| 19 |
+ MSG_USERAUTH_REQUEST: _parse_userauth_request, |
|
| 20 |
++ MSG_USERAUTH_INFO_RESPONSE: _parse_userauth_info_response, |
|
| 21 |
++ } |
|
| 22 |
++ |
|
| 23 |
++ # Messages which should be handled _by_ clients (sent by servers) |
|
| 24 |
++ _client_handler_table = {
|
|
| 25 |
++ MSG_SERVICE_ACCEPT: _parse_service_accept, |
|
| 26 |
+ MSG_USERAUTH_SUCCESS: _parse_userauth_success, |
|
| 27 |
+ MSG_USERAUTH_FAILURE: _parse_userauth_failure, |
|
| 28 |
+ MSG_USERAUTH_BANNER: _parse_userauth_banner, |
|
| 29 |
+ MSG_USERAUTH_INFO_REQUEST: _parse_userauth_info_request, |
|
| 30 |
+- MSG_USERAUTH_INFO_RESPONSE: _parse_userauth_info_response, |
|
| 31 |
+ } |
|
| 32 |
++ |
|
| 33 |
++ # NOTE: prior to the fix for #1283, this was a static dict instead of a |
|
| 34 |
++ # property. Should be backwards compatible in most/all cases. |
|
| 35 |
++ @property |
|
| 36 |
++ def _handler_table(self): |
|
| 37 |
++ if self.transport.server_mode: |
|
| 38 |
++ return self._server_handler_table |
|
| 39 |
++ else: |
|
| 40 |
++ return self._client_handler_table |
|
| 41 |
++ |
|
| 42 |
++ |
|
| 43 |
+diff -ru a/sites/www/changelog.rst b/sites/www/changelog.rst |
|
| 44 |
+--- a/sites/www/changelog.rst 2019-01-25 18:56:51.795771784 +0000 |
|
| 45 |
+@@ -3,6 +3,18 @@ |
|
| 46 |
+ ========= |
|
| 47 |
+ |
|
| 48 |
+ * :release:`1.17.6 <2018-03-12>` |
|
| 49 |
++- :bug:`1283 (1.17+)` Fix exploit (CVE-2018-1000805) in Paramiko's server mode |
|
| 50 |
++ (**not** client mode) where hostile clients could trick the server into |
|
| 51 |
++ thinking they were authenticated without actually submitting valid |
|
| 52 |
++ authentication. |
|
| 53 |
++ |
|
| 54 |
++ Specifically, steps have been taken to start separating client and server |
|
| 55 |
++ related message types in the message handling tables within ``Transport`` and |
|
| 56 |
++ ``AuthHandler``; this work is not complete but enough has been performed to |
|
| 57 |
++ close off this particular exploit (which was the only obvious such exploit |
|
| 58 |
++ for this particular channel). |
|
| 59 |
++ |
|
| 60 |
++ Thanks to Daniel Hoffman for the detailed report. |
|
| 61 |
+ * :bug:`1175 (1.17+)` Fix a security flaw (CVE-2018-7750) in Paramiko's server |
|
| 62 |
+ mode (emphasis on **server** mode; this does **not** impact *client* use!) |
|
| 63 |
+ where authentication status was not checked before processing channel-open |
| ... | ... |
@@ -4,7 +4,7 @@ |
| 4 | 4 |
Summary: Python SSH module |
| 5 | 5 |
Name: paramiko |
| 6 | 6 |
Version: 1.17.6 |
| 7 |
-Release: 1%{?dist}
|
|
| 7 |
+Release: 2%{?dist}
|
|
| 8 | 8 |
License: LGPL |
| 9 | 9 |
Group: System Environment/Security |
| 10 | 10 |
Vendor: VMware, Inc. |
| ... | ... |
@@ -12,6 +12,7 @@ Distribution: Photon |
| 12 | 12 |
URL: http://www.paramiko.org/ |
| 13 | 13 |
Source0: https://github.com/paramiko/paramiko/archive/paramiko-%{version}.tar.gz
|
| 14 | 14 |
%define sha1 paramiko=976685cac8faed4269e09eaa112372cbd0d2803c |
| 15 |
+Patch0: paramiko-CVE-2018-1000805.patch |
|
| 15 | 16 |
BuildArch: noarch |
| 16 | 17 |
|
| 17 | 18 |
BuildRequires: python-setuptools |
| ... | ... |
@@ -40,6 +41,7 @@ Requires: python3-ecdsa > 0.11 |
| 40 | 40 |
Python 3 version. |
| 41 | 41 |
%prep |
| 42 | 42 |
%setup -q |
| 43 |
+%patch0 -p1 |
|
| 43 | 44 |
|
| 44 | 45 |
%build |
| 45 | 46 |
python setup.py build |
| ... | ... |
@@ -67,6 +69,8 @@ python3 setup.py install -O1 --skip-build \ |
| 67 | 67 |
%{python3_sitelib}/*
|
| 68 | 68 |
|
| 69 | 69 |
%changelog |
| 70 |
+* Mon Jan 28 2019 Siju Maliakkal <smaliakkal@vmware.com> 1.17.6-2 |
|
| 71 |
+- Applied patch for CVE-2018-1000805 |
|
| 70 | 72 |
* Thu Apr 19 2018 Xiaolin Li <xiaolinl@vmware.com> 1.17.6-1 |
| 71 | 73 |
- Updated to version 1.17.6, fix CVE-2018-7750 |
| 72 | 74 |
* Thu Sep 07 2017 Kumar Kaushik <kaushikk@vmware.com> 1.17.3-1 |