diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f89c826
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/paramiko-2.1.1.tar.gz
diff --git a/.python-paramiko.metadata b/.python-paramiko.metadata
new file mode 100644
index 0000000..be221db
--- /dev/null
+++ b/.python-paramiko.metadata
@@ -0,0 +1 @@
+0418c2fb8d2b8d1f4b86ac954ec31d5ba77d9956 SOURCES/paramiko-2.1.1.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 5231011..0000000
--- a/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch
-for CentOS-4, 5 or 6. If you find this file in a distro specific branch, it
-means that no content has been checked in yet
-
-More information on how these git repositories are setup, is available at
-http://wiki.centos.org/Sources
diff --git a/SOURCES/CVE-2018-7750.diff b/SOURCES/CVE-2018-7750.diff
new file mode 100644
index 0000000..cc52991
--- /dev/null
+++ b/SOURCES/CVE-2018-7750.diff
@@ -0,0 +1,174 @@ +diff --git a/paramiko/common.py b/paramiko/common.py +index 0b0cc2a..50355f6 100644 +--- a/paramiko/common.py ++++ b/paramiko/common.py +@@ -32,6 +32,7 @@ MSG_USERAUTH_INFO_REQUEST, MSG_USERAUTH_INFO_RESPONSE = range(60, 62) + MSG_USERAUTH_GSSAPI_RESPONSE, MSG_USERAUTH_GSSAPI_TOKEN = range(60, 62) + MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, MSG_USERAUTH_GSSAPI_ERROR,\ + MSG_USERAUTH_GSSAPI_ERRTOK, MSG_USERAUTH_GSSAPI_MIC = range(63, 67) ++HIGHEST_USERAUTH_MESSAGE_ID = 79 + MSG_GLOBAL_REQUEST, MSG_REQUEST_SUCCESS, MSG_REQUEST_FAILURE = range(80, 83) + MSG_CHANNEL_OPEN, MSG_CHANNEL_OPEN_SUCCESS, MSG_CHANNEL_OPEN_FAILURE, \ + MSG_CHANNEL_WINDOW_ADJUST, MSG_CHANNEL_DATA, MSG_CHANNEL_EXTENDED_DATA, \ +diff --git a/paramiko/transport.py b/paramiko/transport.py +index 7906c9f..31df82a 100644 +--- a/paramiko/transport.py ++++ b/paramiko/transport.py +@@ -49,7 +49,8 @@ from paramiko.common import xffffffff, cMSG_CHANNEL_OPEN, cMSG_IGNORE, \ + MSG_CHANNEL_SUCCESS, MSG_CHANNEL_FAILURE, MSG_CHANNEL_DATA, \ + MSG_CHANNEL_EXTENDED_DATA, MSG_CHANNEL_WINDOW_ADJUST, MSG_CHANNEL_REQUEST, \ + MSG_CHANNEL_EOF, MSG_CHANNEL_CLOSE, MIN_WINDOW_SIZE, MIN_PACKET_SIZE, \ +- MAX_WINDOW_SIZE, DEFAULT_WINDOW_SIZE, DEFAULT_MAX_PACKET_SIZE ++ MAX_WINDOW_SIZE, DEFAULT_WINDOW_SIZE, DEFAULT_MAX_PACKET_SIZE, \ ++ HIGHEST_USERAUTH_MESSAGE_ID + from paramiko.compress import ZlibCompressor, ZlibDecompressor + from paramiko.dsskey import DSSKey + from paramiko.kex_gex import KexGex, KexGexSHA256 +@@ -1720,6 +1721,43 @@ class Transport (threading.Thread, ClosingContextManager): + max_packet_size = self.default_max_packet_size + return clamp_value(MIN_PACKET_SIZE, max_packet_size, MAX_WINDOW_SIZE) + ++ def _ensure_authed(self, ptype, message): ++ """ ++ Checks message type against current auth state. 
++ ++ If server mode, and auth has not succeeded, and the message is of a ++ post-auth type (channel open or global request) an appropriate error ++ response Message is crafted and returned to caller for sending. ++ ++ Otherwise (client mode, authed, or pre-auth message) returns None. ++ """ ++ if ( ++ not self.server_mode ++ or ptype <= HIGHEST_USERAUTH_MESSAGE_ID ++ or self.is_authenticated() ++ ): ++ return None ++ # WELP. We must be dealing with someone trying to do non-auth things ++ # without being authed. Tell them off, based on message class. ++ reply = Message() ++ # Global requests have no details, just failure. ++ if ptype == MSG_GLOBAL_REQUEST: ++ reply.add_byte(cMSG_REQUEST_FAILURE) ++ # Channel opens let us reject w/ a specific type + message. ++ elif ptype == MSG_CHANNEL_OPEN: ++ kind = message.get_text() ++ chanid = message.get_int() ++ reply.add_byte(cMSG_CHANNEL_OPEN_FAILURE) ++ reply.add_int(chanid) ++ reply.add_int(OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED) ++ reply.add_string('') ++ reply.add_string('en') ++ # NOTE: Post-open channel messages do not need checking; the above will ++ # reject attemps to open channels, meaning that even if a malicious ++ # user tries to send a MSG_CHANNEL_REQUEST, it will simply fall under ++ # the logic that handles unknown channel IDs (as the channel list will ++ # be empty.) 
++ return reply + + def run(self): + # (use the exposed "run" method, because if we specify a thread target +@@ -1779,7 +1817,11 @@ class Transport (threading.Thread, ClosingContextManager): + continue + + if ptype in self._handler_table: +- self._handler_table[ptype](self, m) ++ error_msg = self._ensure_authed(ptype, m) ++ if error_msg: ++ self._send_message(error_msg) ++ else: ++ self._handler_table[ptype](self, m) + elif ptype in self._channel_handler_table: + chanid = m.get_int() + chan = self._channels.get(chanid) +diff --git a/tests/test_transport.py b/tests/test_transport.py +index d81ad8f..1305cd5 100644 +--- a/tests/test_transport.py ++++ b/tests/test_transport.py +@@ -32,7 +32,7 @@ from hashlib import sha1 + import unittest + + from paramiko import Transport, SecurityOptions, ServerInterface, RSAKey, DSSKey, \ +- SSHException, ChannelException, Packetizer ++ SSHException, ChannelException, Packetizer, Channel + from paramiko import AUTH_FAILED, AUTH_SUCCESSFUL + from paramiko import OPEN_SUCCEEDED, OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED + from paramiko.common import MSG_KEXINIT, cMSG_CHANNEL_WINDOW_ADJUST, \ +@@ -87,7 +87,11 @@ class NullServer (ServerInterface): + + def check_global_request(self, kind, msg): + self._global_request = kind +- return False ++ # NOTE: for w/e reason, older impl of this returned False always, even ++ # tho that's only supposed to occur if the request cannot be served. 
++ # For now, leaving that the default unless test supplies specific ++ # 'acceptable' request kind ++ return kind == 'acceptable' + + def check_channel_x11_request(self, channel, single_connection, auth_protocol, auth_cookie, screen_number): + self._x11_single_connection = single_connection +@@ -125,7 +129,9 @@ class TransportTest(unittest.TestCase): + self.socks.close() + self.sockc.close() + +- def setup_test_server(self, client_options=None, server_options=None): ++ def setup_test_server( ++ self, client_options=None, server_options=None, connect_kwargs=None, ++ ): + host_key = RSAKey.from_private_key_file(test_path('test_rsa.key')) + public_host_key = RSAKey(data=host_key.asbytes()) + self.ts.add_server_key(host_key) +@@ -139,8 +145,13 @@ class TransportTest(unittest.TestCase): + self.server = NullServer() + self.assertTrue(not event.is_set()) + self.ts.start_server(event, self.server) +- self.tc.connect(hostkey=public_host_key, +- username='slowdive', password='pygmalion') ++ if connect_kwargs is None: ++ connect_kwargs = dict( ++ hostkey=public_host_key, ++ username='slowdive', ++ password='pygmalion', ++ ) ++ self.tc.connect(**connect_kwargs) + event.wait(1.0) + self.assertTrue(event.is_set()) + self.assertTrue(self.ts.is_active()) +@@ -846,3 +857,37 @@ class TransportTest(unittest.TestCase): + self.assertEqual([chan], r) + self.assertEqual([], w) + self.assertEqual([], e) ++ ++ def test_server_rejects_open_channel_without_auth(self): ++ try: ++ self.setup_test_server(connect_kwargs={}) ++ self.tc.open_session() ++ except ChannelException as e: ++ assert e.code == OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED ++ else: ++ assert False, "Did not raise ChannelException!" ++ ++ def test_server_rejects_arbitrary_global_request_without_auth(self): ++ self.setup_test_server(connect_kwargs={}) ++ # NOTE: this dummy global request kind would normally pass muster ++ # from the test server. 
++ self.tc.global_request('acceptable') ++ # Global requests never raise exceptions, even on failure (not sure why ++ # this was the original design...ugh.) Best we can do to tell failure ++ # happened is that the client transport's global_response was set back ++ # to None; if it had succeeded, it would be the response Message. ++ err = "Unauthed global response incorrectly succeeded!" ++ assert self.tc.global_response is None, err ++ ++ def test_server_rejects_port_forward_without_auth(self): ++ # NOTE: at protocol level port forward requests are treated same as a ++ # regular global request, but Paramiko server implements a special-case ++ # method for it, so it gets its own test. (plus, THAT actually raises ++ # an exception on the client side, unlike the general case...) ++ self.setup_test_server(connect_kwargs={}) ++ try: ++ self.tc.request_port_forward('localhost', 1234) ++ except SSHException as e: ++ assert "forwarding request denied" in str(e) ++ else: ++ assert False, "Did not raise SSHException!" diff --git a/SPECS/python-paramiko.spec b/SPECS/python-paramiko.spec new file mode 100644 index 0000000..e8150d1 --- /dev/null +++ b/SPECS/python-paramiko.spec 
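Review bot: `_ensure_authed` builds a rejection only for MSG_GLOBAL_REQUEST and MSG_CHANNEL_OPEN, but `run()` calls it for every `_handler_table` type above HIGHEST_USERAUTH_MESSAGE_ID, so an unauthenticated peer that sends any other post-auth type with a handler (the table itself is outside the hunk; the transport.py import context shows e.g. MSG_CHANNEL_OPEN_FAILURE exists) gets a bare `Message()` back. What then happens depends on whether `Message` defines `__bool__`/`__len__`, which the hunk does not show: if an empty Message is truthy, `_send_message` emits a packet with no message-type byte; if it is falsy, the `else` branch dispatches the handler without authentication — neither is what the fix intends, so I would make the three-way outcome explicit in `run()` as below (assuming `Message.asbytes()` exists as used elsewhere in paramiko). Two smaller items in the same hunk: `kind = message.get_text()` is only read to advance past the channel-type string, which deserves `kind = message.get_text()  # consumed only to reach chanid`, and the new constant should say why 79: `HIGHEST_USERAUTH_MESSAGE_ID = 79  # connection-protocol messages (MSG_GLOBAL_REQUEST) start at 80`. The `run()` method starts and ends outside the hunk.
```python
                if ptype in self._handler_table:
                    error_msg = self._ensure_authed(ptype, m)
                    if error_msg is None:
                        self._handler_table[ptype](self, m)
                    elif error_msg.asbytes():
                        self._send_message(error_msg)
                    else:
                        # Post-auth type with no canned rejection (e.g. a
                        # *_SUCCESS/*_FAILURE reply) from an unauthed peer:
                        # drop it rather than dispatch or send an empty packet.
                        pass
                # ... unchanged: _channel_handler_table dispatch ...
```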
@@ -0,0 +1,325 @@ +%global srcname paramiko + +%if 0%{?rhel} && 0%{?rhel} <= 7 +%bcond_with weak_deps +%bcond_with python3 +%else +%bcond_without weak_deps +%bcond_without python3 +%endif + +Name: python-%{srcname} +Version: 2.1.1 +Release: 5%{?dist} +Provides: python2-paramiko = %{version}-%{release} +Summary: SSH2 protocol library for python + +# No version specified. +License: LGPLv2+ +URL: https://github.com/paramiko/paramiko +Source0: %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz + +Patch0: CVE-2018-7750.diff + +BuildArch: noarch + +Requires: python-cryptography +Requires: python2-pyasn1 +BuildRequires: python2-devel +BuildRequires: python-setuptools +BuildRequires: python-cryptography +BuildRequires: python2-pyasn1 +%global paramiko_desc \ +Paramiko (a combination of the esperanto words for "paranoid" and "friend") is\ +a module for python 2.3 or greater that implements the SSH2 protocol for secure\ +(encrypted and authenticated) connections to remote machines. Unlike SSL (aka\ +TLS), the SSH2 protocol does not require heirarchical certificates signed by a\ +powerful central authority. You may know SSH2 as the protocol that replaced\ +telnet and rsh for secure access to remote shells, but the protocol also\ +includes the ability to open arbitrary channels to remote services across an\ +encrypted tunnel. 
(This is how sftp works, for example.)\ + +%description +%{paramiko_desc} + +%if %{with weak_deps} +Recommends: python-gssapi +%endif + +%if %{with python3} +%package -n python%{python3_pkgversion}-%{srcname} +Summary: SSH2 protocol library for python +%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} +BuildRequires: python%{python3_pkgversion}-devel +BuildRequires: python%{python3_pkgversion}-setuptools +BuildRequires: python%{python3_pkgversion}-cryptography +Requires: python%{python3_pkgversion}-cryptography +%if %{with weak_deps} +Recommends: python%{python3_pkgversion}-gssapi +%endif + +%description -n python%{python3_pkgversion}-%{srcname} +%{paramiko_desc} + +Python 3 version. +%endif + +%package doc +Summary: Docs and demo for SSH2 protocol library for python +BuildRequires: /usr/bin/sphinx-build +BuildRequires: python2-sphinx-theme-alabaster +Requires: %{name} = %{version}-%{release} + +%description doc +%{paramiko_desc} + +This is the documentation and demos. 
+ +%prep +%autosetup -n %{srcname}-%{version} -p1 + +chmod a-x demos/* +sed -i -e '/^#!/,1d' demos/* + +%build +CFLAGS="%{optflags}" %{__python} setup.py %{?py_setup_args} build --executable="%{__python2} -s" +%if %{with python3} +%py3_build +%endif + +%install +CFLAGS="%{optflags}" %{__python} setup.py %{?py_setup_args} install -O1 --skip-build --root %{buildroot} +%if %{with python3} +%py3_install +%endif + +sphinx-build -b html sites/docs/ html/ +rm -f html/.buildinfo + +%check +%{__python2} ./test.py --no-sftp --no-big-file +%if %{with python3} +%{__python3} ./test.py --no-sftp --no-big-file +%endif + +%files -n python-%{srcname} +%license LICENSE +%doc NEWS README.rst +%{python2_sitelib}/%{srcname}-*.egg-info/ +%{python2_sitelib}/%{srcname}/ + +%if %{with python3} +%files -n python%{python3_pkgversion}-%{srcname} +%license LICENSE +%doc NEWS README.rst +%{python3_sitelib}/%{srcname}-*.egg-info/ +%{python3_sitelib}/%{srcname}/ +%endif + +%files doc +%doc html/ demos/ + +%changelog +* Fri Jul 20 2018 Jake Hunsaker - 2.1.1-5 +- Rebuild for move from Extras to Base for 7.6 + +* Thu Mar 22 2018 Pavel Cahyna - 2.1.1-4 +- Add a dependency on python2-pyasn1. It used to be a dependency + of python2-cryptography, but it is not the case with newer versions. + (RHBZ #1559133) + +* Wed Mar 21 2018 Pavel Cahyna - 2.1.1-3 +- Fix a security flaw (CVE-2018-7750) in Paramiko's server + mode (emphasis on **server** mode; this does **not** impact *client* use!) + Backported from 2.1.5. 
+ Resolves #1557142 + +* Fri May 12 2017 Pavel Cahyna - 2.1.1-2 +- Rebuild for RHEL 7.4 Extras + +* Thu Jan 05 2017 Troy Dawson 2.1.1-1 +- Update to 2.1.1 + +* Fri Jul 08 2016 Jon Schlueter 2.0.0-1.0 +- Rebuild + +* Fri Apr 29 2016 Igor Gnatenko - 2.0.0-1 +- Update to 2.0.0 (RHBZ #1331737) + +* Sun Mar 27 2016 Igor Gnatenko - 1.16.0-1 +- Update to 1.16.0 +- Adopt to new packaging guidelines + +* Thu Feb 04 2016 Fedora Release Engineering - 1.15.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Nov 10 2015 Fedora Release Engineering - 1.15.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 + +* Thu Jun 18 2015 Fedora Release Engineering - 1.15.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sun Mar 22 2015 Peter Robinson 1.15.2-2 +- Use %%license +- Move duplicated docs to single doc sub package +- Remove old F-15 conditionals + +* Tue Dec 23 2014 Athmane Madjoudj 1.15.2-1 +- Update to 1.15.2 + +* Mon Nov 24 2014 Athmane Madjoudj 1.15.1-5 +- Add conditional to exclude EL since does not have py3 + +* Sat Nov 15 2014 Athmane Madjoudj 1.15.1-4 +- py3dir creation should be in prep section + +* Fri Nov 14 2014 Athmane Madjoudj 1.15.1-3 +- Build each pkg in a clean dir + +* Fri Nov 14 2014 Athmane Madjoudj 1.15.1-2 +- Add support for python3 +- Add BR -devel for python macros. + +* Fri Oct 17 2014 Jeffrey C. 
Ollie - 1.15.1-1 +- Update to 1.15.1 + +* Fri Jun 13 2014 Orion Poplawski - 1.12.4-1 +- Update to 1.12.4 + +* Sat Jun 07 2014 Fedora Release Engineering - 1.12.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Feb 25 2014 Orion Poplawski - 1.12.2-1 +- Update to 1.12.2 + +* Wed Jan 22 2014 Orion Poplawski - 1.11.3-1 +- Update to 1.11.3 + +* Mon Oct 21 2013 Orion Poplawski - 1.11.0-1 +- Update to 1.11.0 + +* Sun Aug 04 2013 Fedora Release Engineering - 1.10.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu May 9 2013 Jeffrey Ollie - 1.10.1-1 +- Update to 1.10.1 + +* Thu Feb 14 2013 Fedora Release Engineering - 1.9.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 2 2013 Jeffrey Ollie - 1.9.0-1 +- Update to 1.9.0 + +* Sat Jul 21 2012 Fedora Release Engineering - 1.7.7.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sat Jan 14 2012 Fedora Release Engineering - 1.7.7.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Jul 6 2011 Jeffrey C. Ollie - 1.7.7.1-1 +- v1.7.7.1 (George) 21may11 +- ------------------------- +- * Make the verification phase of SFTP.put optional (Larry Wright) +- * Patches to fix AIX support (anonymous) +- * Patch from Michele Bertoldi to allow compression to be turned on in the +- client constructor. +- * Patch from Shad Sharma to raise an exception if the transport isn't active +- when you try to open a new channel. 
+- * Stop leaking file descriptors in the SSH agent (John Adams) +- * More fixes for Windows address family support (Andrew Bennetts) +- * Use Crypto.Random rather than Crypto.Util.RandomPool +- (Gary van der Merwe, #271791) +- * Support for openssl keys (tehfink) +- * Fix multi-process support by calling Random.atfork (sugarc0de) + +* Tue Feb 08 2011 Fedora Release Engineering - 1.7.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Jan 4 2011 Toshio Kuratomi - 1.7.6-3 +- Patch to address deprecation warning from pycrypto +- Simplify build as shown in new python guidelines +- Enable test suite + +* Thu Jul 22 2010 David Malcolm - 1.7.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild + +* Mon Nov 2 2009 Jeffrey C. Ollie - 1.7.6-1 +- v1.7.6 (Fanny) 1nov09 +- --------------------- +- * fixed bugs 411099 (sftp chdir isn't unicode-safe), 363163 & 411910 (more +- IPv6 problems on windows), 413850 (race when server closes the channel), +- 426925 (support port numbers in host keys) + +* Tue Oct 13 2009 Jeremy Katz - 1.7.5-2 +- Fix race condition (#526341) + +* Thu Jul 23 2009 Jeffrey C. Ollie - 1.7.5-1 +- v1.7.5 (Ernest) 19jul09 +- ----------------------- +- * added support for ARC4 cipher and CTR block chaining (Denis Bernard) +- * made transport threads daemonize, to fix python 2.6 atexit behavior +- * support unicode hostnames, and IP6 addresses (Maxime Ripard, Shikhar +- Bhushan) +- * various small bug fixes + +* Thu Feb 26 2009 Fedora Release Engineering - 1.7.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Feb 16 2009 Jeffrey C. Ollie - 1.7.4-4 +- Add demos as documentation. BZ#485742 + +* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 1.7.4-3 +- Rebuild for Python 2.6 + +* Wed Sep 3 2008 Tom "spot" Callaway - 1.7.4-2 +- fix license tag + +* Sun Jul 6 2008 Jeffrey C. Ollie - 1.7.4-1 +- Update to 1.7.4 + +* Mon Mar 24 2008 Jeffrey C. Ollie - 1.7.3-1 +- Update to 1.7.3. 
+ +* Tue Jan 22 2008 Jeffrey C. Ollie - 1.7.2-1 +- Update to 1.7.2. +- Remove upstreamed patch. + +* Mon Jan 14 2008 Jeffrey C. Ollie - 1.7.1-3 +- Update to latest Python packaging guidelines. +- Apply patch that fixes insecure use of RandomPool. + +* Thu Jul 19 2007 Jeffrey C. Ollie - 1.7.1-2 +- Bump rev + +* Thu Jul 19 2007 Jeffrey C. Ollie - 1.7.1-1 +- Update to 1.7.1 + +* Sat Dec 09 2006 Toshio Kuratomi - 1.6.4-1 +- Update to 1.6.4 +- Upstream is now shipping tarballs +- Bump for python 2.5 in devel + +* Mon Oct 9 2006 Jeffrey C. Ollie - 1.6.2-1 +- Update to 1.6.2 + +* Sat Sep 16 2006 Shahms E. King 1.6.1-3 +- Rebuild for FC6 + +* Fri Aug 11 2006 Shahms E. King 1.6.1-2 +- Include, don't ghost .pyo files per new guidelines + +* Tue Aug 08 2006 Shahms E. King 1.6.1-1 +- Update to new upstream version + +* Fri Jun 02 2006 Shahms E. King 1.6-1 +- Update to new upstream version +- ghost the .pyo files + +* Fri May 05 2006 Shahms E. King 1.5.4-2 +- Fix source line and rebuild + +* Fri May 05 2006 Shahms E. King 1.5.4-1 +- Update to new upstream version + +* Wed Apr 12 2006 Shahms E. King 1.5.3-1 + - Initial package