| Summary: | python-paramiko new security issue CVE-2022-24302 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | python-paramiko-2.7.2-1.mga8.src.rpm | CVE: | CVE-2022-24302 |
| Status comment: | |||
Description
David Walser
2022-03-21 21:45:24 CET
David Walser
2022-03-21 21:45:35 CET
Whiteboard: (none) => MGA8TOO

Many different people have maintained this, so have to assign it globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated package fixes a security vulnerability:

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure. (CVE-2022-24302)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24302
https://www.debian.org/lts/security/2022/dla-2959
========================

Updated package in core/updates_testing:
========================
python3-paramiko-2.7.2-1.1.mga8

from SRPM:
python-paramiko-2.7.2-1.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs

MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 25904 for testing, but I have no idea (well, only a little) what this is about. Leaving for others.

CC: (none) => herman.viaene

Ubuntu has issued an advisory for this today (March 28):
https://ubuntu.com/security/notices/USN-5351-1

Fedora has issued an advisory for this on March 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U63MJ2VOLLQ35R7CYNREUHSXYLWNPVSB/

mga8, x64
Installed python-paramiko before updating. That dragged in a lot of extra packages. Found a script at stackoverflow which exercises python-paramiko. Modified it for local use and tried to run it. It is supposed to run a couple of commands on a machine elsewhere on the LAN but I could not get past the passphrase stage for SSL - forgotten what it was but accepted that the script was working as far as paramiko is concerned and backed out.
After updating I tried out duplicity, one of the few applications which use paramiko. Not sure if I was running it correctly but it appeared to be performing a direct backup (file copies). Ran the restore command under strace for a subdirectory of the data.
In both cases the user has to enter the passphrase for the key - it seems to use the GNOME keyring - .gpg files.
$ duplicity full /data/images file:///run/media/lcl/gemma/
$ strace -o duplicity.trace duplicity restore Bournemouth file:///run/media/lcl/gemma/images
$ grep paramiko duplicity.trace
stat("/usr/lib64/python3.8/site-packages/duplicity/backends/ssh_paramiko_backend.py", {st_mode=S_IFREG|0644, st_size=19122, ...}) = 0
stat("/usr/lib64/python3.8/site-packages/duplicity/backends/ssh_paramiko_backend.py", {st_mode=S_IFREG|0644, st_size=19122, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/duplicity/backends/__pycache__/ssh_paramiko_backend.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 3
That is as far as I can take this - all a bit above my pay grade.
Giving it an OK for 64-bits.

CC: (none) => tarazed25

A good effort, guys. Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Dave Hodgins
2022-04-09 19:54:48 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0132.html

Resolution: (none) => FIXED
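The advisory in this bug describes CVE-2022-24302 in one sentence: a key file is created first and only chmod'ed to 0600 afterwards, so another local user can read it in the window between the two calls. The example below is added here to make that window visible; it is my own illustration, not paramiko's code and not the upstream 2.10.1 patch. It assumes a POSIX host, a constructed fake key body (`DEMO_KEY`), a typical umask of 0o022, and a hypothetical `between` hook that stands in for another process being scheduled inside the window. The hardened variant asks the kernel for 0o600 at creation time with `os.open` and then `fchmod`s the descriptor, which also covers a file that already existed with wider permissions (the mode argument to `os.open` only applies when the file is created).

```python
import os
import stat
import tempfile
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for a private key body; not a real key.
DEMO_KEY = (
    b"-----BEGIN DEMO PRIVATE KEY-----\n"
    b"not-a-real-key\n"
    b"-----END DEMO PRIVATE KEY-----\n"
)

Hook = Optional[Callable[[], None]]


def mode_of(path: str) -> int:
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_racy(path: str, data: bytes, between: Hook = None) -> None:
    """The pattern the advisory describes: create the file with whatever the
    process umask allows, write the secret, and only then chmod to 0600.
    `between` is a hypothetical hook simulating a concurrent reader."""
    with open(path, "wb") as f:  # created as 0o666 & ~umask, usually 0o644
        f.write(data)
    if between is not None:
        between()  # the key is on disk and world-readable right here
    os.chmod(path, 0o600)


def write_key_safe(path: str, data: bytes, between: Hook = None) -> None:
    """Hardened form: request 0600 atomically at creation, tighten a
    pre-existing file with fchmod, and only then write the secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        if between is not None:
            between()  # file exists but nothing secret has been written yet
        os.fchmod(fd, 0o600)  # covers the case where the file already existed
        os.write(fd, data)
    finally:
        os.close(fd)


def observe_window(writer: Callable[..., None], umask: int = 0o022) -> Tuple[int, int]:
    """Run `writer` under the given umask in a fresh temp dir and return
    (mode seen inside the creation/chmod window, final mode on disk)."""
    seen: Dict[str, int] = {}
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "id_demo")
            writer(path, DEMO_KEY, between=lambda: seen.update(mid=mode_of(path)))
            return seen["mid"], mode_of(path)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, fn in (("racy", write_key_racy), ("safe", write_key_safe)):
        mid, final = observe_window(fn)
        print(f"{name}: mode inside window {mid:o}, final mode {final:o}")
```

Under umask 0o022 the racy writer leaves the file at 0o644 inside the window and 0o600 afterwards, while the hardened writer is 0o600 throughout. Note that the racy writer is only safe by accident when the umask happens to be 0o077, which is why the check in `observe_window` takes the umask explicitly rather than trusting the shell's default.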