python-paramiko 1.16.0-1 incompatible with python-crypto 2.6.1-6ubuntu0.16.04.1

Bug #1665565 reported by Kenneth Henderick
This bug affects 20 people
Affects                      Status        Importance   Assigned to            Milestone
MySQL Workbench              Invalid       Undecided    Unassigned
OpenStack Charm Test Infra   Fix Released  Critical     Ryan Beisner
paramiko (Ubuntu)            Invalid       Critical     Ubuntu Security Team

Bug Description

Since python-crypto 2.6.1-6ubuntu0.16.04.1 landed, python-paramiko 1.16.0-1 no longer seems to work.

/usr/lib/python2.7/dist-packages/paramiko/client.pyc in connect(self, hostname, port, username, password, pkey, key_filename, timeout, allow_agent, look_for_keys, compress, sock, gss_auth, gss_kex, gss_deleg_creds, gss_host, banner_timeout)
    323 if banner_timeout is not None:
    324 t.banner_timeout = banner_timeout
--> 325 t.start_client()
    326 ResourceManager.register(self, t)
    327

/usr/lib/python2.7/dist-packages/paramiko/transport.pyc in start_client(self, event)
    490 e = self.get_exception()
    491 if e is not None:
--> 492 raise e
    493 raise SSHException('Negotiation failed.')
    494 if event.is_set():

ValueError: CTR mode needs counter parameter, not IV

Seems related to the fix for CVE-2013-7459

Extra information:

root@kh001:~# lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04

root@kh001:~# apt-cache policy python-paramiko
python-paramiko:
  Installed: 1.16.0-1
  Candidate: 1.16.0-1
  Version table:
 *** 1.16.0-1 500
        500 http://be.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        500 http://be.archive.ubuntu.com/ubuntu xenial/main i386 Packages
        100 /var/lib/dpkg/status

root@kh001:~# apt-cache policy python-crypto
python-crypto:
  Installed: 2.6.1-6ubuntu0.16.04.1
  Candidate: 2.6.1-6ubuntu0.16.04.1
  Version table:
 *** 2.6.1-6ubuntu0.16.04.1 500
        500 http://be.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.6.1-6build1 500
        500 http://be.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

CVE References

CVE-2013-7459
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in paramiko (Ubuntu):
status: New → Confirmed
James Page (james-page) wrote :

Ubuntu OpenStack CI is tripping over this, which is causing quite a lot of issues in our pre-landing tests in the OpenStack charms.

Changed in paramiko (Ubuntu):
importance: Undecided → Critical
Ryan Beisner (1chb1n)
Changed in charm-test-infra:
assignee: nobody → Ryan Beisner (1chb1n)
importance: Undecided → Critical
status: New → Confirmed
Ryan Beisner (1chb1n)
tags: added: uosci
Spandex (spandex) wrote :

Also affects 14.04 (python-paramiko 1.10.1-1git1build1)

Vej (vej)
tags: added: trusty xenial
tags: added: regression-update
Erich E. Hoover (ehoover) wrote :
Gregory M. Blumenthal Scharf (llameadrpc) wrote :

Patch (#4) works for mysql-workbench 6.3 on xenial. Thanks, ehoover!

Erich E. Hoover (ehoover) wrote :

deb-aelwyn gets the credit for this one, I'm just the monkey entering info into the bug report ;)

Adam Jacob Muller (78luphr0rnk2nuqimstywepozxn9kl19tqh0tx66b5dki1xxsh5mkz9gl21a5rlwfnr8jn6ln0m3jxne2k9x1ohg85w3jabxlrqbgszpjpwcmvk-launchpad) wrote :

Can also confirm that the fix works on trusty too; no regressions with a pretty wide set of devices we're connecting to.

Hans Joachim Desserud (hjd) wrote :

With bug 1665598, python-crypto should now print a warning instead of throwing an exception. (This update should be available for 14.04, 16.04 and 16.10 already) Due to the security aspect I assume this is something which should be fixed properly in paramiko, but it doesn't look like it should throw an exception any more.

tags: added: oil
Ryan Beisner (1chb1n) wrote :

Confirmed that installing the updated python-crypto 2.6.1-6ubuntu0.16.04.2 unblocks UOSCI.

I was seeing trace:

Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "/home/ubuntu/bzr/ubuntu-openstack-ci-use-port-cleanup-tool/tools/../common/osci_utils.py", line 635, in ssh_command_check
    pkey=pkey_rsa, timeout=timeout)
  File "/usr/lib/python2.7/dist-packages/paramiko/client.py", line 325, in connect
    t.start_client()
  File "/usr/lib/python2.7/dist-packages/paramiko/transport.py", line 492, in start_client
    raise e
ValueError: CTR mode needs counter parameter, not IV


Now only receive a warning:

/usr/lib/python2.7/dist-packages/Crypto/Cipher/blockalgo.py:141: FutureWarning: CTR mode needs counter parameter, not IV

Changed in charm-test-infra:
status: Confirmed → Fix Released
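The comments above and the bug description identify the affected python-crypto build (2.6.1-6ubuntu0.16.04.1) and the build that carries the regression fix on 16.04 (2.6.1-6ubuntu0.16.04.2). The following is an added example, not code from paramiko, python-crypto or the Ubuntu archive: it parses `apt-cache policy` output like the one pasted in the description and decides whether the installed package is at or past the fixed version, using the dpkg version ordering (epoch, upstream version, Debian revision, with `~` sorting before anything else) rather than a string comparison, which would get `6build1` versus `6ubuntu0.16.04.1` and `16.04.1` versus `16.04.2` wrong. The `FIXED_PYTHON_CRYPTO` table and the function names are assumptions of this example; only the 16.04 version string appears on the page, so the 14.04 and 16.10 builds are deliberately left out.

```python
"""Check whether the installed python-crypto carries the USN-3199-2 regression fix.

Added example (not from paramiko, python-crypto or Ubuntu): parses `apt-cache policy`
output and compares the installed version with the fixed version named in the bug
thread using dpkg's version ordering.
"""
import re
import subprocess

# Fixed build for 16.04 as named in the thread. 14.04 and 16.10 are not on the page.
FIXED_PYTHON_CRYPTO = {"xenial": "2.6.1-6ubuntu0.16.04.2"}


def _order(c):
    """Weight of a non-digit character in dpkg's ordering: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does (<0, 0, >0)."""
    while a or b:
        # Runs of non-digits are compared character by character.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Runs of digits are compared numerically; leading zeros are ignored.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            if first_diff == 0:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1   # a has more digits, so it is the larger number
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision) with dpkg defaults."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    diff = (ea > eb) - (ea < eb)
    if diff == 0:
        diff = _verrevcmp(ua, ub)
    if diff == 0:
        diff = _verrevcmp(ra, rb)
    return (diff > 0) - (diff < 0)


def installed_version(policy_output):
    """Extract the 'Installed:' value from `apt-cache policy` output; None if not installed."""
    m = re.search(r"^\s*Installed:\s*(\S+)", policy_output, re.MULTILINE)
    if m is None or m.group(1) == "(none)":
        return None
    return m.group(1)


def has_regression_fix(policy_output, fixed_version):
    """True when the installed version is at least the fixed version."""
    installed = installed_version(policy_output)
    if installed is None:
        return False
    return compare_versions(installed, fixed_version) >= 0


# Constructed sample: the `apt-cache policy python-crypto` output from the bug description.
SAMPLE_POLICY = """\
python-crypto:
  Installed: 2.6.1-6ubuntu0.16.04.1
  Candidate: 2.6.1-6ubuntu0.16.04.1
  Version table:
 *** 2.6.1-6ubuntu0.16.04.1 500
        500 http://be.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.6.1-6build1 500
        500 http://be.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
"""

if __name__ == "__main__":
    try:
        out = subprocess.check_output(["apt-cache", "policy", "python-crypto"]).decode()
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_POLICY  # not on an apt system: fall back to the constructed sample
    print("installed: %s  regression fix present: %s"
          % (installed_version(out), has_regression_fix(out, FIXED_PYTHON_CRYPTO["xenial"])))
```

Run it on a xenial host to get a yes/no answer before retesting paramiko; on the description's output it reports the fix as absent, which matches the trace above. The same comparison answers whether a paramiko build is still the 1.16 series that the reporter expects to be replaced.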
jowan512 (jowan-sebastian) wrote :

Also breaks Fabric used for web deployment. Patch (#4) works in this case.

Fluwell (fluwell) wrote :
Changed in paramiko (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Marc Deslauriers (mdeslaur) wrote :

This should be fixed now:
https://www.ubuntu.com/usn/usn-3199-2/

I'm closing this bug. Feel free to re-open it if something is still broken after the regression fix is applied. Thanks.

Changed in paramiko (Ubuntu):
status: Confirmed → Invalid
Changed in mysql-workbench:
status: New → Invalid
Kenneth Henderick (kenneth-w) wrote :

One could argue that there's now a warning, which might change the behaviour of some software. I would expect that this ticket (at least the part about the python-paramiko package) would only be resolved once paramiko 1.17 is packaged, replacing the current 1.16.
