[MIR] pysmi, pycryptodome

Bug #1748572 reported by Steve Langasek
Affects Status Importance Assigned to Milestone
pycryptodome (Ubuntu)
High
Unassigned
pysmi (Ubuntu)
High
Unassigned

Bug Description

[Rationale]

The new version of python-pysnmp4 adds dependencies on python-pycryptodome and python-pysmi, so these need to be MIRed.

>> pysmi <<

[Availability]
In universe

[Security]
No history: http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pysmi

[Quality assurance]
Package executes unit tests during package build.

[Dependencies]
All in main.

[Standards compliance]
OK

[Maintenance]
ubuntu-openstack

>> pycryptodome <<

[Availability]
In universe

[Security]
No history: http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pycryptodome

[Quality assurance]
Package executes unit tests during package build.

[Dependencies]
All in main.

[Standards compliance]
OK

[Maintenance]
ubuntu-openstack

[Background]
PyCryptodome is a fork of PyCrypto

Steve Langasek (vorlon)
Changed in pycryptodome (Ubuntu):
status: New → Incomplete
assignee: nobody → Ubuntu OpenStack (ubuntu-openstack)
Revision history for this message
James Page (james-page) wrote :

bug subscriptions added for ubuntu-openstack team.

description: updated
description: updated
James Page (james-page)
Changed in pysmi (Ubuntu):
status: Incomplete → New
description: updated
description: updated
Changed in pycryptodome (Ubuntu):
status: Incomplete → New
James Page (james-page)
Changed in pycryptodome (Ubuntu):
importance: Undecided → High
Changed in pysmi (Ubuntu):
importance: Undecided → High
Changed in pycryptodome (Ubuntu):
milestone: none → ubuntu-18.02
Changed in pysmi (Ubuntu):
milestone: none → ubuntu-18.02
Revision history for this message
James Page (james-page) wrote :

Having pycrypto and pycryptodome both in main seems less than ideal but would like to get a steer from the security team on preference - the rationale for pycryptodome is that pycrypto is unmaintained.

Revision history for this message
James Page (james-page) wrote :

Subscribing ubuntu-security team due to pycryptodome and fork/nasty-ness

Revision history for this message
James Page (james-page) wrote :

https://github.com/openstack/requirements/blob/master/global-requirements.txt#L224

Some further context - this feels like a general ecosystem move to the fork:

# NOTE(dims): pysaml 4.0.3 uses pycryptodome instead of pycrypto, for mitaka
# we cannot switch to pycryptodome as many projects are likely to break. So
# we should block versions higher then 4.0.2. Also, once all projects and
# dependencies like paramiko switch to pycryptodome, we should revisit this
# and fully switch over to pycryptodome and stop using pycrypto
pysaml2>=4.0.2,<4.0.3 # Apache-2.0

Revision history for this message
Matthias Klose (doko) wrote :

please could you track the conversion of packages in main in a separate bug report using different tasks?

Changed in pycryptodome (Ubuntu):
assignee: Ubuntu OpenStack (ubuntu-openstack) → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Seems to me like pysmi would potentially go parse and generate code from MIBs retrieved from the web (those are not necessarily known to be safe). I think this warrants some further code review.

Changed in pysmi (Ubuntu):
assignee: Ubuntu OpenStack (ubuntu-openstack) → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Any progress on this review? This is blocking pyasn1*/python-ldap/389-ds-base from migrating.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello,

   One must avoid having both PyCrypto and PyCryptodome installed
   at the same time, as they will interfere with each other.

Is this a concern for us?

Thanks

Revision history for this message
Steve Langasek (vorlon) wrote :

Seth, it's a concern if the packages don't declare a Breaks or Conflicts with one another. If they don't (I'm not currently in a position to check), could you file a bug on them for this?

If the incompatibility is declared, and proposed-migration says no packages are uninstallable as a result, then it's not ideal but allowable.
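The check Steve describes, whether two packages declare a Breaks or Conflicts against each other, can be done mechanically against their debian/control stanzas. The following is an added example, not code from this bug or from either package; the control stanzas in it are constructed and deliberately simplified (the Breaks line is hypothetical, not the real python-pycryptodome packaging), and a real check would run against the archive's actual control data.

```python
"""Find Breaks/Conflicts declarations between two Debian binary packages.

Added example. The SAMPLE_CONTROL text is constructed for illustration and
its Breaks clause is hypothetical; it is not copied from the real
python-crypto or python-pycryptodome packaging."""
import re

# Constructed debian/control excerpt: three binary stanzas.
SAMPLE_CONTROL = """\
Package: python-pycryptodome
Architecture: any
Depends: ${python:Depends}, ${shlibs:Depends}, ${misc:Depends}
Breaks: python-crypto (<< 2.7), python-pycryptodomex
Description: cryptographic library for Python (hypothetical stanza)

Package: python-crypto
Architecture: any
Depends: ${python:Depends}, ${misc:Depends}
Description: cryptographic algorithms for Python (hypothetical stanza)

Package: python-pysmi
Architecture: all
Depends: ${python:Depends}, python-ply
Description: SNMP SMI/MIB parser (hypothetical stanza)
"""


def parse_control(text):
    """Return {package name: {field: value}} for each stanza in a control file.
    Continuation lines (leading whitespace) are folded into the previous field."""
    stanzas = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        key = None
        for line in block.splitlines():
            if line[:1].isspace() and key:
                fields[key] += " " + line.strip()
            else:
                key, _, value = line.partition(":")
                key = key.strip()
                fields[key] = value.strip()
        if "Package" in fields:
            stanzas[fields["Package"]] = fields
    return stanzas


def split_clauses(value):
    """Split a relationship field into its comma-separated clauses."""
    return [c.strip() for c in value.split(",") if c.strip()]


def clause_names(clause):
    """Package names in one clause, ignoring version constraints ( ... ),
    architecture qualifiers [ ... ] and :arch suffixes; alternatives (a | b)
    are all returned."""
    names = set()
    for alt in clause.split("|"):
        alt = alt.strip()
        if alt:
            names.add(re.split(r"[\s(\[:]", alt, maxsplit=1)[0])
    return names


def incompatibility_declarations(control, a, b):
    """All Breaks/Conflicts clauses between a and b, in either direction,
    as (declaring package, field, clause) tuples. An empty list means the
    two packages are co-installable as far as their metadata is concerned."""
    found = []
    for src, dst in ((a, b), (b, a)):
        fields = control.get(src, {})
        for field in ("Breaks", "Conflicts"):
            for clause in split_clauses(fields.get(field, "")):
                if dst in clause_names(clause):
                    found.append((src, field, clause))
    return found


if __name__ == "__main__":
    ctrl = parse_control(SAMPLE_CONTROL)
    for pair in (("python-crypto", "python-pycryptodome"),
                 ("python-pysmi", "python-pycryptodome")):
        print(pair, incompatibility_declarations(ctrl, *pair))
```

Note the caveat the clause text carries: a versioned Breaks such as `python-crypto (<< 2.7)` only excludes the listed versions, so an empty result is the clear signal, while a non-empty one still needs the version constraint read before concluding the two packages can never be co-installed.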

Revision history for this message
Seth Arnold (seth-arnold) wrote :

I reviewed pycryptodome version 3.4.7-1 as checked into bionic. This is
not a full security audit, but rather a quick gauge of maintainability. I
especially did not investigate if the implementations are properly
constant-timed, free from leaks, implemented correctly, or suitable for
purpose.

One CVE against pycryptodome:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6594.html
Currently unfixed in our packaging. This flaw is shared with python-crypto
which is currently also unfixed. (While we rated it 'Medium', 'Low' might
also be appropriate.)

The fix wasn't exactly quick but the author and interested community
members had a professional discussion of the issue.

- pycryptodome is python-crypto brought back to life
- Build-Depends: dh-python, python-setuptools, python3-setuptools,
  python-all-dev, python3-all-dev, debhelper, python3-sphinx,
  python3-sphinx-rtd-theme
- Does not daemonize
- pre/post inst/rm scripts are automatically generated
- No systemd unit files
- No DBus services
- No setuid files
- No binaries in PATH
- No sudo fragments
- No udev rules
- Large test suite run during the build, not inspected closely
- No cronjobs
- dpkg emits some warnings:
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Provides}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Versions}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Provides}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Versions}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Provides}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Versions}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Provides}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Versions}

- No subprocesses spawned
- Memory management looked careful
- No file IO
- No environment variables
- No privileged functions
- Extensive cryptography
- No networking
- No privileged portions of code
- No temporary files
- No WebKit
- No Javascript
- No policykit
- clean cppcheck

The code has extensive references in the comments throughout, errors are
checked, there are a lot of tests.

Security team ACK for promoting pycryptodome to main.

Thanks

Changed in pycryptodome (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
pycryptodome 3.4.7-1 in bionic: universe/misc -> main
1 publication overridden.
Override component to main
python-pycryptodome 3.4.7-1 in bionic amd64: universe/python/optional/100% -> main
python-pycryptodome 3.4.7-1 in bionic arm64: universe/python/optional/100% -> main
python-pycryptodome 3.4.7-1 in bionic armhf: universe/python/optional/100% -> main
python-pycryptodome 3.4.7-1 in bionic i386: universe/python/optional/100% -> main
python-pycryptodome 3.4.7-1 in bionic ppc64el: universe/python/optional/100% -> main
python-pycryptodome 3.4.7-1 in bionic s390x: universe/python/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic amd64: universe/doc/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic arm64: universe/doc/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic armhf: universe/doc/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic i386: universe/doc/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic ppc64el: universe/doc/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic s390x: universe/doc/optional/100% -> main
12 publications overridden.

Changed in pycryptodome (Ubuntu):
status: New → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I reviewed pysmi version 0.2.2-1 as checked into bionic. This should not
be considered a full security audit but rather a quick gauge of
maintainability.

- No CVEs in our database
- pysmi can parse ASN1 mib files and emit json or python code to work with
  data in the described format; there's infrastructure in place to work
  around bugs in poorly-written mib files, hosted on
  http://mibs.snmplabs.com/

- Build-Depends: debhelper, dh-python, python-all, python3-all,
  python-ply, python3-ply, python-setuptools, python3-setuptools,
  python-pysnmp4, python3-pysnmp4, python3-sphinx,

- No cryptography
- Can do http / ftp / sftp
- Does not daemonize
- Auto-generated pre/post inst/rm scripts
- No initscripts / systemd files
- No DBus services
- No setuid files
- /usr/bin/mibdump in PATH
- No sudo fragments
- No udev rules
- Many tests run during the build
- No cronjobs
- Clean build logs

- No subprocesses spawned
- File handling is slightly complicated:
  - well-known locations can hold files
  - applications can request loading from other locations, including zips,
    remote resources, etc.
  - some of these inputs influence code generation but conversations with
    the author gave me confidence that this is still something we can
    support
- minimal logging, looks safe
- No environment variable use
- No privileged operations
- No cryptography
- Can retrieve files over the network via multiple protocols
- No privileged portions of code
- mkstemp is used when temporary files are created
- No WebKit
- No JavaScript
- No PolicyKit

Code generation is a higher-risk activity but the author answered my
questions quickly and confidently and has a clear threat model in mind
that I believe accurately reflects our needs.

Security team ACK for promoting pysmi to main.

Thanks

Changed in pysmi (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
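Mathieu's concern and Seth's review both come down to the same point: MIB text is an input to code generation, so where that text comes from is a policy decision, not just a convenience. The following is an added example, not code from this bug or from pysmi, of a source-vetting step an application could run before handing a source list to any MIB compiler. It assumes the caller builds the list itself; the directory and URL strings are constructed (http://mibs.snmplabs.com/ is the host mentioned in the review), and the only URL schemes it recognises are bare paths, file://, and the http/https/ftp/sftp remote protocols named above. Any other scheme is rejected rather than guessed at.

```python
"""Vet MIB source locations before they feed code generation.

Added example, not pysmi's own code. Policy: local sources must resolve
inside an allowed directory (symlinks and '..' are resolved first); remote
sources are refused unless explicitly permitted; unrecognised schemes are
refused. The paths and URLs used for testing are constructed."""
import os
from urllib.parse import urlparse

REMOTE_SCHEMES = ("http", "https", "ftp", "sftp")


def classify_source(spec):
    """'local' for a bare path or file:// URL, 'remote' for the protocols in
    REMOTE_SCHEMES, 'unknown' for anything else."""
    scheme = urlparse(spec).scheme
    if scheme in ("", "file"):
        return "local"
    if scheme in REMOTE_SCHEMES:
        return "remote"
    return "unknown"


def local_path(spec):
    """Filesystem path behind a local spec (bare path or file:// URL)."""
    parsed = urlparse(spec)
    return parsed.path if parsed.scheme == "file" else spec


def inside(real, roots):
    """True if the resolved path is one of roots or lies beneath one."""
    return any(real == r or real.startswith(r + os.sep) for r in roots)


def vet_sources(specs, allowed_roots, allow_remote=False):
    """Return (accepted, rejected); rejected entries are (spec, reason).

    Local sources are accepted only if os.path.realpath places them inside
    an allowed root, which defeats '..' segments and symlinks that point
    outside it. Remote sources are accepted only when allow_remote is set,
    so fetching MIBs over the network is a visible, deliberate choice."""
    roots = [os.path.realpath(r) for r in allowed_roots]
    accepted, rejected = [], []
    for spec in specs:
        kind = classify_source(spec)
        if kind == "unknown":
            rejected.append((spec, "unrecognised source scheme"))
        elif kind == "remote":
            if allow_remote:
                accepted.append(spec)
            else:
                rejected.append((spec, "remote source not permitted"))
        else:
            real = os.path.realpath(local_path(spec))
            if inside(real, roots):
                accepted.append(spec)
            else:
                rejected.append((spec, "outside allowed MIB directories"))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed inputs: /srv/mibs is a hypothetical vetted MIB directory.
    sources = [
        "/srv/mibs",
        "file:///srv/mibs/vendor",
        "http://mibs.snmplabs.com/asn1/",
        "/srv/mibs/../../etc",
        "zip:///srv/mibs.zip",
    ]
    ok, bad = vet_sources(sources, ["/srv/mibs"])
    print("accepted:", ok)
    for spec, reason in bad:
        print("rejected:", spec, "->", reason)
```

Flipping `allow_remote=True` is the point where a deployment accepts that code generation may consume text fetched from a third party, which is the situation the review flags as higher-risk; keeping it off by default makes that decision explicit in configuration rather than implicit in a source list.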
Revision history for this message
Matthias Klose (doko) wrote :

Override component to main
pysmi 0.2.2-1 in bionic: universe/misc -> main
python-pysmi 0.2.2-1 in bionic amd64: universe/python/optional/100% -> main
python-pysmi 0.2.2-1 in bionic arm64: universe/python/optional/100% -> main
python-pysmi 0.2.2-1 in bionic armhf: universe/python/optional/100% -> main
python-pysmi 0.2.2-1 in bionic i386: universe/python/optional/100% -> main
python-pysmi 0.2.2-1 in bionic ppc64el: universe/python/optional/100% -> main
python-pysmi 0.2.2-1 in bionic s390x: universe/python/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic amd64: universe/doc/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic arm64: universe/doc/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic armhf: universe/doc/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic i386: universe/doc/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic ppc64el: universe/doc/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic s390x: universe/doc/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic amd64: universe/python/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic arm64: universe/python/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic armhf: universe/python/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic i386: universe/python/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic ppc64el: universe/python/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic s390x: universe/python/optional/100% -> main
19 publications overridden.

Changed in pysmi (Ubuntu):
status: New → Fix Released