[MIR] pysmi, pycryptodome

Bug #1748572 reported by Steve Langasek
Affects                Status        Importance  Assigned to  Milestone
pycryptodome (Ubuntu)  Fix Released  High        Unassigned
pysmi (Ubuntu)         Fix Released  High        Unassigned

Bug Description

[Rationale]

The new version of python-pysnmp4 adds dependencies on python-pycryptodome and python-pysmi, so these need to be MIRed.

>> pysmi <<

[Availability]
In universe

[Security]
No history: http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pysmi

[Quality assurance]
Package executes unit tests during package build.

[Dependencies]
All in main.

[Standards compliance]
OK

[Maintenance]
ubuntu-openstack

>> pycryptodome <<

[Availability]
In universe

[Security]
No history: http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pycryptodome

[Quality assurance]
Package executes unit tests during package build.

[Dependencies]
All in main.

[Standards compliance]
OK

[Maintenance]
ubuntu-openstack

[Background]
PyCryptodome is a fork of PyCrypto

Tags: bionic

Steve Langasek (vorlon)
Changed in pycryptodome (Ubuntu):
status: New → Incomplete
assignee: nobody → Ubuntu OpenStack (ubuntu-openstack)
James Page (james-page) wrote :

bug subscriptions added for ubuntu-openstack team.

description: updated
description: updated
James Page (james-page)
Changed in pysmi (Ubuntu):
status: Incomplete → New
description: updated
description: updated
Changed in pycryptodome (Ubuntu):
status: Incomplete → New
James Page (james-page)
Changed in pycryptodome (Ubuntu):
importance: Undecided → High
Changed in pysmi (Ubuntu):
importance: Undecided → High
Changed in pycryptodome (Ubuntu):
milestone: none → ubuntu-18.02
Changed in pysmi (Ubuntu):
milestone: none → ubuntu-18.02
James Page (james-page) wrote :

Having pycrypto and pycryptodome both in main seems less than ideal but would like to get a steer from the security team on preference - the rationale for pycryptodome is that pycrypto is unmaintained.

James Page (james-page) wrote :

Subscribing ubuntu-security team due to pycryptodome and fork/nasty-ness

James Page (james-page) wrote :

https://github.com/openstack/requirements/blob/master/global-requirements.txt#L224

Some further context - this feels like a general ecosystem move to the fork:

# NOTE(dims): pysaml 4.0.3 uses pycryptodome instead of pycrypto, for mitaka
# we cannot switch to pycryptodome as many projects are likely to break. So
# we should block versions higher then 4.0.2. Also, once all projects and
# dependencies like paramiko switch to pycryptodome, we should revisit this
# and fully switch over to pycryptodome and stop using pycrypto
pysaml2>=4.0.2,<4.0.3 # Apache-2.0

Matthias Klose (doko) wrote :

please could you track the conversion of packages in main in a separate bug report using different tasks?

Changed in pycryptodome (Ubuntu):
assignee: Ubuntu OpenStack (ubuntu-openstack) → Ubuntu Security Team (ubuntu-security)
Mathieu Trudel-Lapierre (cyphermox) wrote :

Seems to me like pysmi would potentially go parse and generate code from MIBs retrieved from the web (those are not necessarily known to be safe). I think this warrants some further code review.

Changed in pysmi (Ubuntu):
assignee: Ubuntu OpenStack (ubuntu-openstack) → Ubuntu Security Team (ubuntu-security)
Timo Aaltonen (tjaalton) wrote :

Any progress on this review? This is blocking pyasn1*/python-ldap/389-ds-base from migrating.

Seth Arnold (seth-arnold) wrote :

Hello,

   One must avoid having both PyCrypto and PyCryptodome installed
   at the same time, as they will interfere with each other.

Is this a concern for us?

Thanks

Steve Langasek (vorlon) wrote :

Seth, it's a concern if the packages don't declare a Breaks or Conflicts with one another. If they don't (I'm not currently in a position to check), could you file a bug on them for this?

If the incompatibility is declared, and proposed-migration says no packages are uninstallable as a result, then it's not ideal but allowable.

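One way to make the check Steve describes mechanical: parse the binary-package stanzas of a debian/control file and report which ones declare Breaks or Conflicts against a given package. This is an added example, not code from the bug report or from either package; the control stanzas embedded below are constructed sample input, not the real bionic packaging.

```python
"""Report Breaks/Conflicts that a debian/control file declares on one package."""
import re

# Constructed sample control file (not the real python-pycryptodome packaging).
CONTROL = """\
Package: python-pycryptodome
Architecture: any
Depends: ${python:Depends}, ${shlibs:Depends}
Breaks: python-crypto (<< 2.6.1-8), some-other-pkg
Description: cryptographic library for Python (Python 2)

Package: python3-pycryptodome
Architecture: any
Depends: ${python3:Depends}
Description: cryptographic library for Python (Python 3)
"""

RELATION_FIELDS = ("Breaks", "Conflicts")
# package name, optionally followed by a parenthesised version relation
RELATION_RE = re.compile(r"\s*([a-z0-9][a-z0-9+.-]*)\s*(?:\(([^)]*)\))?")


def parse_stanzas(text):
    """Split RFC822-style control text into stanzas (dict of field -> value).
    Continuation lines (leading whitespace) are folded into the previous field."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                # blank line ends a stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
            continue
        if line[0] in " \t" and last:       # continuation of the previous field
            cur[last] += " " + line.strip()
            continue
        field, _, value = line.partition(":")
        last = field.strip()
        cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def parse_relations(value):
    """'a (<< 1.0), b' -> [('a', '<< 1.0'), ('b', None)]"""
    rels = []
    for item in value.split(","):
        m = RELATION_RE.match(item)
        if m:
            rels.append((m.group(1), m.group(2).strip() if m.group(2) else None))
    return rels


def declared_incompatibilities(control_text, other):
    """Map each binary package to the (field, version) relations it declares on `other`;
    an empty list means the package does not declare any incompatibility."""
    result = {}
    for st in parse_stanzas(control_text):
        if "Package" not in st:             # skip the Source stanza, if any
            continue
        hits = [(field, ver)
                for field in RELATION_FIELDS
                for name, ver in parse_relations(st.get(field, ""))
                if name == other]
        result[st["Package"]] = hits
    return result
```

A package whose entry comes back empty is the case Steve asks to be reported as a bug.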
Seth Arnold (seth-arnold) wrote :

I reviewed pycryptodome version 3.4.7-1 as checked into bionic. This is
not a full security audit, but rather a quick gauge of maintainability. I
especially did not investigate if the implementations are properly
constant-timed, free from leaks, implemented correctly, or suitable for
purpose.

One CVE against pycryptodome:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6594.html
Currently unfixed in our packaging. This flaw is shared with python-crypto
which is currently also unfixed. (While we rated it 'Medium', 'Low' might
also be appropriate.)

The fix wasn't exactly quick but the author and interested community
members had a professional discussion of the issue.

- pycryptodome is python-crypto brought back to life
- Build-Depends: dh-python, python-setuptools, python3-setuptools,
  python-all-dev, python3-all-dev, debhelper, python3-sphinx,
  python3-sphinx-rtd-theme
- Does not daemonize
- pre/post inst/rm scripts are automatically generated
- No systemd unit files
- No DBus services
- No setuid files
- No binaries in PATH
- No sudo fragments
- No udev rules
- Large test suite run during the build, not inspected closely
- No cronjobs
- dpkg emits some warnings:
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Provides}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Versions}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Provides}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Versions}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Provides}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Versions}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Provides}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Versions}

- No subprocesses spawned
- Memory management looked careful
- No file IO
- No environment variables
- No privileged functions
- Extensive cryptography
- No networking
- No privileged portions of code
- No temporary files
- No WebKit
- No Javascript
- No policykit
- clean cppcheck

The code has extensive references in the comments throughout, errors are
checked, there's a lot of tests.

Security team ACK for promoting pycryptodome to main.

Thanks

Changed in pycryptodome (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Steve Langasek (vorlon) wrote :

Override component to main
pycryptodome 3.4.7-1 in bionic: universe/misc -> main
1 publication overridden.
Override component to main
python-pycryptodome 3.4.7-1 in bionic amd64: universe/python/optional/100% -> main
python-pycryptodome 3.4.7-1 in bionic arm64: universe/python/optional/100% -> main
python-pycryptodome 3.4.7-1 in bionic armhf: universe/python/optional/100% -> main
python-pycryptodome 3.4.7-1 in bionic i386: universe/python/optional/100% -> main
python-pycryptodome 3.4.7-1 in bionic ppc64el: universe/python/optional/100% -> main
python-pycryptodome 3.4.7-1 in bionic s390x: universe/python/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic amd64: universe/doc/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic arm64: universe/doc/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic armhf: universe/doc/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic i386: universe/doc/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic ppc64el: universe/doc/optional/100% -> main
python-pycryptodome-doc 3.4.7-1 in bionic s390x: universe/doc/optional/100% -> main
12 publications overridden.

Changed in pycryptodome (Ubuntu):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote :

I reviewed pysmi version 0.2.2-1 as checked into bionic. This should not
be considered a full security audit but rather a quick gauge of
maintainability.

- No CVEs in our database
- pysmi can parse ASN1 mib files and emit json or python code to work with
  data in the described format; there's infrastructure in place to work
  around bugs in poorly-written mib files, hosted on
  http://mibs.snmplabs.com/

- Build-Depends: debhelper, dh-python, python-all, python3-all,
  python-ply, python3-ply, python-setuptools, python3-setuptools,
  python-pysnmp4, python3-pysnmp4, python3-sphinx,

- No cryptography
- Can do http / ftp / sftp
- Does not daemonize
- Auto-generated pre/post inst/rm scripts
- No initscripts / systemd files
- No DBus services
- No setuid files
- /usr/bin/mibdump in PATH
- No sudo fragments
- No udev rules
- Many tests run during the build
- No cronjobs
- Clean build logs

- No subprocesses spawned
- File handling is slightly complicated:
  - well-known locations can hold files
  - applications can request loading from other locations, including zips,
    remote resources, etc.
  - some of these inputs influence code generation but conversations with
    the author gave me confidence that this is still something we can
    support
- minimal logging, looks safe
- No environment variable use
- No privileged operations
- No cryptography
- Can retrieve files over the network via multiple protocols
- No privileged portions of code
- mkstemp is used when temporary files are created
- No WebKit
- No JavaScript
- No PolicyKit

Code generation is a higher-risk activity but the author answered my
questions quickly and confidently and has a clear threat model in mind
that I believe accurately reflects our needs.

Security team ACK for promoting pysmi to main.

Thanks

Changed in pysmi (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Matthias Klose (doko) wrote :

Override component to main
pysmi 0.2.2-1 in bionic: universe/misc -> main
python-pysmi 0.2.2-1 in bionic amd64: universe/python/optional/100% -> main
python-pysmi 0.2.2-1 in bionic arm64: universe/python/optional/100% -> main
python-pysmi 0.2.2-1 in bionic armhf: universe/python/optional/100% -> main
python-pysmi 0.2.2-1 in bionic i386: universe/python/optional/100% -> main
python-pysmi 0.2.2-1 in bionic ppc64el: universe/python/optional/100% -> main
python-pysmi 0.2.2-1 in bionic s390x: universe/python/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic amd64: universe/doc/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic arm64: universe/doc/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic armhf: universe/doc/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic i386: universe/doc/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic ppc64el: universe/doc/optional/100% -> main
python-pysmi-doc 0.2.2-1 in bionic s390x: universe/doc/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic amd64: universe/python/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic arm64: universe/python/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic armhf: universe/python/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic i386: universe/python/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic ppc64el: universe/python/optional/100% -> main
python3-pysmi 0.2.2-1 in bionic s390x: universe/python/optional/100% -> main
19 publications overridden.

Changed in pysmi (Ubuntu):
status: New → Fix Released