[python26-paramiko: 14/33] Add patch to fix security issue.

Andy Grimm arg at fedoraproject.org
Thu Jul 7 00:41:18 UTC 2011


commit 739aeb28ab780f58c08c18e41edaae8b417ac6f3
Author: Jeffrey C. Ollie <jcollie at fedoraproject.org>
Date:   Mon Jan 14 21:22:13 2008 +0000

    Add patch to fix security issue.

 paramiko-osrandompool-fixed.patch |  135 +++++++++++++++++++++++++++++++++++++
 python-paramiko.spec              |   22 +++++--
 2 files changed, 151 insertions(+), 6 deletions(-)
---
diff --git a/paramiko-osrandompool-fixed.patch b/paramiko-osrandompool-fixed.patch
new file mode 100644
index 0000000..27fcf71
--- /dev/null
+++ b/paramiko-osrandompool-fixed.patch
@@ -0,0 +1,135 @@
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: dwayne at oscl.ca-20080114152712-mfg5hxxi5k5m8dp7
+# target_branch: http://www.lag.net/paramiko/bzr/paramiko/
+# testament_sha1: 97445d0ddc922bc9cf93b2c8254b16bdf949a2a1
+# timestamp: 2008-01-14 09:27:42 -0600
+# base_revision_id: robey at lag.net-20071231052950-8h599bnez3sgbf2e
+# 
+# Begin patch
+=== added file 'paramiko/osrandom.py'
+--- paramiko/osrandom.py	1970-01-01 00:00:00 +0000
++++ paramiko/osrandom.py	2008-01-14 15:27:12 +0000
+@@ -0,0 +1,93 @@
++#!/usr/bin/python
++# -*- coding: ascii -*-
++# Copyright (C) 2008  Dwayne C. Litzenberger <dlitz at dlitz.net>
++#
++# This file is part of paramiko.
++#
++# Paramiko is free software; you can redistribute it and/or modify it under the
++# terms of the GNU Lesser General Public License as published by the Free
++# Software Foundation; either version 2.1 of the License, or (at your option)
++# any later version.
++#
++# Paramiko is distrubuted in the hope that it will be useful, but WITHOUT ANY
++# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
++# A PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more
++# details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with Paramiko; if not, write to the Free Software Foundation, Inc.,
++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++
++import sys
++
++# Detect an OS random number source
++osrandom_source = None
++
++# Try os.urandom
++if osrandom_source is None:
++    try:
++        from os import urandom
++        osrandom_source = "os.urandom"
++    except ImportError:
++        pass
++
++# Try winrandom
++if osrandom_source is None:
++    try:
++        from Crypto.Util import winrandom
++        osrandom_source = "winrandom"
++    except ImportError:
++        pass
++
++# Try /dev/urandom
++if osrandom_source is None:
++    try:
++        _dev_urandom = open("/dev/urandom", "rb", 0)
++        def urandom(bytes):
++            return _def_urandom.read(bytes)
++        osrandom_source = "/dev/urandom"
++    except (OSError, IOError):
++        pass
++
++# Give up
++if osrandom_source is None:
++    raise ImportError("Cannot find OS entropy source")
++
++class BaseOSRandomPool(object):
++    def __init__(self, numbytes=160, cipher=None, hash=None):
++        pass
++
++    def stir(self, s=''):
++        # According to "Cryptanalysis of the Random Number Generator of the
++        # Windows Operating System", by Leo Dorrendorf and Zvi Gutterman
++        # and Benny Pinkas <http://eprint.iacr.org/2007/419>,
++        # CryptGenRandom only updates its internal state using kernel-provided
++        # random data every 128KiB of output.
++        if osrandom_source == 'winrandom' or sys.platform == 'win32':
++            self.get_bytes(128*1024)    # discard 128 KiB of output
++
++    def randomize(self, N=0):
++        self.stir()
++
++    def add_event(self, s=None):
++        pass
++
++class WinrandomOSRandomPool(BaseOSRandomPool):
++    def __init__(self, numbytes=160, cipher=None, hash=None):
++        self._wr = winrandom.new()
++        self.get_bytes = self._wr.get_bytes
++        self.randomize()
++
++class UrandomOSRandomPool(BaseOSRandomPool):
++    def __init__(self, numbytes=160, cipher=None, hash=None):
++        self.get_bytes = urandom
++        self.randomize()
++
++if osrandom_source in ("/dev/urandom", "os.urandom"):
++    OSRandomPool = UrandomOSRandomPool
++elif osrandom_source == "winrandom":
++    OSRandomPool = WinrandomOSRandomPool
++else:
++    raise AssertionError("Unrecognized osrandom_source %r" % (osrandom_source,))
++
++# vim:set ts=4 sw=4 sts=4 expandtab:
+
+=== modified file 'paramiko/common.py'
+--- paramiko/common.py	2007-11-19 03:12:09 +0000
++++ paramiko/common.py	2008-01-14 03:56:22 +0000
+@@ -95,22 +95,10 @@
+ DISCONNECT_SERVICE_NOT_AVAILABLE, DISCONNECT_AUTH_CANCELLED_BY_USER, \
+     DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE = 7, 13, 14
+ 
+-
+-from Crypto.Util.randpool import PersistentRandomPool, RandomPool
++from osrandom import OSRandomPool
+ 
+ # keep a crypto-strong PRNG nearby
+-import os
+-try:
+-    randpool = PersistentRandomPool(os.path.join(os.path.expanduser('~'), '/.randpool'))
+-except:
+-    # the above will likely fail on Windows - fall back to non-persistent random pool
+-    randpool = RandomPool()
+-
+-try:
+-    randpool.randomize()
+-except:
+-    # earlier versions of pyCrypto (pre-2.0) don't have randomize()
+-    pass
++randpool = OSRandomPool()
+ 
+ import sys
+ if sys.version_info < (2, 3):
+
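Review bot: The `/dev/urandom` fallback in the added `osrandom.py` is dead on arrival: the file handle is bound as `_dev_urandom` but the inner `urandom()` reads from `_def_urandom`, so the first `get_bytes()` call on a Python without `os.urandom` raises NameError instead of returning entropy. While fixing the name, note that `read()` on an unbuffered file is not guaranteed to return the full count requested, so the wrapper should refuse to hand back a short buffer rather than let a caller silently use fewer random bytes than it asked for; the parameter name `bytes` also shadows the builtin. The 128 KiB discard in `stir()` runs on every `randomize()`/`stir()` call on Windows, which is correct per the cited paper but is worth a one-line comment warning callers that it is expensive if invoked often.
```python
        _dev_urandom = open("/dev/urandom", "rb", 0)
        def urandom(n):
            # read() on an unbuffered file may return fewer bytes than
            # requested; never return a short buffer to a crypto caller.
            data = _dev_urandom.read(n)
            if len(data) != n:
                raise IOError("short read from /dev/urandom")
            return data
```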
diff --git a/python-paramiko.spec b/python-paramiko.spec
index e3b2208..1dc6dde 100644
--- a/python-paramiko.spec
+++ b/python-paramiko.spec
@@ -4,18 +4,24 @@
 
 Name:           python-paramiko
 Version:        1.7.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A SSH2 protocol library for python
 
 Group:          Development/Libraries
 License:        LGPL
 URL:            http://www.lag.net/paramiko/
 Source0:        http://www.lag.net/paramiko/download/%{srcname}-%{version}.tar.gz
+Patch0:		paramiko-osrandompool-fixed.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildArch:      noarch
-BuildRequires:  python-devel
-BuildRequires:  python-setuptools
+
+%if 0%{?fedora} >= 8
+BuildRequires: python-setuptools-devel
+%else
+BuildRequires: python-setuptools
+%endif
+
 Requires:       python-crypto >= 1.9
 
 %description
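Review bot: The added `Patch0:` line is padded with tab characters while every other tag in this preamble (`Source0:`, `BuildRoot:`, `Requires:`) uses space alignment, and the two new `BuildRequires:` lines use a single space after the colon; pick the spaces form for all three so the tag column stays aligned, e.g. `Patch0:         paramiko-osrandompool-fixed.patch`. The `Requires: python-crypto >= 1.9` line is untouched even though the patch now imports `Crypto.Util.winrandom` only on Windows; presumably the rest of paramiko still needs pycrypto for its ciphers, so that looks fine but is worth confirming.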
@@ -30,14 +36,14 @@ encrypted tunnel. (This is how sftp works, for example.)
 
 %prep
 %setup -q -n %{srcname}-%{version}
-
+%patch0 -p0
 
 %build
-CFLAGS="$RPM_OPT_FLAGS" %{__python} setup.py build
+CFLAGS="$RPM_OPT_FLAGS" %{__python} -c 'import setuptools; execfile("setup.py")' build
 
 %install
 rm -rf $RPM_BUILD_ROOT
-%{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT --single-version-externally-managed
+%{__python} -c 'import setuptools; execfile("setup.py")' install --skip-build --root %{buildroot}
 
 %clean
 rm -rf $RPM_BUILD_ROOT
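Review bot: The rewritten install line refers to `%{buildroot}` while the `rm -rf $RPM_BUILD_ROOT` directly above it and the `%clean` section still use the shell variable form; these expand to the same path, but mixing the two in adjacent lines invites a mismatch if one is later changed, so use `--root %{buildroot}` and `rm -rf %{buildroot}` consistently (or `$RPM_BUILD_ROOT` everywhere). Dropping `-O1` from the install command also means no optimized bytecode is generated any more; if that is intentional under the new packaging guidelines it deserves a mention in the changelog entry.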
@@ -48,6 +54,10 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitelib}/*
 
 %changelog
+* Mon Jan 14 2008 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.7.1-3
+- Update to latest Python packaging guidelines.
+- Apply patch that fixes insecure use of RandomPool.
+
 * Thu Jul 19 2007 Jeffrey C. Ollie <jeff at ocjtech.us> - 1.7.1-2
 - Bump rev
 

