python-crypto throws exception ValueError: CTR mode needs counter parameter, not IV

Bug #1665598 reported by Hung Nguyen Viet
This bug affects 9 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| OpenStack Charm Test Infra | Fix Released | Critical | Ryan Beisner | |
| python-crypto (Ubuntu) | Fix Released | Critical | Unassigned | |

Bug Description

We've recently upgraded python-crypto package on 14.04 due to this USN https://www.ubuntu.com/usn/usn-3199-1/

apt history log

```
Start-Date: 2017-02-16 23:43:48
Commandline: apt-get -q -y -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-confdef dist-upgrade
Upgrade: bind9-host:amd64 (9.9.5.dfsg-3ubuntu0.12, 9.9.5.dfsg-3ubuntu0.13), liblwres90:amd64 (9.9.5.dfsg-3ubuntu0.12, 9.9.5.dfsg-3ubuntu0.13), python-crypto:amd64 (2.6.1-4build1, 2.6.1-4ubuntu0.1), libdns100:amd64 (9.9.5.dfsg-3ubuntu0.12, 9.9.5.dfsg-3ubuntu0.13), libisccfg90:amd64 (9.9.5.dfsg-3ubuntu0.12, 9.9.5.dfsg-3ubuntu0.13), libbind9-90:amd64 (9.9.5.dfsg-3ubuntu0.12, 9.9.5.dfsg-3ubuntu0.13), bind9:amd64 (9.9.5.dfsg-3ubuntu0.12, 9.9.5.dfsg-3ubuntu0.13), dnsutils:amd64 (9.9.5.dfsg-3ubuntu0.12, 9.9.5.dfsg-3ubuntu0.13), bind9utils:amd64 (9.9.5.dfsg-3ubuntu0.12, 9.9.5.dfsg-3ubuntu0.13), libisccc90:amd64 (9.9.5.dfsg-3ubuntu0.12, 9.9.5.dfsg-3ubuntu0.13), libisc95:amd64 (9.9.5.dfsg-3ubuntu0.12, 9.9.5.dfsg-3ubuntu0.13)
End-Date: 2017-02-16 23:43:52
```

Then our python script which uses paramiko failed with this exception

```
Traceback (most recent call last):
  File "/usr/local/nagios/local/lib/python2.7/site-packages/paramiko/transport.py", line 1583, in run
    self.kex_engine.parse_next(ptype, m)
  File "/usr/local/nagios/local/lib/python2.7/site-packages/paramiko/kex_group1.py", line 68, in parse_next
    return self._parse_kexdh_reply(m)
  File "/usr/local/nagios/local/lib/python2.7/site-packages/paramiko/kex_group1.py", line 107, in _parse_kexdh_reply
    self.transport._activate_outbound()
  File "/usr/local/nagios/local/lib/python2.7/site-packages/paramiko/transport.py", line 1881, in _activate_outbound
    engine = self._get_cipher(self.local_cipher, key_out, IV_out)
  File "/usr/local/nagios/local/lib/python2.7/site-packages/paramiko/transport.py", line 1500, in _get_cipher
    return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv, counter)
  File "/usr/lib/python2.7/dist-packages/Crypto/Cipher/AES.py", line 94, in new
    return AESCipher(key, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/Crypto/Cipher/AES.py", line 59, in __init__
    blockalgo.BlockAlgo.__init__(self, _AES, key, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/Crypto/Cipher/blockalgo.py", line 141, in __init__
    self._cipher = factory.new(key, *args, **kwargs)
ValueError: CTR mode needs counter parameter, not IV

```

Package versions

```
pycrypto==2.6.1
paramiko==1.12.0
```

which works okay BEFORE the upgrade.

Maybe Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850025


Robie Basak (racb)
Changed in python-crypto (Ubuntu):
importance: Undecided → Critical
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-crypto (Ubuntu):
status: New → Confirmed
Ryan Beisner (1chb1n) wrote :
tags: added: uosci
Changed in charm-test-infra:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Ryan Beisner (1chb1n)
Vej (vej)
tags: added: trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-crypto - 2.6.1-6ubuntu0.16.10.3

---------------
python-crypto (2.6.1-6ubuntu0.16.10.3) yakkety-security; urgency=medium

  * Update CVE-2013-7459: Print a warning, rather than raise an exception.
    Thanks to Sebastian Ramacher. (Closes: #1665598)

 -- Emily Ratliff <email address hidden> Fri, 17 Feb 2017 10:01:32 -0600

Changed in python-crypto (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-crypto - 2.6.1-4ubuntu0.2

---------------
python-crypto (2.6.1-4ubuntu0.2) trusty-security; urgency=medium

  * Update CVE-2013-7459: Print a warning, rather than raise an exception.
    Thanks to Sebastian Ramacher. (Closes: #1665598)

 -- Emily Ratliff <email address hidden> Fri, 17 Feb 2017 10:07:46 -0600

Changed in python-crypto (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-crypto - 2.6.1-6ubuntu0.16.04.2

---------------
python-crypto (2.6.1-6ubuntu0.16.04.2) xenial-security; urgency=medium

  * Update CVE-2013-7459: Print a warning, rather than raise an exception.
    Thanks to Sebastian Ramacher. (Closes: #1665598)

 -- Emily Ratliff <email address hidden> Fri, 17 Feb 2017 09:35:46 -0600

Changed in python-crypto (Ubuntu):
status: Confirmed → Fix Released
Phill (phill.l) wrote :

Possible duplicate of #1665598 or maybe just a dependency, depends on point of view.

Phill (phill.l) wrote :

Sorry, I commented on the wrong bug, I think #1665643 may be a duplicate or dependency on this.

Ryan Beisner (1chb1n)
Changed in charm-test-infra:
status: Confirmed → Fix Released
Hung Nguyen Viet (hvnsweeting) wrote :

I upgraded to 2.6.1-4ubuntu0.2 and there is no more exception; I only see the warning printed now.
Thank you for the fix.

Ryan Beisner (1chb1n)
Changed in charm-test-infra:
milestone: none → 17.05
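
Added example, not part of the bug report or of python-crypto: a small audit helper that reads an apt history log like the one in the description, extracts the python-crypto transition, and compares the installed build against the fix versions named in this thread using Debian version ordering. The function names are hypothetical and the release codename is assumed to be supplied by the caller.

```python
import re

# Versions taken from this bug page: the trusty build that raised ValueError,
# and the per-release builds that print a warning instead.
RAISING = {"2.6.1-4ubuntu0.1"}
FIXED = {"trusty": "2.6.1-4ubuntu0.2",
         "xenial": "2.6.1-6ubuntu0.16.04.2",
         "yakkety": "2.6.1-6ubuntu0.16.10.3"}

def _part_key(s):
    """Sort key for one upstream/revision string, following Debian ordering."""
    def order(c):
        # '~' sorts before end-of-string, letters before other punctuation.
        return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    # Alternate non-digit runs (compared by order()) and numeric runs.
    return [([order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", s)]

def deb_key(version):
    """Sort key for [epoch:]upstream[-revision]."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return (int(epoch), _part_key(upstream), _part_key(revision))

def crypto_upgrade(apt_history_text):
    """Return (old, new) for the last python-crypto upgrade in the log, or None."""
    hits = re.findall(r"python-crypto:\w+ \(([^,]+), ([^)]+)\)", apt_history_text)
    return hits[-1] if hits else None

def classify(release, version):
    """'regressed' = raises on IV in CTR mode; 'fixed' = warns; else 'below-fix'."""
    if version in RAISING:
        return "regressed"
    if deb_key(version) >= deb_key(FIXED[release]):
        return "fixed"
    return "below-fix"

# Constructed sample: the apt history entry from the report, trimmed to two packages.
SAMPLE = """Start-Date: 2017-02-16 23:43:48
Upgrade: bind9-host:amd64 (9.9.5.dfsg-3ubuntu0.12, 9.9.5.dfsg-3ubuntu0.13), python-crypto:amd64 (2.6.1-4build1, 2.6.1-4ubuntu0.1)
End-Date: 2017-02-16 23:43:52
"""

if __name__ == "__main__":
    old, new = crypto_upgrade(SAMPLE)
    print(old, "->", new, classify("trusty", new))
```
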