[Bug 1665752] [NEW] Cannot make simple connection with new python3-crypto version

Paul E Kasemir 1665752 at bugs.launchpad.net
Fri Feb 17 19:32:53 UTC 2017


Public bug reported:

The automatic updates applied a new version of python3-crypto which now
breaks paramiko ssh connections.

The change log for crypto shows me this, which is exactly the error I am seeing.
python-crypto (2.6.1-6ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: throw exception when IV used with ECB or CTR
    - debian/patches/CVE-2013-7459.patch: force exception when IV used ECB/CTR
    - CVE-2013-7459.patch

 -- Emily Ratliff <emily.ratliff at canonical.com>  Tue, 14 Feb 2017 16:05:02 -0600

I found the upgrade from /var/log/apt/history.log
 Start-Date: 2017-02-17  07:04:27
 Commandline: /usr/bin/unattended-upgrade
 Upgrade: <clipped> python3-crypto:amd64 (2.6.1-6build1, 2.6.1-6ubuntu0.16.04.1), <clipped>
 End-Date: 2017-02-17  07:04:56


$ lsb_release -rd
Description:	Ubuntu 16.04.1 LTS
Release:	16.04

$ apt-cache policy python3-paramiko
python3-paramiko:
  Installed: 1.16.0-1
  Candidate: 1.16.0-1
  Version table:
 *** 1.16.0-1 500
        500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu xenial/main i386 Packages
        100 /var/lib/dpkg/status
$ apt-cache policy python3-crypto
python3-crypto:
  Installed: 2.6.1-6ubuntu0.16.04.1
  Candidate: 2.6.1-6ubuntu0.16.04.1
  Version table:
 *** 2.6.1-6ubuntu0.16.04.1 500
        500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.6.1-6build1 500
        500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages


A simple test that should connect (and used to) but now doesn't

Python 3.5.2 (default, Nov 17 2016, 17:05:23) 
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import paramiko
>>> ssh = paramiko.SSHClient()
>>> ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
>>> ssh.connect("192.168.2.46", username='xxxx', password='xxxx')
Unknown exception: CTR mode needs counter parameter, not IV
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 1744, in run
    self.kex_engine.parse_next(ptype, m)
  File "/usr/lib/python3/dist-packages/paramiko/kex_group1.py", line 75, in parse_next
    return self._parse_kexdh_reply(m)
  File "/usr/lib/python3/dist-packages/paramiko/kex_group1.py", line 112, in _parse_kexdh_reply
    self.transport._activate_outbound()
  File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2074, in _activate_outbound
    engine = self._get_cipher(self.local_cipher, key_out, IV_out)
  File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 1649, in _get_cipher
    return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv, counter)
  File "/usr/lib/python3/dist-packages/Crypto/Cipher/AES.py", line 94, in new
    return AESCipher(key, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/Crypto/Cipher/AES.py", line 59, in __init__
    blockalgo.BlockAlgo.__init__(self, _AES, key, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/Crypto/Cipher/blockalgo.py", line 141, in __init__
    self._cipher = factory.new(key, *args, **kwargs)
ValueError: CTR mode needs counter parameter, not IV

** Affects: paramiko (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to paramiko in Ubuntu.
https://bugs.launchpad.net/bugs/1665752
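
Added example, not part of the original report: one way to script the /var/log/apt/history.log check described above, listing every recorded upgrade of a package together with the run that performed it and whether that run was unattended-upgrade. The sample log is constructed (its second stanza follows the one quoted in the report; `examplepkg` and the `htop` stanza are made up), and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of /var/log/apt/history.log. The second stanza
# follows the one quoted in the report; "examplepkg" and the htop stanza are made up.
SAMPLE_HISTORY = """\
Start-Date: 2017-02-16  09:12:01
Commandline: apt-get install htop
Install: htop:amd64 (2.0.1-1ubuntu1)
End-Date: 2017-02-16  09:12:05

Start-Date: 2017-02-17  07:04:27
Commandline: /usr/bin/unattended-upgrade
Upgrade: examplepkg:amd64 (1.0-1, 1.0-2), python3-crypto:amd64 (2.6.1-6build1, 2.6.1-6ubuntu0.16.04.1)
End-Date: 2017-02-17  07:04:56
"""

# One "name:arch (old, new)" entry on an "Upgrade:" line.
UPGRADE_ENTRY = re.compile(r"([^\s:,]+):(\w+) \(([^,()]+), ([^()]+)\)")

def parse_stanzas(text):
    """Split the log on blank lines; return each stanza as a dict of its 'Key: value' lines."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def upgrades_of(text, package):
    """Return every recorded upgrade of `package` with the run that performed it."""
    hits = []
    for stanza in parse_stanzas(text):
        command = stanza.get("Commandline", "")
        for name, arch, old, new in UPGRADE_ENTRY.findall(stanza.get("Upgrade", "")):
            if name == package:
                hits.append({
                    "start": stanza.get("Start-Date"), "command": command,
                    "arch": arch, "old": old, "new": new,
                    # True when the change arrived through automatic updates
                    "unattended": "unattended-upgrade" in command,
                })
    return hits

if __name__ == "__main__":
    print(upgrades_of(SAMPLE_HISTORY, "python3-crypto"))
```

On a live system the same functions can be given the contents of /var/log/apt/history.log; rotated copies of the log would have to be read separately.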
