Bug 2067982

Summary: CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file function [ovirt-4.5]
Product: [oVirt] ovirt-distribution
Reporter: Sandro Bonazzola <sbonazzo>
Component: python-paramiko
Assignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED CURRENTRELEASE
QA Contact: Sandro Bonazzola <sbonazzo>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.5.0
Keywords: Security, SecurityTracking, VerifiedUpstream
Target Milestone: ovirt-4.5.0
Flags: sbonazzo: ovirt-4.5+, sbonazzo: devel_ack+
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: python-paramiko-2.7.2-3.el8
Doc Type: Release Note
Doc Text:
CVE-2022-24302: Creation of new private key files using `~paramiko.pkey.PKey` subclasses was subject to a race condition between file creation and mode modification, which could be exploited by an attacker with knowledge of where the Paramiko-using code would write out such files; this has been patched by using `os.open` and `os.fdopen` to ensure new files are opened with the correct mode immediately (we've left the subsequent explicit `chmod` in place to minimize any possible disruption).
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-04-26 15:25:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Node
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2065667
Bug Blocks: 2065665
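The Doc Text above describes the defect and the fix only in prose. The following is an added example, written for this page and not taken from paramiko, that puts the two patterns side by side on a POSIX system: `write_key_racy` creates the file with the built-in `open()` and tightens the mode afterwards, while `write_key_safe` hands the mode to `os.open` so the inode is created as 0o600 and wraps the descriptor with `os.fdopen`. The `observer` hook is a constructed device that records the file's permission bits while the file is still open, i.e. inside the window the CVE is about; the key material is a constructed placeholder, and the umask is pinned to 0o022 so the result is reproducible.

```python
import os
import stat
import tempfile

# Constructed stand-in for key material; not a real private key.
SAMPLE_KEY = (
    "-----BEGIN CONSTRUCTED SAMPLE KEY-----\n"
    "not real key material\n"
    "-----END CONSTRUCTED SAMPLE KEY-----\n"
)

OWNER_RW = stat.S_IRUSR | stat.S_IWUSR  # 0o600


def file_mode(path):
    """Return only the permission bits of `path` (e.g. 0o644)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_racy(path, data, observer=None):
    """The pattern CVE-2022-24302 describes; shown for comparison only.

    The built-in open() creates the file with mode 0o666 & ~umask, typically
    0o644, so it is world-readable until the chmod below runs. `observer`
    stands in for whatever else happens on the host during that window.
    """
    with open(path, "w") as f:
        if observer is not None:
            observer(path)
        f.write(data)
    os.chmod(path, OWNER_RW)


def write_key_safe(path, data, observer=None):
    """The hardened pattern: the mode is fixed at creation time.

    os.open() passes the mode straight to the open(2) system call, so the
    inode comes into existence as 0o600 (the umask can only clear bits,
    never add them). os.fdopen() then wraps the descriptor so the rest of
    the writing code stays unchanged.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, OWNER_RW)
    with os.fdopen(fd, "w") as f:
        if observer is not None:
            observer(path)
        f.write(data)
    # A file that already existed keeps its old mode (O_CREAT's mode only
    # applies to a newly created inode), so the explicit chmod still earns
    # its keep, which is why the upstream fix left it in place.
    os.chmod(path, OWNER_RW)


def mode_during_window(writer, umask=0o022):
    """Run `writer` in a fresh temp dir with a fixed umask and return
    (mode seen while the file is still open, final mode after the chmod)."""
    seen = []
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "id_constructed")
            writer(path, SAMPLE_KEY, observer=lambda p: seen.append(file_mode(p)))
            return seen[0], file_mode(path)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, writer in (("racy", write_key_racy), ("safe", write_key_safe)):
        during, final = mode_during_window(writer)
        print(f"{name}: mode during write {during:#o}, after chmod {final:#o}")
```

Running it prints `racy: mode during write 0o644, after chmod 0o600` and `safe: mode during write 0o600, after chmod 0o600`: both versions end in the same place, but only the `os.open` version never exposes the file with the wider mode. Reviewing code for this class of bug therefore means looking for any `open(..., "w")` followed by `os.chmod` on secret material, and for files that may already exist with a permissive mode before the write, where the trailing `chmod` is what actually corrects them.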

Description Sandro Bonazzola 2022-03-24 07:52:00 UTC
This bug was created to ensure that one or more security vulnerabilities are fixed in affected versions of oVirt.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

Comment 1 Sandro Bonazzola 2022-03-24 14:13:54 UTC
patch backported to 2.7.2, build: https://cbs.centos.org/koji/buildinfo?buildID=38348