Bug#863129: marked as done (jessie-pu: package salt/2014.1.13+ds-3)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 17 Jun 2018 20:17:22 +0100
with message-id <1529263042.2082.35.camel@adam-barratt.org.uk>
and subject line Re: Bug#863129: jessie-pu: package salt/2014.1.13+ds-3
has caused the Debian Bug report #863129,
regarding jessie-pu: package salt/2014.1.13+ds-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863129
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: jessie-pu: package salt/2014.1.13+ds-3
• From: Benjamin Drung <benjamin.drung@profitbricks.com>
• Date: Mon, 22 May 2017 14:02:54 +0200
• Message-id: <149545457456.10847.6129644182533314566.reportbug@konstrukt.pb.local>

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

salt in jessie is affected by some security issues. Salvatore Bonaccorso
from the security wrote: So we are basically down at
https://security-tracker.debian.org/tracker/source-package/salt to
no-dsa issues, so up to decicde I guess if you still want a DSA or
rather go via the upcoming point release.

Thus the requests for a SPU to fix four security bugs (debdiff
attached).

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Email: benjamin.drung@profitbricks.com
Web: https://www.profitbricks.com

Sitz der Gesellschaft: Berlin.
Registergericht: Amtsgericht Charlottenburg, HRB 125506B.
Geschäftsführer: Achim Weiss.

diff -Nru salt-2014.1.13+ds/debian/changelog salt-2014.1.13+ds/debian/changelog
--- salt-2014.1.13+ds/debian/changelog	2015-02-13 06:27:53.000000000 +0100
+++ salt-2014.1.13+ds/debian/changelog	2017-05-22 13:34:40.000000000 +0200
@@ -1,3 +1,18 @@
+salt (2014.1.13+ds-3+deb8u1) jessie; urgency=high
+
+  [ Benjamin Drung ]
+  * Team upload.
+  * CVE-2015-6918: git module leaks authentication details into log
+  * CVE-2015-6941: user state displays passwords in debug log
+
+  [ Salvatore Bonaccorso ]
+  * CVE-2015-8034: Information leak from state.sls cache data stored as
+    world-readable (Closes: #807356)
+  * CVE-2016-3176: Insecure configuration of PAM external authentication
+    service (Closes: #819184)
+
+ -- Benjamin Drung <benjamin.drung@profitbricks.com>  Mon, 22 May 2017 13:34:36 +0200
+
 salt (2014.1.13+ds-3) unstable; urgency=medium
 
   * [5273cd4] Added python-msgpack dependency. Closes: 777665
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch	1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2015-6918.patch	2017-04-18 12:18:56.000000000 +0200
@@ -0,0 +1,46 @@
+From 528916548726976dcc75626dc6f6641ceb206ee3 Mon Sep 17 00:00:00 2001
+From: Tarjei Husøy <git@thusoy.com>
+Date: Wed, 19 Aug 2015 11:41:10 -0700
+Subject: [PATCH] Git: Don't leak https user/pw to log
+Origin: backport, https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
+
+---
+ salt/modules/git.py            | 17 ++++++++++++++---
+ tests/unit/modules/git_test.py | 18 ++++++++++++++++++
+ 2 files changed, 32 insertions(+), 3 deletions(-)
+
+--- a/salt/modules/git.py
++++ b/salt/modules/git.py
+@@ -5,6 +5,7 @@
+ 
+ # Import python libs
+ import os
++import re
+ import tempfile
+ try:
+     import pipes
+@@ -75,6 +76,7 @@
+     result = __salt__['cmd.run_all'](cmd,
+                                      cwd=cwd,
+                                      runas=runas,
++                                     output_loglevel='quiet',
+                                      env=env,
+                                      **kwargs)
+ 
+@@ -86,7 +88,15 @@
+     if retcode == 0:
+         return result['stdout']
+     else:
+-        raise exceptions.CommandExecutionError(result['stderr'])
++        stderr = _remove_sensitive_data(result['stderr'])
++        raise exceptions.CommandExecutionError(stderr)
++
++
++def _remove_sensitive_data(sensitive_output):
++    '''
++        Remove HTTP user and password.
++    '''
++    return re.sub('(https?)://.*@', r'\1://<redacted>@', sensitive_output)
+ 
+ 
+ def _git_getdir(cwd, user=None):
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch	1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2015-6941.patch	2017-04-18 12:32:52.000000000 +0200
@@ -0,0 +1,33 @@
+From fdd35374562658f4a20767a3703fab93d92f9ca9 Mon Sep 17 00:00:00 2001
+From: twangboy <slee@saltstack.com>
+Date: Fri, 11 Sep 2015 16:39:47 -0600
+Subject: [PATCH] Replaced password with redacted when displayed
+Origin: backport, https://github.com/twangboy/salt/commit/c0689e32154c41f59840ae10ffc5fbfa30618710
+
+---
+ salt/states/user.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/salt/states/user.py
++++ b/salt/states/user.py
+@@ -362,6 +362,8 @@
+             ret['comment'] = ('The following user attributes are set to be '
+                               'changed:\n')
+             for key, val in changes.items():
++                if key == 'password':
++                    val = 'XXX-REDACTED-XXX'
+                 ret['comment'] += '{0}: {1}\n'.format(key, val)
+             return ret
+         # The user is present
+@@ -480,9 +482,9 @@
+                     if spost['passwd'] != password:
+                         ret['comment'] = 'User {0} created but failed to set' \
+                                          ' password to' \
+-                                         ' {1}'.format(name, password)
++                                         ' {1}'.format(name, 'XXX-REDACTED-XXX')
+                         ret['result'] = False
+-                    ret['changes']['password'] = password
++                    ret['changes']['password'] = 'XXX-REDACTED-XXX'
+                 if date:
+                     __salt__['shadow.set_date'](name, date)
+                     spost = __salt__['shadow.info'](name)
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch	1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2015-8034.patch	2016-06-11 16:35:29.000000000 +0200
@@ -0,0 +1,43 @@
+From 097838ec0c52b1e96f7f761e5fb3cd7e79808741 Mon Sep 17 00:00:00 2001
+From: Mike Place <mp@saltstack.com>
+Date: Fri, 30 Oct 2015 15:05:36 -0600
+Subject: [PATCH] Wrap all cache calls in state.sls in correct umask
+
+Refs #28455
+---
+ salt/modules/state.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/salt/modules/state.py
++++ b/salt/modules/state.py
+@@ -366,12 +366,13 @@ def sls(mods,
+             )
+ 
+     st_ = salt.state.HighState(opts, pillar, kwargs.get('__pub_jid'))
+-
++    umask = os.umask(0o77)
+     if kwargs.get('cache'):
+         if os.path.isfile(cfn):
+             with salt.utils.fopen(cfn, 'rb') as fp_:
+                 high_ = serial.load(fp_)
+                 return st_.state.call_high(high_)
++    os.umask(umask)
+ 
+     if isinstance(mods, string_types):
+         mods = mods.split(',')
+@@ -407,7 +408,6 @@ def sls(mods,
+     except (IOError, OSError):
+         msg = 'Unable to write to "state.sls" cache file {0}'
+         log.error(msg.format(cache_file))
+-    os.umask(cumask)
+     _set_retcode(ret)
+     # Work around Windows multiprocessing bug, set __opts__['test'] back to
+     # value from before this function was run.
+@@ -422,6 +422,7 @@ def sls(mods,
+     except (IOError, OSError):
+         msg = 'Unable to write to highstate cache file {0}. Do you have permissions?'
+         log.error(msg.format(cfn))
++    os.umask(cumask)
+     return ret
+ 
+ 
diff -Nru salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch
--- salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch	1970-01-01 01:00:00.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/CVE-2016-3176.patch	2016-06-11 16:35:29.000000000 +0200
@@ -0,0 +1,56 @@
+From d73f70ebb289142e4f692359fe741a54f5d2ad65 Mon Sep 17 00:00:00 2001
+From: Daniel Wallace <dwallace@saltstack.com>
+Date: Fri, 11 Mar 2016 08:25:05 -0700
+Subject: [PATCH] Remove ability of authenticating user to specify pam service
+
+This should be set at the master level, so that whoever is
+authenticating has to conform to what is set by the administrator that
+setup salt.
+---
+ salt/auth/pam.py | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/salt/auth/pam.py
++++ b/salt/auth/pam.py
+@@ -12,6 +12,13 @@ a user against the Pluggable Authenticat
+ 
+ Implemented using ctypes, so no compilation is necessary.
+ 
++There is one extra configuration option for pam.  The `pam_service` that is
++authenticated against.  This defaults to `login`
++
++.. code-block:: yaml
++
++    auth.pam.service: login
++
+ .. note:: PAM authentication will not work for the ``root`` user.
+ 
+     The Python interface to PAM does not support authenticating as ``root``.
+@@ -120,7 +127,7 @@ def __virtual__():
+         return False
+ 
+ 
+-def authenticate(username, password, service='login'):
++def authenticate(username, password):
+     '''
+     Returns True if the given username and password authenticate for the
+     given service.  Returns False otherwise
+@@ -128,10 +135,9 @@ def authenticate(username, password, ser
+     ``username``: the username to authenticate
+ 
+     ``password``: the password in plain text
+-
+-    ``service``: the PAM service to authenticate against.
+-                 Defaults to 'login'
+     '''
++    service = __opts__.get('auth.pam.service', 'login')
++
+     @CONV_FUNC
+     def my_conv(n_messages, messages, p_response, app_data):
+         '''
+@@ -165,4 +171,4 @@ def auth(username, password, **kwargs):
+     '''
+     Authenticate via pam
+     '''
+-    return authenticate(username, password, kwargs.get('service', 'login'))
++    return authenticate(username, password)
diff -Nru salt-2014.1.13+ds/debian/patches/series salt-2014.1.13+ds/debian/patches/series
--- salt-2014.1.13+ds/debian/patches/series	2015-02-13 06:06:38.000000000 +0100
+++ salt-2014.1.13+ds/debian/patches/series	2017-04-18 12:23:00.000000000 +0200
@@ -6,3 +6,7 @@
 0175_releasenotes
 remove_privacy_breaches
 doc_fixes
+CVE-2015-6918.patch
+CVE-2015-6941.patch
+CVE-2015-8034.patch
+CVE-2016-3176.patch

--- End Message ---

--- Begin Message ---

• To: Cyril Brulebois <kibi@debian.org>, 863129-done@bugs.debian.org, Benjamin Drung <benjamin.drung@profitbricks.com>
• Subject: Re: Bug#863129: jessie-pu: package salt/2014.1.13+ds-3
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sun, 17 Jun 2018 20:17:22 +0100
• Message-id: <1529263042.2082.35.camel@adam-barratt.org.uk>
• In-reply-to: <20170627234405.GA2982@mraw.org>
• References: <149545457456.10847.6129644182533314566.reportbug@konstrukt.pb.local> <20170627234405.GA2982@mraw.org>

Control: tags -1 + wontfix

On Wed, 2017-06-28 at 01:44 +0200, Cyril Brulebois wrote:
> I'm tagging this with moreinfo for the time being, as some feedback
> from your side would be welcome.

Unfortunately there was no reply to the above query, and the window for
getting fixes in to the final point release for jessie (before it moves
to LTS support) has now closed.

Regards,

Adam

--- End Message ---