rpm/salt
SHA256
1
0
Fork 0
forked from pool/salt
Code Pull Requests Activity

Accepting request 969843 from systemsmanagement:saltstack

Browse Source 
- Prevent data pollution between actions proceesed
  at the same time (bsc#1197637)
- Fix regression preventing bootstrapping new clients
  caused by redundant dependency on psutil (bsc#1197533)
- Added:
  * fix-regression-with-depending-client.ssh-on-psutil-b.patch
  * prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch

- Fixes for Python 3.10
- Added:
  * fixes-for-python-3.10-502.patch

  * Sign authentication replies to prevent MiTM (CVE-2022-22935)
  * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
  * Prevent job and fileserver replays (CVE-2022-22936)
  * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941)

OBS-URL: https://build.opensuse.org/request/show/969843
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/salt?expand=0&rev=128
This commit is contained in:
Dominique Leuenberger 2022-04-14 15:25:03 +00:00 committed by Git OBS Bridge
commit 2be55d9d0f
6 changed files with 355 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_lastrevision
View File

@ -1 +1 @@
babf3dc7d243793c1134a8009ce18de316451d1a 2a9748d411cf0d0e49f59fb6fa7ddd336992532e

53
fix-regression-with-depending-client.ssh-on-psutil-b.patch Normal file
View File

@ -0,0 +1,53 @@
From 0c4a71224d49e778b4a2c683c63de52a0876de69 Mon Sep 17 00:00:00 2001
From: Victor Zhestkov <vzhestkov@suse.com>
Date: Tue, 12 Apr 2022 10:08:17 +0300
Subject: [PATCH] Fix regression with depending client.ssh on psutil
(bsc#1197533)
---
salt/client/ssh/__init__.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py
index 6d24d8d716..396f9457f2 100644
--- a/salt/client/ssh/__init__.py
+++ b/salt/client/ssh/__init__.py
@@ -12,7 +12,6 @@ import hashlib
import logging
import multiprocessing
import os
-import psutil
import queue
import re
import shlex
@@ -407,6 +406,16 @@ class SSH:
self.__parsed_rosters[self.ROSTER_UPDATE_FLAG] = False
return
+ def _pid_exists(self, pid):
+ """
+ Check if specified pid is alive
+ """
+ try:
+ os.kill(pid, 0)
+ except OSError:
+ return False
+ return True
+
def _update_roster(self, hostname=None, user=None):
"""
Update default flat roster with the passed in information.
@@ -626,7 +635,8 @@ class SSH:
pid_running = (
False
if cached_session["pid"] == 0
- else cached_session.get("running", False) or psutil.pid_exists(cached_session["pid"])
+ else cached_session.get("running", False)
+ or self._pid_exists(cached_session["pid"])
)
if (
pid_running and prev_session_running < self.max_pid_wait
--
2.35.1

94
fixes-for-python-3.10-502.patch Normal file
View File

@ -0,0 +1,94 @@
From efcf52ad6b7edf64e6a2eaead99c8df5894ab613 Mon Sep 17 00:00:00 2001
From: Victor Zhestkov <vzhestkov@suse.com>
Date: Tue, 5 Apr 2022 12:04:46 +0300
Subject: [PATCH] Fixes for Python 3.10 (#502)
* Fix _compat.py importlib logic for Python 3.10
Use the same logic in _compat.py and entrypoints.py to load
the same importlib.metadata. Python's built in implementation for
Python >= 3.10 and the Salt one for others.
* Use collections.abc.Mapping instead collections.Mapping in state
Co-authored-by: piterpunk <piterpunk@slackware.com>
---
salt/_compat.py | 30 +++++++++++++++++-------------
salt/state.py | 5 +++--
2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/salt/_compat.py b/salt/_compat.py
index 8149657bea..a402f17a3c 100644
--- a/salt/_compat.py
+++ b/salt/_compat.py
@@ -11,19 +11,23 @@ if sys.version_info >= (3, 9, 5):
else:
import salt.ext.ipaddress as ipaddress
+if sys.version_info >= (3, 10):
+ # Python 3.10 will include a fix in importlib.metadata which allows us to
+ # get the distribution of a loaded entry-point
+ import importlib.metadata # pylint: disable=no-member,no-name-in-module
+else:
+ # importlib_metadata before version 3.3.0 does not include the functionality we need.
+ try:
+ import importlib_metadata
-# importlib_metadata before version 3.3.0 does not include the functionality we need.
-try:
- import importlib_metadata
-
- importlib_metadata_version = [
- int(part)
- for part in importlib_metadata.version("importlib_metadata").split(".")
- if part.isdigit()
- ]
- if tuple(importlib_metadata_version) < (3, 3, 0):
+ importlib_metadata_version = [
+ int(part)
+ for part in importlib_metadata.version("importlib_metadata").split(".")
+ if part.isdigit()
+ ]
+ if tuple(importlib_metadata_version) < (3, 3, 0):
+ # Use the vendored importlib_metadata
+ import salt.ext.importlib_metadata as importlib_metadata
+ except ImportError:
# Use the vendored importlib_metadata
import salt.ext.importlib_metadata as importlib_metadata
-except ImportError:
- # Use the vendored importlib_metadata
- import salt.ext.importlib_metadata as importlib_metadata
diff --git a/salt/state.py b/salt/state.py
index 3361a537cd..b759c8e0ee 100644
--- a/salt/state.py
+++ b/salt/state.py
@@ -12,7 +12,6 @@ The data sent to the state calls is as follows:
"""
-import collections
import copy
import datetime
import fnmatch
@@ -26,6 +25,8 @@ import sys
import time
import traceback
+from collections.abc import Mapping
+
import salt.fileclient
import salt.loader
import salt.minion
@@ -3276,7 +3277,7 @@ class State:
"""
for chunk in high:
state = high[chunk]
- if not isinstance(state, collections.Mapping):
+ if not isinstance(state, Mapping):
continue
for state_ref in state:
needs_default = True
--
2.35.1

174
prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch Normal file
View File

@ -0,0 +1,174 @@
From c86432645863a21da589346ad587b610ab51a2a9 Mon Sep 17 00:00:00 2001
From: Victor Zhestkov <vzhestkov@suse.com>
Date: Tue, 12 Apr 2022 10:06:43 +0300
Subject: [PATCH] Prevent affection of SSH.opts with LazyLoader
(bsc#1197637)
* Prevent affection SSH.opts with LazyLoader
* Restore parsed targets
* Fix test_ssh unit tests
---
salt/client/ssh/__init__.py | 19 +++++++++++--------
tests/unit/client/test_ssh.py | 16 ++++++++--------
2 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py
index bc77eb700e..6d24d8d716 100644
--- a/salt/client/ssh/__init__.py
+++ b/salt/client/ssh/__init__.py
@@ -225,15 +225,16 @@ class SSH:
ROSTER_UPDATE_FLAG = "#__needs_update"
def __init__(self, opts, context=None):
+ self.opts = copy.deepcopy(opts)
+ self.sopts = copy.deepcopy(self.opts)
self.__parsed_rosters = {SSH.ROSTER_UPDATE_FLAG: True}
- pull_sock = os.path.join(opts["sock_dir"], "master_event_pull.ipc")
+ pull_sock = os.path.join(self.opts["sock_dir"], "master_event_pull.ipc")
if os.path.exists(pull_sock) and zmq:
self.event = salt.utils.event.get_event(
- "master", opts["sock_dir"], opts["transport"], opts=opts, listen=False
+ "master", self.opts["sock_dir"], self.opts["transport"], opts=self.opts, listen=False
)
else:
self.event = None
- self.opts = opts
if self.opts["regen_thin"]:
self.opts["ssh_wipe"] = True
if not salt.utils.path.which("ssh"):
@@ -244,7 +245,7 @@ class SSH:
" to run. Exiting."
),
)
- self.opts["_ssh_version"] = ssh_version()
+ self.sopts["_ssh_version"] = ssh_version()
self.tgt_type = (
self.opts["selected_target_option"]
if self.opts["selected_target_option"]
@@ -341,6 +342,9 @@ class SSH:
self.opts["cachedir"], "salt-ssh.session.lock"
)
self.ssh_session_grace_time = int(self.opts.get("ssh_session_grace_time", 1))
+ self.sopts["tgt"] = copy.deepcopy(self.opts["tgt"])
+ self.sopts["ssh_cli_tgt"] = copy.deepcopy(self.opts["ssh_cli_tgt"])
+ self.opts = self.sopts
@property
def parse_tgt(self):
@@ -594,7 +598,6 @@ class SSH:
Spin up the needed threads or processes and execute the subsequent
routines
"""
- opts = copy.deepcopy(self.opts)
que = multiprocessing.Queue()
running = {}
targets_queue = deque(self.targets.keys())
@@ -605,7 +608,7 @@ class SSH:
if not self.targets:
log.error("No matching targets found in roster.")
break
- if len(running) < opts.get("ssh_max_procs", 25) and not init:
+ if len(running) < self.opts.get("ssh_max_procs", 25) and not init:
if targets_queue:
host = targets_queue.popleft()
else:
@@ -669,7 +672,7 @@ class SSH:
continue
args = (
que,
- opts,
+ self.opts,
host,
self.targets[host],
mine,
@@ -763,7 +766,7 @@ class SSH:
if len(rets) >= len(self.targets):
break
# Sleep when limit or all threads started
- if len(running) >= opts.get("ssh_max_procs", 25) or len(
+ if len(running) >= self.opts.get("ssh_max_procs", 25) or len(
self.targets
) >= len(running):
time.sleep(0.1)
diff --git a/tests/unit/client/test_ssh.py b/tests/unit/client/test_ssh.py
index 23cb3d0700..5003500de1 100644
--- a/tests/unit/client/test_ssh.py
+++ b/tests/unit/client/test_ssh.py
@@ -95,7 +95,7 @@ class SSHReturnEventTests(ShellCase):
assert "localhost" in ret
assert "fun" in ret["localhost"]
client.run()
- display_output.assert_called_once_with(expected, "nested", opts)
+ display_output.assert_called_once_with(expected, "nested", client.opts)
self.assertIs(ret, handle_ssh_ret[0])
assert len(client.event.fire_event.call_args_list) == 2
assert "fun" in client.event.fire_event.call_args_list[0][0][0]
@@ -539,7 +539,7 @@ class SSHTests(ShellCase):
MagicMock(return_value=salt.utils.yaml.safe_load(self.roster)),
):
client._expand_target()
- assert opts["tgt"] == host
+ assert client.opts["tgt"] == host
def test_expand_target_dns(self):
"""
@@ -562,7 +562,7 @@ class SSHTests(ShellCase):
MagicMock(return_value=salt.utils.yaml.safe_load(self.roster)),
):
client._expand_target()
- assert opts["tgt"] == host
+ assert client.opts["tgt"] == host
def test_expand_target_no_user(self):
"""
@@ -602,7 +602,7 @@ class SSHTests(ShellCase):
client = ssh.SSH(opts)
assert opts["tgt"] == user + host
client._update_targets()
- assert opts["tgt"] == host
+ assert client.opts["tgt"] == host
assert client.targets[host]["user"] == user.split("@")[0]
def test_update_targets_dns(self):
@@ -620,7 +620,7 @@ class SSHTests(ShellCase):
client = ssh.SSH(opts)
assert opts["tgt"] == user + host
client._update_targets()
- assert opts["tgt"] == host
+ assert client.opts["tgt"] == host
assert client.targets[host]["user"] == user.split("@")[0]
def test_update_targets_no_user(self):
@@ -661,7 +661,7 @@ class SSHTests(ShellCase):
):
client._expand_target()
client._update_targets()
- assert opts["tgt"] == host
+ assert client.opts["tgt"] == host
assert client.targets[host]["user"] == user.split("@")[0]
def test_parse_tgt(self):
@@ -681,7 +681,7 @@ class SSHTests(ShellCase):
client = ssh.SSH(opts)
assert client.parse_tgt["hostname"] == host
assert client.parse_tgt["user"] == user.split("@")[0]
- assert self.opts.get("ssh_cli_tgt") == user + host
+ assert client.opts.get("ssh_cli_tgt") == user + host
def test_parse_tgt_no_user(self):
"""
@@ -700,7 +700,7 @@ class SSHTests(ShellCase):
client = ssh.SSH(opts)
assert client.parse_tgt["hostname"] == host
assert client.parse_tgt["user"] == opts["ssh_user"]
- assert self.opts.get("ssh_cli_tgt") == host
+ assert client.opts.get("ssh_cli_tgt") == host
def test_extra_filerefs(self):
"""
--
2.35.1

28
salt.changes
View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Tue Apr 12 09:21:38 UTC 2022 - Victor Zhestkov <victor.zhestkov@suse.com>
- Prevent data pollution between actions proceesed
at the same time (bsc#1197637)
- Fix regression preventing bootstrapping new clients
caused by redundant dependency on psutil (bsc#1197533)
- Added:
* fix-regression-with-depending-client.ssh-on-psutil-b.patch
* prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch
-------------------------------------------------------------------
Tue Apr 5 09:29:14 UTC 2022 - Victor Zhestkov <victor.zhestkov@suse.com>
- Fixes for Python 3.10
- Added:
* fixes-for-python-3.10-502.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Mar 31 11:16:01 UTC 2022 - Victor Zhestkov <victor.zhestkov@suse.com> Thu Mar 31 11:16:01 UTC 2022 - Victor Zhestkov <victor.zhestkov@suse.com>
@ -10,10 +30,10 @@ Thu Mar 31 11:16:01 UTC 2022 - Victor Zhestkov <victor.zhestkov@suse.com>
Thu Mar 31 08:34:58 UTC 2022 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com> Thu Mar 31 08:34:58 UTC 2022 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Fix multiple security issues (bsc#1197417) - Fix multiple security issues (bsc#1197417)
- * Sign authentication replies to prevent MiTM (CVE-2022-22935) * Sign authentication replies to prevent MiTM (CVE-2022-22935)
- * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934) * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
- * Prevent job and fileserver replays (CVE-2022-22936) * Prevent job and fileserver replays (CVE-2022-22936)
- * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941)
- Added: - Added:
* fix-multiple-security-issues-bsc-1197417.patch * fix-multiple-security-issues-bsc-1197417.patch

9
salt.spec
View File

@ -296,6 +296,15 @@ Patch75: fix-multiple-security-issues-bsc-1197417.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/501 # PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/501
Patch76: fix-salt-ssh-opts-poisoning-bsc-1197637-3004-501.patch Patch76: fix-salt-ssh-opts-poisoning-bsc-1197637-3004-501.patch
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/61064
Patch77: fixes-for-python-3.10-502.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/505
Patch78: prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/506
Patch79: fix-regression-with-depending-client.ssh-on-psutil-b.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: logrotate BuildRequires: logrotate