Accepting request 966247 from systemsmanagement:saltstack

- Fix salt-ssh opts poisoning (bsc#1197637)
- Added:
  * fix-salt-ssh-opts-poisoning-bsc-1197637-3004-501.patch

- Fix multiple security issues (bsc#1197417)
- * Sign authentication replies to prevent MiTM (CVE-2022-22935)
- * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
- * Prevent job and fileserver replays (CVE-2022-22936)
- * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941)
- Added:
  * fix-multiple-security-issues-bsc-1197417.patch

OBS-URL: https://build.opensuse.org/request/show/966247
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/salt?expand=0&rev=127

_lastrevision

@@ -1 +1 @@
-8fe3232b41facbf938d591053c0f457ba6b5e3dc
+babf3dc7d243793c1134a8009ce18de316451d1a

fix-salt-ssh-opts-poisoning-bsc-1197637-3004-501.patch

@@ -0,0 +1,128 @@
+From 7096332546a65c0c507fbd4bccbf7062e7c3c9c7 Mon Sep 17 00:00:00 2001
+From: Victor Zhestkov <vzhestkov@suse.com>
+Date: Thu, 31 Mar 2022 13:39:57 +0300
+Subject: [PATCH] Fix salt-ssh opts poisoning (bsc#1197637) - 3004 (#501)
+
+* Fix salt-ssh opts poisoning
+
+* Pass proper __opts__ to roster modules
+
+* Remove redundant copy.deepcopy for opts from handle_routine
+---
+ salt/client/ssh/__init__.py | 17 ++++++++++-------
+ salt/loader/__init__.py     |  7 ++++++-
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py
+index 3e032c7197..bc77eb700e 100644
+--- a/salt/client/ssh/__init__.py
++++ b/salt/client/ssh/__init__.py
+@@ -340,7 +340,7 @@ class SSH:
+         self.session_flock_file = os.path.join(
+             self.opts["cachedir"], "salt-ssh.session.lock"
+         )
+-        self.ssh_session_grace_time = int(self.opts.get("ssh_session_grace_time", 3))
++        self.ssh_session_grace_time = int(self.opts.get("ssh_session_grace_time", 1))
+ 
+     @property
+     def parse_tgt(self):
+@@ -558,7 +558,6 @@ class SSH:
+         """
+         LOG_LOCK.release()
+         salt.loader.LOAD_LOCK.release()
+-        opts = copy.deepcopy(opts)
+         single = Single(
+             opts,
+             opts["argv"],
+@@ -595,6 +594,7 @@ class SSH:
+         Spin up the needed threads or processes and execute the subsequent
+         routines
+         """
++        opts = copy.deepcopy(self.opts)
+         que = multiprocessing.Queue()
+         running = {}
+         targets_queue = deque(self.targets.keys())
+@@ -605,7 +605,7 @@ class SSH:
+             if not self.targets:
+                 log.error("No matching targets found in roster.")
+                 break
+-            if len(running) < self.opts.get("ssh_max_procs", 25) and not init:
++            if len(running) < opts.get("ssh_max_procs", 25) and not init:
+                 if targets_queue:
+                     host = targets_queue.popleft()
+                 else:
+@@ -623,7 +623,7 @@ class SSH:
+                             pid_running = (
+                                 False
+                                 if cached_session["pid"] == 0
+-                                else psutil.pid_exists(cached_session["pid"])
++                                else cached_session.get("running", False) or psutil.pid_exists(cached_session["pid"])
+                             )
+                             if (
+                                 pid_running and prev_session_running < self.max_pid_wait
+@@ -638,9 +638,10 @@ class SSH:
+                         "salt-ssh/session",
+                         host,
+                         {
+-                            "pid": 0,
++                            "pid": os.getpid(),
+                             "master_id": self.master_id,
+                             "ts": time.time(),
++                            "running": True,
+                         },
+                     )
+                 for default in self.defaults:
+@@ -668,7 +669,7 @@ class SSH:
+                     continue
+                 args = (
+                     que,
+-                    self.opts,
++                    opts,
+                     host,
+                     self.targets[host],
+                     mine,
+@@ -704,6 +705,7 @@ class SSH:
+                             "pid": routine.pid,
+                             "master_id": self.master_id,
+                             "ts": time.time(),
++                            "running": True,
+                         },
+                     )
+                 continue
+@@ -755,12 +757,13 @@ class SSH:
+                                 "pid": 0,
+                                 "master_id": self.master_id,
+                                 "ts": time.time(),
++                                "running": False,
+                             },
+                         )
+             if len(rets) >= len(self.targets):
+                 break
+             # Sleep when limit or all threads started
+-            if len(running) >= self.opts.get("ssh_max_procs", 25) or len(
++            if len(running) >= opts.get("ssh_max_procs", 25) or len(
+                 self.targets
+             ) >= len(running):
+                 time.sleep(0.1)
+diff --git a/salt/loader/__init__.py b/salt/loader/__init__.py
+index a0f2220476..bc3634bb7f 100644
+--- a/salt/loader/__init__.py
++++ b/salt/loader/__init__.py
+@@ -622,7 +622,12 @@ def roster(opts, runner=None, utils=None, whitelist=None, context=None):
+         opts,
+         tag="roster",
+         whitelist=whitelist,
+-        pack={"__runner__": runner, "__utils__": utils, "__context__": context},
++        pack={
++            "__runner__": runner,
++            "__utils__": utils,
++            "__context__": context,
++            "__opts__": opts,
++        },
+         extra_module_dirs=utils.module_dirs if utils else None,
+     )
+ 
+-- 
+2.35.1
+
+

salt.changes

@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Thu Mar 31 11:16:01 UTC 2022 - Victor Zhestkov <victor.zhestkov@suse.com>
+
+- Fix salt-ssh opts poisoning (bsc#1197637)
+
+- Added:
+  * fix-salt-ssh-opts-poisoning-bsc-1197637-3004-501.patch
+
+-------------------------------------------------------------------
+Thu Mar 31 08:34:58 UTC 2022 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
+
+- Fix multiple security issues (bsc#1197417)
+- * Sign authentication replies to prevent MiTM (CVE-2022-22935)
+- * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
+- * Prevent job and fileserver replays (CVE-2022-22936)
+- * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941)
+
+- Added:
+  * fix-multiple-security-issues-bsc-1197417.patch
+
 -------------------------------------------------------------------
 Mon Feb 28 15:05:32 UTC 2022 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
 

salt.spec

@@ -290,6 +290,12 @@ Patch73:        add-salt-ssh-support-with-venv-salt-minion-3004-493.patch
 Patch74:        prevent-shell-injection-via-pre_flight_script_args-4.patch
 ###############
 
+# PATCH-FIX_UPSTREAM: implemented at 3004.1 release (no PR)
+Patch75:        fix-multiple-security-issues-bsc-1197417.patch
+
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/501
+Patch76:        fix-salt-ssh-opts-poisoning-bsc-1197637-3004-501.patch
+
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  logrotate