Accepting request 984677 from systemsmanagement:saltstack

- Fix PAM auth issue due missing check for PAM_ACCT_MGM return value (CVE-2022-22967) (bsc#1200566) - Added: * fix-for-cve-2022-22967-bsc-1200566.patch - Make sure SaltCacheLoader use correct fileclient (bsc#1199149) - Added: * make-sure-saltcacheloader-use-correct-fileclient-519.patch OBS-URL: https://build.opensuse.org/request/show/984677 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/salt?expand=0&rev=129
2022-06-24 06:45:04 +00:00 · 2022-06-24 06:45:04 +00:00 · 7e02b5c50e
commit 7e02b5c50e
parent 2be55d9d0f 45f7a09468
5 changed files with 126 additions and 1 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-2a9748d411cf0d0e49f59fb6fa7ddd336992532e
+f20138622e17e52fd49e531edd607b46d08a146c
--- a/fix-for-cve-2022-22967-bsc-1200566.patch
+++ b/fix-for-cve-2022-22967-bsc-1200566.patch
@ -0,0 +1,75 @@
+From a9c292fdf9ae53b86109337165214d8aadb155e7 Mon Sep 17 00:00:00 2001
+From: Wayne Werner <wwerner@vmware.com>
+Date: Fri, 1 Apr 2022 14:21:57 -0500
+Subject: [PATCH] Fix for CVE-2022-22967 (bsc#1200566)
+
+---
+ changelog/pam_auth.security         |  1 +
+ salt/auth/pam.py                    |  2 +-
+ tests/pytests/unit/auth/test_pam.py | 32 +++++++++++++++++++++++++++++
+ 3 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 changelog/pam_auth.security
+ create mode 100644 tests/pytests/unit/auth/test_pam.py
+
+diff --git a/changelog/pam_auth.security b/changelog/pam_auth.security
+new file mode 100644
+index 0000000000..52943680f4
+--- /dev/null
+++ b/changelog/pam_auth.security
+@@ -0,0 +1 @@
+Fixed PAM auth to reject auth attempt if user account is locked.
+diff --git a/salt/auth/pam.py b/salt/auth/pam.py
+index a9dde95149..d91883b743 100644
+--- a/salt/auth/pam.py
+++ b/salt/auth/pam.py
+@@ -209,7 +209,7 @@ def authenticate(username, password):
+ 
+     retval = PAM_AUTHENTICATE(handle, 0)
+     if retval == 0:
+-        PAM_ACCT_MGMT(handle, 0)
+        retval = PAM_ACCT_MGMT(handle, 0)
+     PAM_END(handle, 0)
+     return retval == 0
+ 
+diff --git a/tests/pytests/unit/auth/test_pam.py b/tests/pytests/unit/auth/test_pam.py
+new file mode 100644
+index 0000000000..f5f49e65d8
+--- /dev/null
+++ b/tests/pytests/unit/auth/test_pam.py
+@@ -0,0 +1,32 @@
+import pytest
+import salt.auth.pam
+from tests.support.mock import patch
+
+
+@pytest.fixture
+def configure_loader_modules():
+    return {salt.auth.pam: {}}
+
+
+@pytest.fixture
+def mock_pam():
+    with patch("salt.auth.pam.CALLOC", autospec=True), patch(
+        "salt.auth.pam.pointer", autospec=True
+    ), patch("salt.auth.pam.PamHandle", autospec=True), patch(
+        "salt.auth.pam.PAM_START", autospec=True, return_value=0
+    ), patch(
+        "salt.auth.pam.PAM_AUTHENTICATE", autospec=True, return_value=0
+    ), patch(
+        "salt.auth.pam.PAM_END", autospec=True
+    ):
+        yield
+
+
+def test_cve_if_pam_acct_mgmt_returns_nonzero_authenticate_should_be_false(mock_pam):
+    with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=42):
+        assert salt.auth.pam.authenticate(username="fnord", password="fnord") is False
+
+
+def test_if_pam_acct_mgmt_returns_zero_authenticate_should_be_true(mock_pam):
+    with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=0):
+        assert salt.auth.pam.authenticate(username="fnord", password="fnord") is True
+-- 
+2.36.1
+
+
--- a/make-sure-saltcacheloader-use-correct-fileclient-519.patch
+++ b/make-sure-saltcacheloader-use-correct-fileclient-519.patch
@ -0,0 +1,30 @@
+From cdd5edaa40233d83e3ed2eb61de3fbf70bc29dfb Mon Sep 17 00:00:00 2001
+From: Witek Bedyk <wbedyk@suse.com>
+Date: Thu, 19 May 2022 12:52:12 +0200
+Subject: [PATCH] Make sure SaltCacheLoader use correct fileclient (#519)
+
+Backported from https://github.com/saltstack/salt/pull/61895
+
+Signed-off-by: Witek Bedyk <witold.bedyk@suse.com>
+---
+ salt/state.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/salt/state.py b/salt/state.py
+index b759c8e0ee..2c785233c5 100644
+--- a/salt/state.py
+++ b/salt/state.py
+@@ -4061,6 +4061,9 @@ class BaseHighState:
+             )
+         else:
+             try:
+                # Make sure SaltCacheLoader use correct fileclient
+                if context is None:
+                    context = {"fileclient": self.client}
+                 state = compile_template(
+                     fn_,
+                     self.state.rend,
+-- 
+2.36.0
+
+
--- a/salt.changes
+++ b/salt.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Thu Jun 16 09:52:06 UTC 2022 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
+
+- Fix PAM auth issue due missing check for PAM_ACCT_MGM return value (CVE-2022-22967) (bsc#1200566)
+
+- Added:
+  * fix-for-cve-2022-22967-bsc-1200566.patch
+
+-------------------------------------------------------------------
+Thu May 19 11:00:15 UTC 2022 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
+
+- Make sure SaltCacheLoader use correct fileclient (bsc#1199149)
+
+- Added:
+  * make-sure-saltcacheloader-use-correct-fileclient-519.patch
+
 -------------------------------------------------------------------
 Tue Apr 12 09:21:38 UTC 2022 - Victor Zhestkov <victor.zhestkov@suse.com>

--- a/salt.spec
+++ b/salt.spec
@ -304,6 +304,10 @@ Patch78:        prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch

 # PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/506
 Patch79:        fix-regression-with-depending-client.ssh-on-psutil-b.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/61895
+Patch80:        make-sure-saltcacheloader-use-correct-fileclient-519.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/commit/e068a34ccb2e17ae7224f8016a24b727f726d4c8
+Patch81:        fix-for-cve-2022-22967-bsc-1200566.patch


 BuildRoot:      %{_tmppath}/%{name}-%{version}-build