diff --git a/_lastrevision b/_lastrevision
index 5ae7ef3..bb91596 100644
--- a/_lastrevision
+++ b/_lastrevision
@@ -1 +1 @@
-2a9748d411cf0d0e49f59fb6fa7ddd336992532e
\ No newline at end of file
+f20138622e17e52fd49e531edd607b46d08a146c
\ No newline at end of file
diff --git a/fix-for-cve-2022-22967-bsc-1200566.patch b/fix-for-cve-2022-22967-bsc-1200566.patch
new file mode 100644
index 0000000..51c4d99
--- /dev/null
+++ b/fix-for-cve-2022-22967-bsc-1200566.patch
@@ -0,0 +1,75 @@
+From a9c292fdf9ae53b86109337165214d8aadb155e7 Mon Sep 17 00:00:00 2001
+From: Wayne Werner
+Date: Fri, 1 Apr 2022 14:21:57 -0500
+Subject: [PATCH] Fix for CVE-2022-22967 (bsc#1200566)
+
+---
+ changelog/pam_auth.security | 1 +
+ salt/auth/pam.py | 2 +-
+ tests/pytests/unit/auth/test_pam.py | 32 +++++++++++++++++++++++++++++
+ 3 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 changelog/pam_auth.security
+ create mode 100644 tests/pytests/unit/auth/test_pam.py
+
+diff --git a/changelog/pam_auth.security b/changelog/pam_auth.security
+new file mode 100644
+index 0000000000..52943680f4
+--- /dev/null
++++ b/changelog/pam_auth.security
+@@ -0,0 +1 @@
++Fixed PAM auth to reject auth attempt if user account is locked.
+diff --git a/salt/auth/pam.py b/salt/auth/pam.py
+index a9dde95149..d91883b743 100644
+--- a/salt/auth/pam.py
++++ b/salt/auth/pam.py
+@@ -209,7 +209,7 @@ def authenticate(username, password):
+
+ retval = PAM_AUTHENTICATE(handle, 0)
+ if retval == 0:
+- PAM_ACCT_MGMT(handle, 0)
++ retval = PAM_ACCT_MGMT(handle, 0)
+ PAM_END(handle, 0)
+ return retval == 0
+
+diff --git a/tests/pytests/unit/auth/test_pam.py b/tests/pytests/unit/auth/test_pam.py
+new file mode 100644
+index 0000000000..f5f49e65d8
+--- /dev/null
++++ b/tests/pytests/unit/auth/test_pam.py
+@@ -0,0 +1,32 @@
++import pytest
++import salt.auth.pam
++from tests.support.mock import patch
++
++
++@pytest.fixture
++def configure_loader_modules():
++ return {salt.auth.pam: {}}
++
++
++@pytest.fixture
++def mock_pam():
++ with patch("salt.auth.pam.CALLOC", autospec=True), patch(
++ "salt.auth.pam.pointer", autospec=True
++ ), patch("salt.auth.pam.PamHandle", autospec=True), patch(
++ "salt.auth.pam.PAM_START", autospec=True, return_value=0
++ ), patch(
++ "salt.auth.pam.PAM_AUTHENTICATE", autospec=True, return_value=0
++ ), patch(
++ "salt.auth.pam.PAM_END", autospec=True
++ ):
++ yield
++
++
++def 
test_cve_if_pam_acct_mgmt_returns_nonzero_authenticate_should_be_false(mock_pam):
++ with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=42):
++ assert salt.auth.pam.authenticate(username="fnord", password="fnord") is False
++
++
++def test_if_pam_acct_mgmt_returns_zero_authenticate_should_be_true(mock_pam):
++ with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=0):
++ assert salt.auth.pam.authenticate(username="fnord", password="fnord") is True
+--
+2.36.1
+
+
diff --git a/make-sure-saltcacheloader-use-correct-fileclient-519.patch b/make-sure-saltcacheloader-use-correct-fileclient-519.patch
new file mode 100644
index 0000000..d2199a8
--- /dev/null
+++ b/make-sure-saltcacheloader-use-correct-fileclient-519.patch
@@ -0,0 +1,30 @@
+From cdd5edaa40233d83e3ed2eb61de3fbf70bc29dfb Mon Sep 17 00:00:00 2001
+From: Witek Bedyk
+Date: Thu, 19 May 2022 12:52:12 +0200
+Subject: [PATCH] Make sure SaltCacheLoader use correct fileclient (#519)
+
+Backported from https://github.com/saltstack/salt/pull/61895
+
+Signed-off-by: Witek Bedyk
+---
+ salt/state.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/salt/state.py b/salt/state.py
+index b759c8e0ee..2c785233c5 100644
+--- a/salt/state.py
++++ b/salt/state.py
+@@ -4061,6 +4061,9 @@ class BaseHighState:
+ )
+ else:
+ try:
++ # Make sure SaltCacheLoader use correct fileclient
++ if context is None:
++ context = {"fileclient": self.client}
+ state = compile_template(
+ fn_,
+ self.state.rend,
+--
+2.36.0
+
+
diff --git a/salt.changes b/salt.changes
index 4d7f357..6868b08 100644
--- a/salt.changes
+++ b/salt.changes
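Review bot: `PAM_END(handle, 0)` in the patched `authenticate` still hands a hard-coded 0 to pam_end as the status of the last PAM call, even when `PAM_AUTHENTICATE` or the now-checked `PAM_ACCT_MGMT` has returned non-zero; pam_end(3) documents that argument as the return value of the most recent PAM library call so that modules can clean up differently on failure, so `PAM_END(handle, retval)` is the closer match. The commit's own fix, propagating the account-management result into `retval`, is correct and is exactly what the two new tests in test_pam.py pin down. Since this file is a backport of an upstream commit, the status argument is better fixed upstream and re-backported than edited in the patch file. The opening lines of `authenticate` lie outside the hunk.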
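Review bot: The added guard at `if context is None:` only supplies `self.client` when no context was passed at all; a caller that passes its own context dict without a `fileclient` entry still falls through to whatever default the renderer picks, which appears to be the very case the backport wants to avoid. If that is unintended, `if context is None: context = {}` followed by `context.setdefault("fileclient", self.client)` covers both cases, at the cost of mutating a caller-supplied dict; if only the None case matters, the comment should say so. The comment itself reads better as `# Make sure SaltCacheLoader uses the correct fileclient`. The enclosing BaseHighState method begins and ends outside the hunk.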
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Thu Jun 16 09:52:06 UTC 2022 - Pablo Suárez Hernández
+
+- Fix PAM auth issue due missing check for PAM_ACCT_MGM return value (CVE-2022-22967) (bsc#1200566)
+
+- Added:
+ * fix-for-cve-2022-22967-bsc-1200566.patch
+
+-------------------------------------------------------------------
+Thu May 19 11:00:15 UTC 2022 - Pablo Suárez Hernández
+
+- Make sure SaltCacheLoader use correct fileclient (bsc#1199149)
+
+- Added:
+ * make-sure-saltcacheloader-use-correct-fileclient-519.patch
+
 -------------------------------------------------------------------
 Tue Apr 12 09:21:38 UTC 2022 - Victor Zhestkov
diff --git a/salt.spec b/salt.spec
index 534d8a3..f2ee287 100644
--- a/salt.spec
+++ b/salt.spec
@@ -304,6 +304,10 @@ Patch78: prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch
 # PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/506
 Patch79: fix-regression-with-depending-client.ssh-on-psutil-b.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/61895
+Patch80: make-sure-saltcacheloader-use-correct-fileclient-519.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/commit/e068a34ccb2e17ae7224f8016a24b727f726d4c8
+Patch81: fix-for-cve-2022-22967-bsc-1200566.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build