Accepting request 984677 from systemsmanagement:saltstack

- Fix PAM auth issue due missing check for PAM_ACCT_MGM return value (CVE-2022-22967) (bsc#1200566)
- Added:
  * fix-for-cve-2022-22967-bsc-1200566.patch

- Make sure SaltCacheLoader use correct fileclient (bsc#1199149)
- Added:
  * make-sure-saltcacheloader-use-correct-fileclient-519.patch

OBS-URL: https://build.opensuse.org/request/show/984677
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/salt?expand=0&rev=129

_lastrevision

@@ -1 +1 @@
-2a9748d411cf0d0e49f59fb6fa7ddd336992532e
+f20138622e17e52fd49e531edd607b46d08a146c

fix-for-cve-2022-22967-bsc-1200566.patch

@@ -0,0 +1,75 @@
+From a9c292fdf9ae53b86109337165214d8aadb155e7 Mon Sep 17 00:00:00 2001
+From: Wayne Werner <wwerner@vmware.com>
+Date: Fri, 1 Apr 2022 14:21:57 -0500
+Subject: [PATCH] Fix for CVE-2022-22967 (bsc#1200566)
+
+---
+ changelog/pam_auth.security         |  1 +
+ salt/auth/pam.py                    |  2 +-
+ tests/pytests/unit/auth/test_pam.py | 32 +++++++++++++++++++++++++++++
+ 3 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 changelog/pam_auth.security
+ create mode 100644 tests/pytests/unit/auth/test_pam.py
+
+diff --git a/changelog/pam_auth.security b/changelog/pam_auth.security
+new file mode 100644
+index 0000000000..52943680f4
+--- /dev/null
++++ b/changelog/pam_auth.security
+@@ -0,0 +1 @@
++Fixed PAM auth to reject auth attempt if user account is locked.
+diff --git a/salt/auth/pam.py b/salt/auth/pam.py
+index a9dde95149..d91883b743 100644
+--- a/salt/auth/pam.py
++++ b/salt/auth/pam.py
+@@ -209,7 +209,7 @@ def authenticate(username, password):
+ 
+     retval = PAM_AUTHENTICATE(handle, 0)
+     if retval == 0:
+-        PAM_ACCT_MGMT(handle, 0)
++        retval = PAM_ACCT_MGMT(handle, 0)
+     PAM_END(handle, 0)
+     return retval == 0
+ 
+diff --git a/tests/pytests/unit/auth/test_pam.py b/tests/pytests/unit/auth/test_pam.py
+new file mode 100644
+index 0000000000..f5f49e65d8
+--- /dev/null
++++ b/tests/pytests/unit/auth/test_pam.py
+@@ -0,0 +1,32 @@
++import pytest
++import salt.auth.pam
++from tests.support.mock import patch
++
++
++@pytest.fixture
++def configure_loader_modules():
++    return {salt.auth.pam: {}}
++
++
++@pytest.fixture
++def mock_pam():
++    with patch("salt.auth.pam.CALLOC", autospec=True), patch(
++        "salt.auth.pam.pointer", autospec=True
++    ), patch("salt.auth.pam.PamHandle", autospec=True), patch(
++        "salt.auth.pam.PAM_START", autospec=True, return_value=0
++    ), patch(
++        "salt.auth.pam.PAM_AUTHENTICATE", autospec=True, return_value=0
++    ), patch(
++        "salt.auth.pam.PAM_END", autospec=True
++    ):
++        yield
++
++
++def test_cve_if_pam_acct_mgmt_returns_nonzero_authenticate_should_be_false(mock_pam):
++    with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=42):
++        assert salt.auth.pam.authenticate(username="fnord", password="fnord") is False
++
++
++def test_if_pam_acct_mgmt_returns_zero_authenticate_should_be_true(mock_pam):
++    with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=0):
++        assert salt.auth.pam.authenticate(username="fnord", password="fnord") is True
+-- 
+2.36.1
+
+

make-sure-saltcacheloader-use-correct-fileclient-519.patch

@@ -0,0 +1,30 @@
+From cdd5edaa40233d83e3ed2eb61de3fbf70bc29dfb Mon Sep 17 00:00:00 2001
+From: Witek Bedyk <wbedyk@suse.com>
+Date: Thu, 19 May 2022 12:52:12 +0200
+Subject: [PATCH] Make sure SaltCacheLoader use correct fileclient (#519)
+
+Backported from https://github.com/saltstack/salt/pull/61895
+
+Signed-off-by: Witek Bedyk <witold.bedyk@suse.com>
+---
+ salt/state.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/salt/state.py b/salt/state.py
+index b759c8e0ee..2c785233c5 100644
+--- a/salt/state.py
++++ b/salt/state.py
+@@ -4061,6 +4061,9 @@ class BaseHighState:
+             )
+         else:
+             try:
++                # Make sure SaltCacheLoader use correct fileclient
++                if context is None:
++                    context = {"fileclient": self.client}
+                 state = compile_template(
+                     fn_,
+                     self.state.rend,
+-- 
+2.36.0
+
+

salt.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Thu Jun 16 09:52:06 UTC 2022 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
+
+- Fix PAM auth issue due missing check for PAM_ACCT_MGM return value (CVE-2022-22967) (bsc#1200566)
+
+- Added:
+  * fix-for-cve-2022-22967-bsc-1200566.patch
+
+-------------------------------------------------------------------
+Thu May 19 11:00:15 UTC 2022 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
+
+- Make sure SaltCacheLoader use correct fileclient (bsc#1199149)
+
+- Added:
+  * make-sure-saltcacheloader-use-correct-fileclient-519.patch
+
 -------------------------------------------------------------------
 Tue Apr 12 09:21:38 UTC 2022 - Victor Zhestkov <victor.zhestkov@suse.com>
 

salt.spec

@@ -304,6 +304,10 @@ Patch78:        prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch
 
 # PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/506
 Patch79:        fix-regression-with-depending-client.ssh-on-psutil-b.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/61895
+Patch80:        make-sure-saltcacheloader-use-correct-fileclient-519.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/commit/e068a34ccb2e17ae7224f8016a24b727f726d4c8
+Patch81:        fix-for-cve-2022-22967-bsc-1200566.patch
 
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build