Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package salt for openSUSE:Factory checked in at 2022-06-24 08:45:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/salt (Old) and /work/SRC/openSUSE:Factory/.salt.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "salt" Fri Jun 24 08:45:04 2022 rev:129 rq:984677 version:3004 Changes: --------
--- /work/SRC/openSUSE:Factory/salt/salt.changes 2022-04-14 17:25:36.551273468 +0200
+++ /work/SRC/openSUSE:Factory/.salt.new.1548/salt.changes 2022-06-24 08:45:13.963133946 +0200
@@ -1,0 +2,16 @@
+Thu Jun 16 09:52:06 UTC 2022 - Pablo Su??rez Hern??ndez <[email protected]>
+
+- Fix PAM auth issue due missing check for PAM_ACCT_MGM return value (CVE-2022-22967) (bsc#1200566)
+
+- Added:
+ * fix-for-cve-2022-22967-bsc-1200566.patch
+
+-------------------------------------------------------------------
+Thu May 19 11:00:15 UTC 2022 - Pablo Su??rez Hern??ndez <[email protected]>
+
+- Make sure SaltCacheLoader use correct fileclient (bsc#1199149)
+
+- Added:
+ * make-sure-saltcacheloader-use-correct-fileclient-519.patch
+
+-------------------------------------------------------------------
New: ---- fix-for-cve-2022-22967-bsc-1200566.patch make-sure-saltcacheloader-use-correct-fileclient-519.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ salt.spec ++++++
--- /var/tmp/diff_new_pack.E2BTFx/_old 2022-06-24 08:45:15.427135586 +0200
+++ /var/tmp/diff_new_pack.E2BTFx/_new 2022-06-24 08:45:15.431135591 +0200
@@ -304,6 +304,10 @@
 # PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/506
 Patch79: fix-regression-with-depending-client.ssh-on-psutil-b.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/61895
+Patch80: make-sure-saltcacheloader-use-correct-fileclient-519.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/commit/e068a34ccb2e17ae7224f8016a24b727f726d4c8
+Patch81: fix-for-cve-2022-22967-bsc-1200566.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
++++++ _lastrevision ++++++
--- /var/tmp/diff_new_pack.E2BTFx/_old 2022-06-24 08:45:15.483135649 +0200
+++ /var/tmp/diff_new_pack.E2BTFx/_new 2022-06-24 08:45:15.487135653 +0200
@@ -1,3 +1,3 @@
-2a9748d411cf0d0e49f59fb6fa7ddd336992532e
+f20138622e17e52fd49e531edd607b46d08a146c
(No newline at EOF)
++++++ fix-for-cve-2022-22967-bsc-1200566.patch ++++++
>From a9c292fdf9ae53b86109337165214d8aadb155e7 Mon Sep 17 00:00:00 2001
From: Wayne Werner <[email protected]>
Date: Fri, 1 Apr 2022 14:21:57 -0500
Subject: [PATCH] Fix for CVE-2022-22967 (bsc#1200566)
---
 changelog/pam_auth.security | 1 +
 salt/auth/pam.py | 2 +-
 tests/pytests/unit/auth/test_pam.py | 32 +++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 changelog/pam_auth.security
 create mode 100644 tests/pytests/unit/auth/test_pam.py
diff --git a/changelog/pam_auth.security b/changelog/pam_auth.security
new file mode 100644
index 0000000000..52943680f4
--- /dev/null
+++ b/changelog/pam_auth.security
@@ -0,0 +1 @@
+Fixed PAM auth to reject auth attempt if user account is locked.
diff --git a/salt/auth/pam.py b/salt/auth/pam.py
index a9dde95149..d91883b743 100644
--- a/salt/auth/pam.py
+++ b/salt/auth/pam.py
@@ -209,7 +209,7 @@ def authenticate(username, password):
 retval = PAM_AUTHENTICATE(handle, 0)
 if retval == 0:
- PAM_ACCT_MGMT(handle, 0)
+ retval = PAM_ACCT_MGMT(handle, 0)
 PAM_END(handle, 0)
 return retval == 0
diff --git a/tests/pytests/unit/auth/test_pam.py b/tests/pytests/unit/auth/test_pam.py
new file mode 100644
index 0000000000..f5f49e65d8
--- /dev/null
+++ b/tests/pytests/unit/auth/test_pam.py
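Review bot: In `authenticate()` in salt/auth/pam.py, `PAM_END(handle, 0)` still passes a constant 0 as the status, even when `PAM_AUTHENTICATE` or the now-checked `PAM_ACCT_MGMT` returned an error. Assuming `PAM_END` wraps libpam's pam_end, that argument is documented as the value returned by the last PAM call and may be seen by module cleanup callbacks, so `PAM_END(handle, retval)` would be the accurate call. A comment above the new assignment would also help keep the check from being dropped again, e.g. `# account management (locked or expired account) must succeed too; its result decides the return value`. The body of authenticate() starts outside this hunk, so whether the handle is released on earlier error paths cannot be judged from here.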
@@ -0,0 +1,32 @@
+import pytest
+import salt.auth.pam
+from tests.support.mock import patch
+
+
[email protected]
+def configure_loader_modules():
+ return {salt.auth.pam: {}}
+
+
[email protected]
+def mock_pam():
+ with patch("salt.auth.pam.CALLOC", autospec=True), patch(
+ "salt.auth.pam.pointer", autospec=True
+ ), patch("salt.auth.pam.PamHandle", autospec=True), patch(
+ "salt.auth.pam.PAM_START", autospec=True, return_value=0
+ ), patch(
+ "salt.auth.pam.PAM_AUTHENTICATE", autospec=True, return_value=0
+ ), patch(
+ "salt.auth.pam.PAM_END", autospec=True
+ ):
+ yield
+
+
+def test_cve_if_pam_acct_mgmt_returns_nonzero_authenticate_should_be_false(mock_pam):
+ with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=42):
+ assert salt.auth.pam.authenticate(username="fnord", password="fnord") is False
+
+
+def test_if_pam_acct_mgmt_returns_zero_authenticate_should_be_true(mock_pam):
+ with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=0):
+ assert salt.auth.pam.authenticate(username="fnord", password="fnord") is True
-- 2.36.1
++++++ make-sure-saltcacheloader-use-correct-fileclient-519.patch ++++++
>From cdd5edaa40233d83e3ed2eb61de3fbf70bc29dfb Mon Sep 17 00:00:00 2001
From: Witek Bedyk <[email protected]>
Date: Thu, 19 May 2022 12:52:12 +0200
Subject: [PATCH] Make sure SaltCacheLoader use correct fileclient (#519)
Backported from https://github.com/saltstack/salt/pull/61895
Signed-off-by: Witek Bedyk <[email protected]>
---
 salt/state.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/state.py b/salt/state.py
index b759c8e0ee..2c785233c5 100644
--- a/salt/state.py
+++ b/salt/state.py
@@ -4061,6 +4061,9 @@ class BaseHighState:
 )
 else:
 try:
+ # Make sure SaltCacheLoader use correct fileclient
+ if context is None:
+ context = {"fileclient": self.client}
 state = compile_template(
 fn_,
 self.state.rend,
-- 2.36.0
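Review bot: The new tests in tests/pytests/unit/auth/test_pam.py only vary `PAM_ACCT_MGMT`, because the `mock_pam` fixture pins `PAM_AUTHENTICATE` to `return_value=0`. Nothing checks that a failed authentication step yields False without reaching account management. A third test that patches `PAM_AUTHENTICATE` with a nonzero return, asserts `authenticate(...) is False` and asserts that the `PAM_ACCT_MGMT` mock was not called would cover the other half of the `retval == 0` logic. The literal `42` would also read better with a short comment such as `# any nonzero PAM status, e.g. a locked or expired account`.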
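Review bot: The guard added in salt/state.py only covers `context is None`, so a caller that passes a context without a `"fileclient"` entry would still reach `compile_template` without `self.client`. The hunk does not show where `context` comes from, so whether such callers exist needs checking. If they do and `context` is always a plain dict, `context = {"fileclient": self.client, **(context or {})}` would cover both cases without mutating the caller's object. The assignment cannot raise, so it could sit before `try:` to keep the guarded region to the template compilation. The comment would be more useful if it said which file client is picked when the key is missing. The enclosing method starts and ends outside this hunk.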
