diff -Nru salt-2016.11.2+ds/debian/changelog salt-2016.11.2+ds/debian/changelog
--- salt-2016.11.2+ds/debian/changelog	2018-01-22 16:30:47.000000000 +0100
+++ salt-2016.11.2+ds/debian/changelog	2018-04-20 14:33:54.000000000 +0200
@@ -1,3 +1,10 @@
+salt (2016.11.2+ds-1+deb9u2) stretch; urgency=medium
+
+  * Fix CVE-2017-8109: salt-ssh minion copied over configuration from the
+    Salt Master without adjusting permissions (Closes: #861219)
+
+ -- Ondřej Nový <onovy@debian.org>  Fri, 20 Apr 2018 14:33:54 +0200
+
 salt (2016.11.2+ds-1+deb9u1) stretch; urgency=medium
 
   * Fix CVE-2017-12791: Directory traversal vulnerability on salt-master
diff -Nru salt-2016.11.2+ds/debian/patches/CVE-2017-8109.patch salt-2016.11.2+ds/debian/patches/CVE-2017-8109.patch
--- salt-2016.11.2+ds/debian/patches/CVE-2017-8109.patch	1970-01-01 01:00:00.000000000 +0100
+++ salt-2016.11.2+ds/debian/patches/CVE-2017-8109.patch	2018-03-19 09:43:18.000000000 +0100
@@ -0,0 +1,195 @@
+From 6e34c2b5e5e849302af7ccd00509929c3809c658 Mon Sep 17 00:00:00 2001
+From: Daniel Wallace <danielwallace@gtmanfred.com>
+Date: Mon, 10 Apr 2017 10:30:20 -0600
+Subject: [PATCH] stat file when placing it on server instead of caching
+
+remove chmod of files in the fileserver
+add stat_file to cp module
+use cp.stat_file to get file mode in file module
+add a note about keep not working with ssh
+---
+ salt/fileclient.py   | 75 +---------------------------------------------------
+ salt/modules/cp.py   | 22 +++++++++++++++
+ salt/modules/file.py | 11 ++++++--
+ salt/states/file.py  |  7 +++++
+ 4 files changed, 39 insertions(+), 76 deletions(-)
+
+--- a/salt/fileclient.py
++++ b/salt/fileclient.py
+@@ -779,22 +779,6 @@
+         if not fnd_path:
+             return ''
+ 
+-        try:
+-            fnd_mode = fnd.get('stat', [])[0]
+-        except (IndexError, TypeError):
+-            fnd_mode = None
+-
+-        if not salt.utils.is_windows():
+-            if fnd_mode is not None:
+-                try:
+-                    if os.stat(dest).st_mode != fnd_mode:
+-                        try:
+-                            os.chmod(dest, fnd_mode)
+-                        except OSError as exc:
+-                            log.warning('Failed to chmod %s: %s', dest, exc)
+-                except Exception:
+-                    pass
+-
+         return fnd_path
+ 
+     def file_list(self, saltenv='base', prefix=''):
+@@ -1046,47 +1030,7 @@
+                 mode_local = None
+ 
+             if hash_local == hash_server:
+-                if not salt.utils.is_windows():
+-                    if mode_server is None:
+-                        log.debug('No file mode available for \'%s\'', path)
+-                    elif mode_local is None:
+-                        log.debug(
+-                            'No file mode available for \'%s\'',
+-                            dest2check
+-                        )
+-                    else:
+-                        if mode_server == mode_local:
+-                            log.info(
+-                                'Fetching file from saltenv \'%s\', '
+-                                '** skipped ** latest already in cache '
+-                                '\'%s\', mode up-to-date', saltenv, path
+-                            )
+-                        else:
+-                            try:
+-                                os.chmod(dest2check, mode_server)
+-                                log.info(
+-                                    'Fetching file from saltenv \'%s\', '
+-                                    '** updated ** latest already in cache, '
+-                                    '\'%s\', mode updated from %s to %s',
+-                                    saltenv,
+-                                    path,
+-                                    salt.utils.st_mode_to_octal(mode_local),
+-                                    salt.utils.st_mode_to_octal(mode_server)
+-                                )
+-                            except OSError as exc:
+-                                log.warning(
+-                                    'Failed to chmod %s: %s', dest2check, exc
+-                                )
+-                    # We may not have been able to check/set the mode, but we
+-                    # don't want to re-download the file because of a failure
+-                    # in mode checking. Return the cached path.
+-                    return dest2check
+-                else:
+-                    log.info(
+-                        'Fetching file from saltenv \'%s\', ** skipped ** '
+-                        'latest already in cache \'%s\'', saltenv, path
+-                    )
+-                    return dest2check
++                return dest2check
+ 
+         log.debug(
+             'Fetching file from saltenv \'%s\', ** attempting ** \'%s\'',
+@@ -1203,23 +1147,6 @@
+                 saltenv, path
+             )
+ 
+-        if not salt.utils.is_windows():
+-            if mode_server is not None:
+-                try:
+-                    if os.stat(dest).st_mode != mode_server:
+-                        try:
+-                            os.chmod(dest, mode_server)
+-                            log.info(
+-                                'Fetching file from saltenv \'%s\', '
+-                                '** done ** \'%s\', mode set to %s',
+-                                saltenv,
+-                                path,
+-                                salt.utils.st_mode_to_octal(mode_server)
+-                            )
+-                        except OSError:
+-                            log.warning('Failed to chmod %s: %s', dest, exc)
+-                except OSError:
+-                    pass
+         return dest
+ 
+     def file_list(self, saltenv='base', prefix=''):
+--- a/salt/modules/cp.py
++++ b/salt/modules/cp.py
+@@ -628,6 +628,28 @@
+     return _client().hash_file(path, saltenv)
+ 
+ 
++def stat_file(path, saltenv='base', octal=True):
++    '''
++    Return the permissions of a file, to get the permissions of a file on the
++    salt master file server prepend the path with salt://<file on server>
++    otherwise, prepend the file with / for a local file.
++
++    CLI Example:
++
++    .. code-block:: bash
++
++        salt '*' cp.stat_file salt://path/to/file
++    '''
++    path, senv = salt.utils.url.split_env(path)
++    if senv:
++        saltenv = senv
++
++    stat = _client().hash_and_stat_file(path, saltenv)[1]
++    if stat is None:
++        return stat
++    return salt.utils.st_mode_to_octal(stat[0]) if octal is True else stat[0]
++
++
+ def push(path, keep_symlinks=False, upload_path=None, remove_source=False):
+     '''
+     WARNING Files pushed to the master will have global read permissions..
+--- a/salt/modules/file.py
++++ b/salt/modules/file.py
+@@ -4287,7 +4287,7 @@
+             if _urlparse(source).scheme in ('salt', 'file') \
+                     or source.startswith('/'):
+                 try:
+-                    mode = salt.utils.st_mode_to_octal(os.stat(sfn).st_mode)
++                    mode = __salt__['cp.stat_file'](source, saltenv=saltenv, octal=True)
+                 except Exception as exc:
+                     log.warning('Unable to stat %s: %s', sfn, exc)
+     changes = check_file_meta(name, sfn, source, source_sum, user,
+@@ -4544,6 +4544,13 @@
+         a local file on the minion), the mode of the destination file will be
+         set to the mode of the source file.
+ 
++        .. note:: keep_mode does not work with salt-ssh.
++
++            As a consequence of how the files are transfered to the minion, and
++            the inability to connect back to the master with salt-ssh, salt is
++            unable to stat the file as it exists on the fileserver and thus
++            cannot mirror the mode on the salt-ssh minion
++
+     CLI Example:
+ 
+     .. code-block:: bash
+@@ -4578,7 +4585,7 @@
+             if _urlparse(source).scheme in ('salt', 'file') \
+                     or source.startswith('/'):
+                 try:
+-                    mode = salt.utils.st_mode_to_octal(os.stat(sfn).st_mode)
++                    mode = __salt__['cp.stat_file'](source, saltenv=saltenv, octal=True)
+                 except Exception as exc:
+                     log.warning('Unable to stat %s: %s', sfn, exc)
+ 
+--- a/salt/states/file.py
++++ b/salt/states/file.py
+@@ -1318,6 +1318,13 @@
+             the ``contents`` options, setting the ``mode`` to ``keep`` is also
+             incompatible with the ``contents`` options.
+ 
++        .. note:: keep does not work with salt-ssh.
++
++            As a consequence of how the files are transfered to the minion, and
++            the inability to connect back to the master with salt-ssh, salt is
++            unable to stat the file as it exists on the fileserver and thus
++            cannot mirror the mode on the salt-ssh minion
++
+     template
+         If this setting is applied, the named templating engine will be used to
+         render the downloaded file. The following templates are supported:
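Review bot: In the two `salt/modules/file.py` hunks (at -4287 and -4578), a `None` result from the new `cp.stat_file` is assigned to `mode` with no log line, so with `keep_mode` nothing records that the source mode was never obtained. `stat_file` returns `None` explicitly when `hash_and_stat_file` yields no stat data, and the added notes say salt-ssh cannot stat the file on the fileserver at all. Since this patch is the permissions fix for CVE-2017-8109, I would make that fallback visible with something like `if mode is None: log.warning('No mode available for %s, source mode not kept', source)`, and have the existing handler log `source` instead of `sfn`, because `sfn` is no longer the path being stat'ed. How a `None` mode is treated afterwards lies outside these hunks (both enclosing functions start and end outside them), so the permissions the destination file ends up with should be confirmed there. The `stat_file` docstring should also describe the `octal` parameter and the `None` return.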
diff -Nru salt-2016.11.2+ds/debian/patches/series salt-2016.11.2+ds/debian/patches/series
--- salt-2016.11.2+ds/debian/patches/series	2018-01-22 16:30:47.000000000 +0100
+++ salt-2016.11.2+ds/debian/patches/series	2018-03-19 09:43:11.000000000 +0100
@@ -8,3 +8,4 @@
 CVE-2017-14696.patch
 Check_if_data_return_is_dict_type.patch
 clean-doc-without-sphinx.patch
+CVE-2017-8109.patch
