Bug 200172

Summary: sysutils/py-salt: Multiple security vulnerabilities
Product: Ports & Packages Reporter: Sevan Janiyan <venture37>
Component: Individual Port(s) Assignee: freebsd-python (Nobody) <python>
Status: Closed FIXED    
Severity: Affects Only Me CC: christer.edwards, junovitch, xmj
Priority: --- Keywords: needs-patch, security
Version: Latest Flags: koobs: maintainer-feedback+
Hardware: Any   
OS: Any   
Bug Depends on:    
Bug Blocks: 200044    
Description Flags
Patch for security/vuxml update for Salt 2015.5.0 koobs: maintainer-approval+

Description Sevan Janiyan 2015-05-13 15:23:29 UTC

Bug/200044 will bring in a new version to resolve the issue, just needs a vuxml entry
Comment 1 Christer Edwards 2015-05-14 00:13:56 UTC
This issue has been addressed upstream and the fix is included in the 2015.5.0 release which is pending commit now.

See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200044
Comment 2 Sevan Janiyan 2015-05-14 00:17:30 UTC
(In reply to christer.edwards from comment #1)

Correct, vuxml still needs an entry so users of previous versions are informed of the vulnerability. Which is what this bug report is more about.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2015-05-14 02:39:15 UTC
Patch required for VuXML entry

See instructions in security/vuxml/vuxml.xml and the Porter's Handbook: 
Comment 4 Jason Unovitch freebsd_committer freebsd_triage 2015-05-16 00:20:24 UTC
Created attachment 156815 [details]
Patch for security/vuxml update for Salt 2015.5.0


# After patching

root@xts-bsd:/usr/ports/security/vuxml # make validate                                                                       [55/1947]
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/us
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py

# After copy to /var/db/pkg/vuxml.xml on vulnerable saltmaster

root@saltmaster:~ # pkg audit
py27-salt-2014.7.5 is vulnerable:
py-salt -- potential shell injection vulnerabilities
WWW: http://vuxml.FreeBSD.org/freebsd/865863af-fb5e-11e4-8fda-002590263bf5.html

1 problem(s) in the installed packages found.
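The `pkg audit` output above is the point of the whole exercise: once the entry is in `vuxml.xml`, every host with a package name and version inside the entry's `<range>` gets flagged. As an added illustration (not the vuxml port's tooling, not pkg(8) code, and not the attached patch), the following Python script parses a constructed VuXML fragment and reproduces that version-range decision, plus a few structural checks in the spirit of `make validate`. The vid, topic and the 2015.5.0 fix version are taken from this report; the package name `py27-salt`, the single `<lt>` bound, and the simplified version parser (numeric dotted versions with optional `_revision` and `,epoch`, a subset of the rules in pkg-version(8)) are assumptions of the example.

```python
"""Minimal VuXML checker: decide whether an installed package version
falls inside an entry's affected range, the way pkg audit does.
Constructed example; not FreeBSD's vuxml port or pkg(8) code."""
import re
import xml.etree.ElementTree as ET

# Constructed VuXML fragment, limited to the elements the checker reads.
# vid, topic and fix version come from the bug report; package name and
# range bound are assumptions for the example.
VUXML_SAMPLE = """
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="865863af-fb5e-11e4-8fda-002590263bf5">
    <topic>py-salt -- potential shell injection vulnerabilities</topic>
    <affects>
      <package>
        <name>py27-salt</name>
        <range><lt>2015.5.0</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
VID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Range bound elements VuXML allows and how each compares installed vs bound.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def parse_version(v):
    """Turn 'major.minor.patch_rev,epoch' into a comparable tuple.
    Simplified: numeric dotted components only; full rules are in
    pkg-version(8). Epoch dominates, then the dotted part, then revision."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    return (epoch, tuple(int(p) for p in v.split(".")), rev)


def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def lint(vuxml_text):
    """Structural checks in the spirit of 'make validate' (not a replacement
    for it): well-formed XML, UUID-shaped vid, non-empty topic, named
    packages, and only known range bounds. Returns a list of problems."""
    problems = []
    root = ET.fromstring(vuxml_text)  # raises ParseError if not well-formed
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid", "")
        if not VID_RE.match(vid):
            problems.append(f"bad vid {vid!r}")
        if not vuln.findtext("v:topic", default="", namespaces=NS).strip():
            problems.append(f"{vid}: missing topic")
        for pkg in vuln.findall("v:affects/v:package", NS):
            if not pkg.findall("v:name", NS):
                problems.append(f"{vid}: package without name")
            for rng in pkg.findall("v:range", NS):
                for bound in rng:
                    if local(bound.tag) not in OPS:
                        problems.append(f"{vid}: unknown bound {local(bound.tag)}")
    return problems


def audit(installed, vuxml_text=VUXML_SAMPLE):
    """installed: {pkgname: version}. Returns pkg-audit-style findings.
    A package matches when every bound of any one <range> holds."""
    root = ET.fromstring(vuxml_text)
    findings = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        topic = vuln.findtext("v:topic", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = {n.text for n in pkg.findall("v:name", NS)}
            for name, ver in installed.items():
                if name not in names:
                    continue
                for rng in pkg.findall("v:range", NS):
                    if all(OPS[local(b.tag)](parse_version(ver), parse_version(b.text))
                           for b in rng):
                        findings.append({
                            "package": f"{name}-{ver}",
                            "topic": topic,
                            "url": f"http://vuxml.FreeBSD.org/freebsd/{vid}.html",
                        })
                        break
    return findings


if __name__ == "__main__":
    print("lint problems:", lint(VUXML_SAMPLE))
    for f in audit({"py27-salt": "2014.7.5"}):
        print(f"{f['package']} is vulnerable:\n{f['topic']}\nWWW: {f['url']}")
```

Run as-is it reports `py27-salt-2014.7.5` against the entry, mirroring the `pkg audit` session in this comment; feeding it `2015.5.0` (or a later `_revision`) produces no finding, which is the behaviour the `<lt>2015.5.0</lt>` bound is meant to encode. The lint step is deliberately weaker than the port's `make validate`, which additionally runs `xmllint --valid` against the DTD, the tidy comparison and the whitespace check shown above.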
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2015-05-21 00:59:44 UTC
security/vuxml update was based on the official documentation in the release notes.  The security issue was also mentioned in the salt-announce list.


Neither references the issue discussed in http://www.openwall.com/lists/oss-security/2015/05/02/1.  I'm not sure about that issue so the update only covers announced issues.  With your approval this should be good to go in with the update to Salt 2015.5.0.

Comment 6 Christer Edwards 2015-05-22 04:19:44 UTC
Sounds good
Comment 7 Johannes Jost Meixner freebsd_committer freebsd_triage 2015-05-24 03:41:11 UTC
Kubilay, next time you grab any diff to a python port (including vulnerabilities like these) off freebsd-ports-bugs, please make sure to assign it to python@ or yourself.

I'm mildly frustrated that we're taking thirteen days to address a potential security issue in what is a widely used infrastructure port, not due to lack of patches but just lack of attention. freebsd-ports-bugs
Comment 8 commit-hook freebsd_committer freebsd_triage 2015-05-24 03:44:20 UTC
A commit references this bug:

Author: xmj
Date: Sun May 24 03:43:25 UTC 2015
New revision: 387242
URL: https://svnweb.freebsd.org/changeset/ports/387242

  document possible vulnerabilities in sysutils/py-salt

  PR:		200172
  Submitted by:	Sevan Janiyan <venture37@geeklan.co.uk>

Comment 9 Johannes Jost Meixner freebsd_committer freebsd_triage 2015-05-24 03:46:49 UTC
Modifying freebsd-ports-bugs, without changing the owner of a PR, is akin to throwing changes into a black hole, for all I care.

Anyway, enough ranting. Thanks Jason for submitting things. Let's make sure we'll do it better next time.
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2015-05-25 02:23:11 UTC
This issue's history doesn't show me modifying assignees, only triaging it as security related and requiring a patch.

If I'm mistaken, let's figure out what happened and how it can be done better in future offline (IRC)

Also regarding the commit log (and for reference here), the patch was:

Submitted by: Jason Unovitch <jason dot unovitch gmail com>
Reported by: Sevan Janiyan <venture37 geeklan co uk>
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2015-05-25 02:24:05 UTC
Comment on attachment 156815 [details]
Patch for security/vuxml update for Salt 2015.5.0

Maintainer approved in comment 6 (also missing in commit log)