Bug 200172 - sysutils/py-salt: Multiple security vulnerabilities
Summary: sysutils/py-salt: Multiple security vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-python (Nobody)
URL:
Keywords: needs-patch, security
Depends on:
Blocks: 200044
  Show dependency treegraph
 
Reported: 2015-05-13 15:23 UTC by Sevan Janiyan
Modified: 2015-05-25 02:24 UTC (History)
3 users (show)

See Also:
koobs: maintainer-feedback+


Attachments
Patch for security/vuxml update for Salt 2015.5.0 (2.31 KB, patch)
2015-05-16 00:20 UTC, Jason Unovitch
koobs: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sevan Janiyan 2015-05-13 15:23:29 UTC
http://www.openwall.com/lists/oss-security/2015/05/02/1

Bug/200044 will bring in a new version to resolve the issue, just needs a vuxml entry
Comment 1 Christer Edwards 2015-05-14 00:13:56 UTC
This issue has been addressed upstream and the fix is included in the 2015.5.0 release which is pending commit now.

See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200044
Comment 2 Sevan Janiyan 2015-05-14 00:17:30 UTC
(In reply to christer.edwards from comment #1)

Correct, vuxml still needs an entry so users of previous versions are informed of the vulnerability. Which is what this bug report is more about.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2015-05-14 02:39:15 UTC
Patch required for VuXML entry

See instructions in security/vuxml/vuxml.xml and the porters handbook: 
http://www2.au.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#security-notify
Comment 4 Jason Unovitch freebsd_committer 2015-05-16 00:20:24 UTC
Created attachment 156815 [details]
Patch for security/vuxml update for Salt 2015.5.0

TESTING:

#
# After patching
#

root@xts-bsd:/usr/ports/security/vuxml # make validate                                                                       [55/1947]
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/us
r/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py

#
# After copy to /var/db/pkg/vuxml.xml on vulnerable saltmaster
#

root@saltmaster:~ # pkg audit
py27-salt-2014.7.5 is vulnerable:
py-salt -- potential shell injection vulnerabilities
WWW: http://vuxml.FreeBSD.org/freebsd/865863af-fb5e-11e4-8fda-002590263bf5.html

1 problem(s) in the installed packages found.
Comment 5 Jason Unovitch freebsd_committer 2015-05-21 00:59:44 UTC
Christer,
security/vuxml update was based on the official documentation in the release notes.  The security issue was also mentioned in the salt-announce list.

https://groups.google.com/forum/#!topic/salt-announce/kLJs2gmcHKs

Neither reference the issue discussed in http://www.openwall.com/lists/oss-security/2015/05/02/1.  I'm not sure about that issue so the update only covers announced issues.  With your approval this should be good to go in with the update to Salt 2015.5.0.

Jason
Comment 6 Christer Edwards 2015-05-22 04:19:44 UTC
Sounds good
Comment 7 Johannes Jost Meixner freebsd_committer 2015-05-24 03:41:11 UTC
Kubilay, next time you grab any diff to a python port (including vulnerabilities like these) off freebsd-ports-bugs, please make sure to assign it to python@ or yourself.

I'm mildly frustrated that we're taking thirteen days to address a potential security issue in what is a widely used infrastructure port, not due to lack of patches but just lack of attention. freebsd-ports-bugs
Comment 8 commit-hook freebsd_committer 2015-05-24 03:44:20 UTC
A commit references this bug:

Author: xmj
Date: Sun May 24 03:43:25 UTC 2015
New revision: 387242
URL: https://svnweb.freebsd.org/changeset/ports/387242

Log:
  document possible vulnerabilities in sysutils/py-salt

  PR:		200172
  Submitted by:	Sevan Janiyan <venture37@geeklan.co.uk>

Changes:
  head/security/vuxml/vuln.xml
Comment 9 Johannes Jost Meixner freebsd_committer 2015-05-24 03:46:49 UTC
Modifying freebsd-ports-bugs, without changing the owner of a PR, is akin to throwing changes into a black hole, for all I care.

Anyway, enough ranting. Thanks Jason for submitting things. Let's make sure we'll do it better next time.
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2015-05-25 02:23:11 UTC
This issues history doesn't show me modifying assignee's, only triaging it as security related and requiring a patch.

If I'm mistaken, let's figure out what happened and how it can be done better in future offline (IRC)

Also regarding the commit log (and for reference here), the patch was:

Submitted by: Jason Unovitch <jason dot unovitch gmail com>
Reported by: Sevan Janiyan <venture37 geeklan co uk>
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2015-05-25 02:24:05 UTC
Comment on attachment 156815 [details]
Patch for security/vuxml update for Salt 2015.5.0

Maintainer approved in comment 6 (also missing in commit log)