saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

[BUG] CVE patches for 2017.7.8 contain code from a newer version and don't work #60011

Open romxi opened 3 years ago

romxi commented 3 years ago

Description

After applying the following CVE patches, salt 2017.7.8 stops working properly:

https://gitlab.com/saltstack/open/salt-patches/-/blob/master/patches/2021/01/28/2017.7.8.patch
https://gitlab.com/saltstack/open/salt-patches/-/blob/master/patches/2021/02/05/2017.7.8.patch

The last patch contains the following bug: the call `if daemonize and not salt.utils.platform.is_windows():` fails with the following error:

```
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/salt/utils/process.py", line 663, in _run
    return self._original_run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib/python2.7/dist-packages/salt/client/mixins.py", line 477, in _proc_function
    if daemonize and not salt.utils.platform.is_windows():
AttributeError: 'module' object has no attribute 'platform'
```

It seems `if daemonize and not salt.utils.is_windows():` should be used here. Also, `salt.utils.process.daemonize()` seems to be valid only for newer Salt versions.

Please review the CVE patches for 2017.7.8 and fix the issues. Thanks

Steps to Reproduce the behavior

Use the above function.

Expected behavior

All works fine.

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

```
Salt Version:
           Salt: 2017.7.8

Dependency Versions:
           cffi: 1.9.1
       cherrypy: 3.5.0
       dateutil: 2.4.2
      docker-py: 1.9.0
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: 0.21.1
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.12 (default, Nov 12 2018, 14:36:49)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.1.4

System Versions:
           dist: Ubuntu 16.04 xenial
         locale: UTF-8
        machine: x86_64
        release: 4.15.0-43-generic
         system: Linux
        version: Ubuntu 16.04 xenial
```

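The failure above is the classic backport hazard: a patch written against a newer tree references `salt.utils.platform.is_windows()` and `salt.utils.process.daemonize()`, which do not resolve in 2017.7.8, so the bug only surfaces at runtime on the affected code path. The check below is an added example (not code from the Salt project or from the patch repository) that walks the `+` lines of a unified diff, collects every dotted `salt.*` reference, and resolves each one against an inventory of the target tree before the patch is applied. The sample diff is constructed to mirror the traceback; the two inventories (one modelling the 2017.7.8 layout, where only `salt.utils.is_windows` exists, and one modelling a newer layout) are assumptions for the demonstration. `inventory_installed()` shows how to build the real inventory from an installed tree.

```python
"""Pre-apply check for backported patches: every dotted ``salt.*`` name introduced
on a ``+`` line must resolve in the target tree, otherwise the patch will raise
AttributeError at runtime (as in the 2017.7.8 traceback in this issue).
"""
import importlib
import pkgutil
import re
from typing import Dict, Iterator, List, Set

# Dotted attribute chain rooted at the ``salt`` package, e.g. salt.utils.platform.is_windows
DOTTED_REF = re.compile(r"\bsalt(?:\.[A-Za-z_][A-Za-z0-9_]*)+")

# Constructed diff for the example; modelled on the failing line in the traceback,
# NOT the actual content of the 2021/02/05 patch.
SAMPLE_DIFF = """\
--- a/salt/client/mixins.py
+++ b/salt/client/mixins.py
@@ -474,7 +474,7 @@
-        if daemonize and not salt.utils.is_windows():
+        if daemonize and not salt.utils.platform.is_windows():
             # Shutdown the multiprocessing before daemonizing
-            salt.utils.daemonize()
+            salt.utils.process.daemonize()
"""

# Assumed inventory of the 2017.7.8 tree: module path -> names defined in that module.
# Only the facts visible in the issue are encoded: salt.utils.is_windows exists,
# salt.utils.platform does not, salt.utils.process has no daemonize().
SALT_2017_7_INVENTORY: Dict[str, Set[str]] = {
    "salt.utils": {"is_windows"},
    "salt.utils.process": {"MultiprocessingProcess"},
}

# Assumed inventory of a newer layout, where the patch's names do resolve.
NEWER_INVENTORY: Dict[str, Set[str]] = {
    "salt.utils": set(),
    "salt.utils.platform": {"is_windows"},
    "salt.utils.process": {"daemonize", "MultiprocessingProcess"},
}


def added_lines(diff_text: str) -> Iterator[str]:
    """Yield the content of '+' lines, skipping the '+++ b/...' file header."""
    for line in diff_text.splitlines():
        if line.startswith("+++"):
            continue
        if line.startswith("+"):
            yield line[1:]


def referenced_names(diff_text: str) -> Set[str]:
    """All dotted salt.* references introduced by the patch."""
    return {m.group(0) for line in added_lines(diff_text) for m in DOTTED_REF.finditer(line)}


def resolve(name: str, inventory: Dict[str, Set[str]]) -> bool:
    """True if ``name`` is a known module or a name defined in a known module.

    The longest module prefix wins; an attribute of an attribute (two trailing
    parts after the module) cannot be checked from the inventory and is treated
    as unresolved, which is the conservative choice for a pre-apply gate.
    """
    parts = name.split(".")
    for i in range(len(parts), 0, -1):
        module = ".".join(parts[:i])
        if module in inventory:
            rest = parts[i:]
            if not rest:
                return True
            return len(rest) == 1 and rest[0] in inventory[module]
    return False


def unresolved_references(diff_text: str, inventory: Dict[str, Set[str]]) -> List[str]:
    """Sorted list of names the patch adds that the target tree does not provide."""
    return sorted(n for n in referenced_names(diff_text) if not resolve(n, inventory))


def inventory_installed(root: str = "salt.utils") -> Dict[str, Set[str]]:
    """Build the inventory from the installed target tree (not used offline).

    Submodules that fail to import (missing optional deps) are skipped rather
    than reported as present.
    """
    inventory: Dict[str, Set[str]] = {}
    pkg = importlib.import_module(root)
    inventory[root] = set(dir(pkg))
    for info in pkgutil.walk_packages(pkg.__path__, root + "."):
        try:
            inventory[info.name] = set(dir(importlib.import_module(info.name)))
        except Exception:  # noqa: BLE001 - import side effects vary per module
            continue
    return inventory


if __name__ == "__main__":
    for label, inv in (("2017.7.8", SALT_2017_7_INVENTORY), ("newer", NEWER_INVENTORY)):
        missing = unresolved_references(SAMPLE_DIFF, inv)
        print(f"{label}: {'OK' if not missing else 'unresolved ' + ', '.join(missing)}")
```

Against the assumed 2017.7.8 inventory the gate flags both `salt.utils.platform.is_windows` and `salt.utils.process.daemonize`; against the newer layout it reports nothing. In practice, run `inventory_installed()` on the exact package you intend to patch and treat any unresolved name as a reason to rework the backport, not merely to apply it and wait for a traceback.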

welcome[bot] commented 3 years ago

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at core@saltstack.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!

dwoz commented 2 years ago

@romxi Since these patches were made, there have been several other CVEs for which there are no patches. You should upgrade to a package of a currently supported version: 3002.x, 3003.x or 3004.x.