[Pkg-salt-team] Bug#1000265: typo in fix for CVE-2021-21996 breaks file.managed on stretch

Markus Koschany apo at debian.org
Sat Nov 20 22:35:45 GMT 2021


On Sat, 20 Nov 2021 16:46:34 +0000 Jamie Heilman <jamie at audible.transient.net>
wrote:
> Package: salt-common
> Version: 2016.11.2+ds-1+deb9u8
> Severity: grave
> 
> The patch for 994016 in the
> /usr/lib/python2.7/dist-packages/salt/fileclient.py file included:
> 
> +        # clean_path returns an empty string if the check fails
> +        root_path = salt.utils.path.join(cachedir, "extrn_files", saltenv,
netloc)
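Review bot: the second added line calls `salt.utils.path.join(...)`, which needs a `salt.utils.path` module; the report states that 2016.11.2 in stretch only provides `salt.utils.path_join(...)`, so the backport should read `root_path = salt.utils.path_join(cachedir, "extrn_files", saltenv, netloc)`. The comment on the first added line describes what clean_path returns, but the statement under it only builds root_path, so the comment should sit next to the clean_path call it explains.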
> 
> which might work for newer versions of salt, but in stretch that has
> to be salt.utils.path_join(...) as the salt.utils.path module didn't
> exist yet.  As-is, the security update for CVE-2021-21996 makes
> file.managed states fail with:
> 
>   Unable to manage file: 'module' object has no attribute 'path'
> 
> which makes salt on stretch pretty much unusable.


Thanks for the report. I wonder why the tests didn't catch that problem. I will
address this with the next upload of salt.

Regards,

Markus
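
A static check that flags this class of backport error before upload, as an added example that is not part of the original thread or of the salt or Debian packaging code. `unresolved_refs` and `stretch_like_salt` are hypothetical names, and the module tree is a constructed stand-in for the stretch layout the report describes, so it runs without salt installed.

```python
import ast
import types

def unresolved_refs(source, roots):
    """Return sorted (lineno, dotted prefix) pairs for attribute chains that
    start at a name in `roots` but do not resolve on the given objects."""
    missing = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Attribute):
            continue
        # Unwind a.b.c into ["c", "b"] plus the root Name; skip other chains.
        parts, cur = [], node
        while isinstance(cur, ast.Attribute):
            parts.append(cur.attr)
            cur = cur.value
        if not isinstance(cur, ast.Name) or cur.id not in roots:
            continue
        obj, seen = roots[cur.id], [cur.id]
        for attr in reversed(parts):
            seen.append(attr)
            if not hasattr(obj, attr):
                # Report the shortest prefix that fails, once per line.
                missing.add((node.lineno, ".".join(seen)))
                break
            obj = getattr(obj, attr)
    return sorted(missing)

def stretch_like_salt():
    """Constructed stand-in for the layout the report describes:
    salt.utils has path_join, and there is no salt.utils.path module."""
    salt = types.ModuleType("salt")
    salt.utils = types.ModuleType("salt.utils")
    salt.utils.path_join = lambda *parts: "/".join(parts)
    return salt

# The line quoted in the report, and the call the reporter says stretch needs.
BACKPORTED = 'root_path = salt.utils.path.join(cachedir, "extrn_files", saltenv, netloc)\n'
CORRECTED = 'root_path = salt.utils.path_join(cachedir, "extrn_files", saltenv, netloc)\n'

if __name__ == "__main__":
    roots = {"salt": stretch_like_salt()}
    for label, src in (("backported", BACKPORTED), ("corrected", CORRECTED)):
        print(label, unresolved_refs(src, roots))
```

Against a real installed package, import the submodules the patched file itself imports before running the check, since a submodule only appears as an attribute of its parent once it has been imported.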