[Pkg-salt-team] Bug#1013872: salt: CVE-2022-22967
Emilio Pozuelo Monfort
pochu at debian.org
Mon Mar 6 12:34:16 GMT 2023
On Thu, 1 Sep 2022 08:13:07 +0200 Paul Gevers <elbrus at debian.org> wrote:
> Hi,
>
> On Sun, 26 Jun 2022 13:55:24 +0200 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> > Source: salt
>
> > The following vulnerability was published for salt.
> >
> > CVE-2022-22967[0]:
> > | An issue was discovered in SaltStack Salt in versions before 3002.9,
> > | 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows
> > | a previously authorized user whose account is locked still run Salt
> > | commands when their account is locked. This affects both local shell
> > | accounts with an active session and salt-api users that authenticate
> > | via PAM eauth.
>
>
> As much as I'd like to stay away from fixing packages, do you need help
> with this one? It's causing RC issues in testing even though it's removed.
>
> https://qa.debian.org/dose/debcheck/src_testing_main/1661922002/packages/pytest-testinfra.html#076c12ad0c0676e354433b4fd854e3d5
>
> There's a new upstream release and I pulled it locally, but there are a
> lot of changes. So without experience with the package, it's a bit much
> to go over.
The fix for this is very simple. We are ignoring pam_acct_mgmt()'s return value.
The upstream fix (with tests) is at:
https://github.com/saltstack/salt/commit/e068a34ccb2e17ae7224f8016a24b727f726d4c8
Cheers,
Emilio
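The two-stage PAM check Emilio refers to, written out as an added example (this is not Salt's code nor the upstream commit). It binds libpam through ctypes the way a Python daemon would, and factors the verdict into `access_decision()` so the pattern behind CVE-2022-22967 is visible: pam_authenticate() only verifies the credential, while a locked or expired account is reported by pam_acct_mgmt(), so treating the first return code as the whole answer lets such an account through. Assumptions: Linux-PAM return-code values, the `login` PAM service as a default, and libpam being present on the host for `authenticate()` (it is loaded lazily so the decision logic can be exercised without it).

```python
"""PAM authentication that honours pam_acct_mgmt() (added example)."""
import ctypes
from ctypes import (CFUNCTYPE, POINTER, Structure, byref, c_char_p, c_int,
                    c_size_t, c_void_p, cast, sizeof)
from ctypes.util import find_library

# Linux-PAM return codes used here (values from <security/_pam_types.h>).
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10
PAM_NEW_AUTHTOK_REQD = 12
PAM_ACCT_EXPIRED = 13

PAM_PROMPT_ECHO_OFF = 1  # conversation style used for password prompts


class PamHandle(Structure):
    _fields_ = [("handle", c_void_p)]


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(Structure):
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]


CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


def access_decision(auth_rc, acct_rc):
    """Grant access only if BOTH stages returned PAM_SUCCESS.

    The vulnerable pattern described in the thread is using auth_rc alone as
    the verdict; a locked account still has a valid password, so auth_rc is 0
    and only acct_rc (e.g. PAM_ACCT_EXPIRED or PAM_PERM_DENIED) says no.
    """
    return auth_rc == PAM_SUCCESS and acct_rc == PAM_SUCCESS


def authenticate(username, password, service="login"):
    """Run pam_authenticate() then pam_acct_mgmt(); return (auth_rc, acct_rc).

    Requires libpam on the host; 'login' as the service name is an assumption.
    """
    libc = ctypes.CDLL(find_library("c"))
    libpam = ctypes.CDLL(find_library("pam"))
    calloc = libc.calloc
    calloc.restype, calloc.argtypes = c_void_p, [c_size_t, c_size_t]
    strdup = libc.strdup
    strdup.restype, strdup.argtypes = c_void_p, [c_char_p]

    pam_start = libpam.pam_start
    pam_start.restype = c_int
    pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(PamHandle)]
    pam_authenticate = libpam.pam_authenticate
    pam_authenticate.restype, pam_authenticate.argtypes = c_int, [PamHandle, c_int]
    pam_acct_mgmt = libpam.pam_acct_mgmt
    pam_acct_mgmt.restype, pam_acct_mgmt.argtypes = c_int, [PamHandle, c_int]
    pam_end = libpam.pam_end
    pam_end.restype, pam_end.argtypes = c_int, [PamHandle, c_int]

    password_bytes = password.encode()

    @CONV_FUNC
    def conv(n_messages, messages, p_response, app_data):
        # PAM releases the response array and strings with free(), so they
        # must come from the C allocator, not from Python.
        addr = calloc(n_messages, sizeof(PamResponse))
        p_response[0] = cast(addr, POINTER(PamResponse))
        for i in range(n_messages):
            if messages[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                p_response.contents[i].resp = strdup(password_bytes)
                p_response.contents[i].resp_retcode = 0
        return PAM_SUCCESS

    handle = PamHandle()
    pam_conv = PamConv(conv, None)
    rc = pam_start(service.encode(), username.encode(), byref(pam_conv), byref(handle))
    if rc != PAM_SUCCESS:
        raise RuntimeError("pam_start failed with code %d" % rc)
    auth_rc = pam_authenticate(handle, 0)
    # The call whose result was being ignored: account lock/expiry status is
    # reported here, not by pam_authenticate(). Skip it if auth already failed.
    acct_rc = pam_acct_mgmt(handle, 0) if auth_rc == PAM_SUCCESS else auth_rc
    pam_end(handle, acct_rc)
    return auth_rc, acct_rc


if __name__ == "__main__":
    import getpass
    user = input("user: ")
    rcs = authenticate(user, getpass.getpass())
    print("auth_rc=%d acct_rc=%d granted=%s" % (rcs[0], rcs[1], access_decision(*rcs)))
```

The decision function is the part a unit test can pin down without a PAM stack: a correct password on a locked account yields `(PAM_SUCCESS, PAM_ACCT_EXPIRED)` or `(PAM_SUCCESS, PAM_PERM_DENIED)`, and both must be refused.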