Bug 627928 (CVE-2017-12791)

Summary:	<app-admin/salt-2016.11.8: directory traversals on the Salt-master via crafted minion ID
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	chutzpah
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/saltstack/salt/pull/42944
Whiteboard:	~2 [noglsa cve]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	633868

Description GLSAMaker/CVETool Bot gentoo-dev

2017-08-15 15:48:57 UTC

CVE-2017-12791 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12791):
  Maliciously crafted minion IDs can cause unwanted directory traversals on
  the Salt-master.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-08-15 15:53:15 UTC

@ Maintainer(s): Please bump to

>=app-admin/salt-2016.3.7
>=app-admin/salt-2016.11.7
>=app-admin/salt-2017.7.1

Comment 2 Manuel Rüger (RETIRED) gentoo-dev

2017-08-15 17:22:26 UTC

(In reply to Thomas Deutschmann from comment #1)
> @ Maintainer(s): Please bump to
> 
> >=app-admin/salt-2016.3.7
> >=app-admin/salt-2016.11.7
Added the specified versions and cleaned the old ones up.
Applied the fix to salt-2015.8.13 series as well (in 2015.8.13-r1), which I assume Patrick still wants to keep around.

These still need to be fixed:
> =app-admin/salt-2015.5.10
> =app-admin/salt-2017.7.0
These need to be cleaned up:
> =salt-2015.8.13

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2017-10-28 14:02:12 UTC

@maintainer, upstream only patched 2016.11. Are previous versions needed?

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2018-01-25 00:47:16 UTC

Tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83c3b7ff1b9edab8f437aad399ec4b01c07395d2