Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 475438 (CVE-2013-2228) - app-admin/salt: Multiple Vulnerabilities (CVE-2013-2228)
Summary: app-admin/salt: Multiple Vulnerabilities (CVE-2013-2228)
Alias: CVE-2013-2228
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa]
Depends on:
Reported: 2013-07-01 17:04 UTC by Agostino Sarubbo
Modified: 2013-07-03 00:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-07-01 17:04:15 UTC
From ${URL} :


Multiple vulnerabilities have been reported in Salt, which can be exploited by malicious users to 
compromise a vulnerable system and by malicious people to conduct brute force attacks and bypass 
certain security restrictions.

1) Certain input related to the ID of a connecting minion is not properly verified before being 
used to write files. This can be exploited to write files in arbitrary locations and e.g. bypass 
the manual validation of new unknown minions.

2) An error when generating RSA keys within the "gen_keys()" function in salt/ can be 
exploited to derive the private key and e.g. impersonate Salt masters or minions or disclose 
communications contents.

The vulnerabilities #1 and #2 are reported in versions prior to 0.15.1.

3) Certain input related to the "ext_pillar" option is not properly sanitised before being used to 
execute commands. This can be exploited to inject and execute arbitrary shell commands.

This vulnerability is reported in versions 0.14.0 through 0.15.0.

Update to version 0.15.1.

Provided and/or discovered by:
The vendor credits Ronald Volgers.

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Patrick McLean gentoo-dev 2013-07-01 18:26:00 UTC
Version 0.15.1 was added to the tree on May 11th.

No need to stabilize as there are no stable versions of salt in the tree as of yet.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-02 20:38:21 UTC
0.14.1 needs to be removed, I believe.
Comment 3 Patrick McLean gentoo-dev 2013-07-02 23:35:03 UTC
Ok, all versions lower that 0.15.3 have been removed from the tree.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-03 00:03:15 UTC
All done, then.