Bug 1289109 - (CVE-2015-8034) CVE-2015-8034 salt: Information leak from state.sls cache data stored as world-readable
CVE-2015-8034 salt: Information leak from state.sls cache data stored as worl...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20151030,repor...
: Reopened, Security
Depends On: 1289110 1289111
Blocks: 1289115
  Show dependency treegraph
 
Reported: 2015-12-07 08:17 EST by Adam Mariš
Modified: 2016-02-17 11:28 EST (History)
5 users (show)

See Also:
Fixed In Version: salt 2015.8.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-14 23:30:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2015-12-07 08:17:14 EST
It was found that state.sls function stores state run cache on the minion onto the disk with incorrect permissions, making it world-readable. This file could potentially contain sensitive data that was inserted via jinja into the state SLS files.

Upstream bug report:

https://github.com/saltstack/salt/issues/28455

Upstream patch:

https://github.com/cachedout/salt/commit/097838ec0c52b1e96f7f761e5fb3cd7e79808741
Comment 1 Adam Mariš 2015-12-07 08:17:48 EST
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1289110]
Affects: epel-all [bug 1289111]
Comment 2 Erik Johnson 2016-01-25 11:59:55 EST
The 2015.5.9 builds currently in testing include this patch already.
Comment 3 Erik Johnson 2016-01-25 12:02:03 EST
Actually, the 2015.5.8 builds in stable also include this patch, so I'm going to close this.
Comment 4 Siddharth Sharma 2016-01-25 13:58:15 EST
(In reply to Erik Johnson from comment #3)
> Actually, the 2015.5.8 builds in stable also include this patch, so I'm
> going to close this.

Please do not close CVE bugs, these bugs are supposed to be closed by Red Hat's Product Security after the issue is fixed in all its products.

Thanks
Comment 5 Erik Johnson 2016-01-25 14:05:40 EST
OK, but the issue *is* fixed. 2015.5.8 is in stable. What is the path to getting this issue closed, then, since I didn't add the bug number when I submitted the 2015.5.8 builds to bodhi?

I did add this bug to the 2015.5.9 builds of Salt currently in testing, before I realized that the issue was already resolved in 2015.5.8.
Comment 6 Fedora Update System 2016-02-04 19:21:41 EST
salt-2015.5.9-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.