[BUG] Master running 2019.2.4 or 3000.2 unable to synchronize files using saltutil.sync_all to 2017.7.1 minion due to CVE fix #57027

Closed
ecarson opened this issue Apr 30, 2020 · 3 comments
Labels
Bug broken, incorrect, or confusing behavior Core relates to code central or existential to Salt severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around v2019.2.5 unsupported version v3000.3 vulnerable version

ecarson commented Apr 30, 2020

Description
Master running 2019.2.4 or 3000.2 unable to synchronize files using saltutil.sync_all to 2017.7.1 minion due to CVE fix.

Setup
Master version (from Centos 7 py2 package):

# salt-master --version
/usr/lib/python2.7/site-packages/salt/scripts.py:109: DeprecationWarning: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date.  Salt will drop support for Python 2.7 in the Sodium release or later.
salt-master 3000.2

Master config

fileserver_backend:
  - roots

file_roots:
  base:
    - /srv/salt

pillar_roots:
  base:
    - /srv/pillar

Minion version (from Centos 7 public repos):

# salt-minion --version
salt-minion 2017.7.1 (Nitrogen)

Minion config:

log_level: debug

grains:
  node-ip: 192.168.1.13
log_level_logfile: debug
master:
- 192.168.1.9

Steps to Reproduce the behavior

Set up a minion with 2017.7.1 communicating with a master running 2019.2.4 or 3000.2 with the recent CVE vulnerability fixes. Accept the key on the master and then issue a "saltutil.sync_all":

[root@t149-dut1 ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
t149-dut2.openstacklocal
[root@t149-dut1 ~]# salt-key -L
Accepted Keys:
t149-dut2.openstacklocal
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@t149-dut1 ~]# salt * saltutil.sync_all
No minions matched the target. No command was sent, no jid was assigned.
ERROR: No return received
[root@t149-dut1 ~]# salt "*" saltutil.sync_all
t149-dut2.openstacklocal:
    The minion function caused an exception: Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/salt/minion.py", line 1468, in _thread_return
        return_data = executor.execute()
      File "/usr/lib/python2.7/site-packages/salt/executors/direct_call.py", line 28, in execute
        return self.func(*self.args, **self.kwargs)
      File "/usr/lib/python2.7/site-packages/salt/modules/saltutil.py", line 850, in sync_all
        ret['clouds'] = sync_clouds(saltenv, False, extmod_whitelist, extmod_blacklist)
      File "/usr/lib/python2.7/site-packages/salt/modules/saltutil.py", line 652, in sync_clouds
        ret = _sync('clouds', saltenv, extmod_whitelist, extmod_blacklist)
      File "/usr/lib/python2.7/site-packages/salt/modules/saltutil.py", line 99, in _sync
        saltenv = _get_top_file_envs()
      File "/usr/lib/python2.7/site-packages/salt/modules/saltutil.py", line 81, in _get_top_file_envs
        top = st_.get_top()
      File "/usr/lib/python2.7/site-packages/salt/state.py", line 3089, in get_top
        tops = self.get_tops()
      File "/usr/lib/python2.7/site-packages/salt/state.py", line 2787, in get_tops
        saltenv
      File "/usr/lib/python2.7/site-packages/salt/fileclient.py", line 189, in cache_file
        return self.get_url(path, '', True, saltenv, cachedir=cachedir)
      File "/usr/lib/python2.7/site-packages/salt/fileclient.py", line 495, in get_url
        result = self.get_file(url, dest, makedirs, saltenv, cachedir=cachedir)
      File "/usr/lib/python2.7/site-packages/salt/fileclient.py", line 1044, in get_file
        hash_server, stat_server = self.hash_and_stat_file(path, saltenv)
    ValueError: need more than 0 values to unpack

Master logs indicated the issue:

2020-04-30 19:51:58,435 [salt.master      :1167][ERROR   ][14140] Requested method not exposed: _file_hash_and_stat
2020-04-30 19:51:58,455 [salt.master      :1611][ERROR   ][14139] Received minion error from [t149-dut2.openstacklocal]: The minion function caused an exception

Expected behavior
The file synchronization mechanism should be able to work for masters communicating with older minions.

Screenshots
n/a

Versions Report

[root@t149-dut1 ~]# salt --versions-report
Salt Version:
           Salt: 3000.2
 
Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
         Jinja2: 2.7.2
        libgit2: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.6.2
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.5 (default, Apr  9 2019, 14:30:50)
   python-gnupg: Not Installed
         PyYAML: 3.10
          PyZMQ: 15.3.0
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.1.4
 
System Versions:
           dist: centos 7.3.1611 Core
         locale: UTF-8
        machine: x86_64
        release: 3.10.0-514.el7.x86_64
         system: Linux
        version: CentOS Linux 7.3.1611 Core
 

[root@t149-dut2 ~]# salt-minion --versions-report
Salt Version:
           Salt: 2017.7.1
 
Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.7.2
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.5 (default, Nov  6 2016, 00:28:07)
   python-gnupg: Not Installed
         PyYAML: 3.10
          PyZMQ: 15.3.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4
 
System Versions:
           dist: centos 7.3.1611 Core
         locale: UTF-8
        machine: x86_64
        release: 3.10.0-514.el7.x86_64
         system: Linux
        version: CentOS Linux 7.3.1611 Core

Additional context
After discussing on Slack, Dwoz suggested the following patch, which was able to resolve this for us when patched locally:

--- /usr/lib/python2.7/site-packages/salt/master.py.orig	2020-04-30 19:54:08.260953710 +0000
+++ /usr/lib/python2.7/site-packages/salt/master.py	2020-04-30 19:54:55.954067419 +0000
@@ -1181,6 +1181,7 @@
         'minion_publish', 'revoke_auth', 'run_func', '_serve_file',
         '_file_find', '_file_hash', '_file_find_and_stat', '_file_list',
         '_file_list_emptydirs', '_dir_list', '_symlink_list', '_file_envs',
+        '_file_hash_and_stat',
     )
 
     def __init__(self, opts):
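Review bot: the tuple of exposed method names that ends at '_file_envs' is extended by hand here with no accompanying test, so the next method an older minion requests can go missing in the same way. A test that asserts the tuple's exact contents would make every later addition or removal a deliberate, reviewed change. As a style point, '_file_hash_and_stat' would read better next to '_file_hash' and '_file_find_and_stat' than on its own line after '_file_envs'.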
@ecarson ecarson added the Bug broken, incorrect, or confusing behavior label Apr 30, 2020
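
The failure reported above, reproduced as a simplified model of an allowlist-gated dispatcher together with a coverage check for the allowlist. This is an added example, not Salt's code and not part of the original issue. `ModelMaster`, `minion_get_file`, `missing_methods`, the two release labels and the empty reply on rejection are assumptions; only the method names and the log message come from the patch and logs.

```python
# Simplified model of an allowlist-gated request dispatcher; not Salt's code.
# Method names are taken from the patch and logs above; the rest is constructed.

EXPOSED = (
    '_serve_file', '_file_find', '_file_hash', '_file_find_and_stat',
    '_file_list', '_file_list_emptydirs', '_dir_list', '_symlink_list',
    '_file_envs',
)
PATCHED = EXPOSED + ('_file_hash_and_stat',)

# Constructed sample: file-server methods two hypothetical minion releases request.
MINION_CALLS = {
    'legacy-minion': {'_file_hash_and_stat', '_serve_file', '_file_envs'},
    'current-minion': {'_file_find', '_file_hash', '_serve_file', '_file_envs'},
}


class ModelMaster:
    def __init__(self, exposed):
        self.exposed = frozenset(exposed)
        self.errors = []

    def _file_hash_and_stat(self, load):
        # Constructed reply: (hash info, stat list) for the requested path.
        return {'hsum': 'constructed', 'hash_type': 'sha256'}, [0o100644, 0, 0]

    def _internal_helper(self, load):
        # Hypothetical method that must never be reachable from a minion.
        return 'secret'

    def handle(self, cmd, load):
        if cmd not in self.exposed:
            self.errors.append('Requested method not exposed: %s' % cmd)
            return {}  # assumption: a rejected request yields an empty reply
        return getattr(self, cmd)(load)


def minion_get_file(master, path):
    # Mirrors the two-value unpack at the bottom of the traceback.
    hash_server, stat_server = master.handle('_file_hash_and_stat', {'path': path})
    return hash_server, stat_server


def missing_methods(exposed, calls_by_release):
    """Map each release to the methods it requests that the allowlist rejects."""
    gaps = {rel: sorted(set(calls) - set(exposed)) for rel, calls in calls_by_release.items()}
    return {rel: names for rel, names in gaps.items() if names}
```

Running `missing_methods` against the allowlist before a release flags the compatibility break without loosening the gate: names that are not listed, such as the hypothetical `_internal_helper`, are still refused after the patch.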
@twangboy
Contributor

Similar issue here, though a different method: #57016

@twangboy twangboy added Core relates to code central or existential to Salt severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around labels Apr 30, 2020
@twangboy twangboy added this to the Approved milestone Apr 30, 2020
@twangboy twangboy assigned twangboy and dwoz and unassigned twangboy Apr 30, 2020
@rossengeorgiev
Contributor

Tried this, and only 2017.7.0 and 2017.7.1 minions appear to be affected.

# salt-run manage.versions
Master:
    3000.2
Minion requires update:
    ----------
    ubuntu16-1.local:
        2016.11.10
    ubuntu16-2.local:
        2017.7.0
    ubuntu16-3.local:
        2017.7.1
    ubuntu16-4.local:
        2017.7.2
# salt '*' saltutil.sync_all
ubuntu16-1.local:
    ----------
    beacons:
    engines:
    grains:
    log_handlers:
    modules:
    output:
    proxymodules:
    renderers:
    returners:
    sdb:
    states:
    utils:
ubuntu16-2.local:
    The minion function caused an exception: Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/salt/minion.py", line 1466, in _thread_return
        return_data = executor.execute()
      File "/usr/lib/python2.7/dist-packages/salt/executors/direct_call.py", line 28, in execute
        return self.func(*self.args, **self.kwargs)
      File "/usr/lib/python2.7/dist-packages/salt/modules/saltutil.py", line 850, in sync_all
        ret['clouds'] = sync_clouds(saltenv, False, extmod_whitelist, extmod_blacklist)
      File "/usr/lib/python2.7/dist-packages/salt/modules/saltutil.py", line 652, in sync_clouds
        ret = _sync('clouds', saltenv, extmod_whitelist, extmod_blacklist)
      File "/usr/lib/python2.7/dist-packages/salt/modules/saltutil.py", line 99, in _sync
        saltenv = _get_top_file_envs()
      File "/usr/lib/python2.7/dist-packages/salt/modules/saltutil.py", line 81, in _get_top_file_envs
        top = st_.get_top()
      File "/usr/lib/python2.7/dist-packages/salt/state.py", line 3089, in get_top
        tops = self.get_tops()
      File "/usr/lib/python2.7/dist-packages/salt/state.py", line 2787, in get_tops
        saltenv
      File "/usr/lib/python2.7/dist-packages/salt/fileclient.py", line 189, in cache_file
        return self.get_url(path, '', True, saltenv, cachedir=cachedir)
      File "/usr/lib/python2.7/dist-packages/salt/fileclient.py", line 495, in get_url
        result = self.get_file(url, dest, makedirs, saltenv, cachedir=cachedir)
      File "/usr/lib/python2.7/dist-packages/salt/fileclient.py", line 1044, in get_file
        hash_server, stat_server = self.hash_and_stat_file(path, saltenv)
    ValueError: need more than 0 values to unpack
ubuntu16-3.local:
    The minion function caused an exception: Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/salt/minion.py", line 1468, in _thread_return
        return_data = executor.execute()
      File "/usr/lib/python2.7/dist-packages/salt/executors/direct_call.py", line 28, in execute
        return self.func(*self.args, **self.kwargs)
      File "/usr/lib/python2.7/dist-packages/salt/modules/saltutil.py", line 850, in sync_all
        ret['clouds'] = sync_clouds(saltenv, False, extmod_whitelist, extmod_blacklist)
      File "/usr/lib/python2.7/dist-packages/salt/modules/saltutil.py", line 652, in sync_clouds
        ret = _sync('clouds', saltenv, extmod_whitelist, extmod_blacklist)
      File "/usr/lib/python2.7/dist-packages/salt/modules/saltutil.py", line 99, in _sync
        saltenv = _get_top_file_envs()
      File "/usr/lib/python2.7/dist-packages/salt/modules/saltutil.py", line 81, in _get_top_file_envs
        top = st_.get_top()
      File "/usr/lib/python2.7/dist-packages/salt/state.py", line 3089, in get_top
        tops = self.get_tops()
      File "/usr/lib/python2.7/dist-packages/salt/state.py", line 2787, in get_tops
        saltenv
      File "/usr/lib/python2.7/dist-packages/salt/fileclient.py", line 189, in cache_file
        return self.get_url(path, '', True, saltenv, cachedir=cachedir)
      File "/usr/lib/python2.7/dist-packages/salt/fileclient.py", line 495, in get_url
        result = self.get_file(url, dest, makedirs, saltenv, cachedir=cachedir)
      File "/usr/lib/python2.7/dist-packages/salt/fileclient.py", line 1044, in get_file
        hash_server, stat_server = self.hash_and_stat_file(path, saltenv)
    ValueError: need more than 0 values to unpack
ubuntu16-4.local:
    ----------
    beacons:
    clouds:
    engines:
    grains:
    log_handlers:
    modules:
    output:
    proxymodules:
    renderers:
    returners:
    sdb:
    states:
    utils:

@sagetherage sagetherage added the ZRelease-Sodium retired label label May 4, 2020
dwoz added a commit to dwoz/salt that referenced this issue May 5, 2020
- Fix saltstack#57016
- Fix saltstack#57027
- Add tests for exposed methods on AESFuncs and ClearFuncs
- Add response validation for patched ClearFuncs.wheel
- Add release notes template for 2019.2.5
dwoz added a commit to dwoz/salt that referenced this issue May 6, 2020
- Fix saltstack#57016
- Fix saltstack#57027
- Add tests for exposed methods on AESFuncs and ClearFuncs
- Add response validation for patched ClearFuncs.wheel
- Add release notes template for 2019.2.5
dwoz added a commit that referenced this issue May 6, 2020
- Fix #57016
- Fix #57027
- Add tests for exposed methods on AESFuncs and ClearFuncs
- Add response validation for patched ClearFuncs.wheel
- Add release notes template for 2019.2.5
@attritionorg

Please include the CVE ID(s) being referenced.

@sagetherage sagetherage added v2019.2.5 unsupported version v3000.3 vulnerable version and removed ZRelease-Sodium retired label labels May 11, 2020