File fix-cve-2020-25592-and-add-tests-bsc-1178319.patch of Package salt.20998
From bc7acab857b952353a959339b06c79d851a9d879 Mon Sep 17 00:00:00 2001
From: "Daniel A. Wozniak" <dwozniak@saltstack.com>
Date: Wed, 16 Sep 2020 00:25:10 +0000
Subject: [PATCH] Fix CVE-2020-25592 and add tests (bsc#1178319)
Properly validate eauth credentials and tokens on SSH calls made by Salt API
(bsc#1178319) (bsc#1178362) (bsc#1178361) (CVE-2020-25592) (CVE-2020-17490) (CVE-2020-16846)
---
 salt/netapi/__init__.py                 | 43 +++++++++++++++++++++++++
 tests/integration/netapi/test_client.py | 13 ++++++--
 2 files changed, 53 insertions(+), 3 deletions(-)
diff --git a/salt/netapi/__init__.py b/salt/netapi/__init__.py
index dec19b37ef..cba1ec574f 100644
--- a/salt/netapi/__init__.py
+++ b/salt/netapi/__init__.py
@@ -109,6 +109,49 @@ class NetapiClient:
                 "Authorization error occurred."
             )
 
+    def _prep_auth_info(self, clear_load):
+        sensitive_load_keys = []
+        key = None
+        if "token" in clear_load:
+            auth_type = "token"
+            err_name = "TokenAuthenticationError"
+            sensitive_load_keys = ["token"]
+            return auth_type, err_name, key, sensitive_load_keys
+        elif "eauth" in clear_load:
+            auth_type = "eauth"
+            err_name = "EauthAuthenticationError"
+            sensitive_load_keys = ["username", "password"]
+            return auth_type, err_name, key, sensitive_load_keys
+        raise salt.exceptions.EauthAuthenticationError(
+            "No authentication credentials given"
+        )
+
+    def _authorize_ssh(self, low):
+        auth_type, err_name, key, sensitive_load_keys = self._prep_auth_info(low)
+        auth_check = self.loadauth.check_authentication(low, auth_type, key=key)
+        auth_list = auth_check.get("auth_list", [])
+        error = auth_check.get("error")
+        if error:
+            raise salt.exceptions.EauthAuthenticationError(error)
+        delimiter = low.get("kwargs", {}).get("delimiter", DEFAULT_TARGET_DELIM)
+        _res = self.ckminions.check_minions(
+            low["tgt"], low.get("tgt_type", "glob"), delimiter
+        )
+        minions = _res.get("minions", list())
+        missing = _res.get("missing", list())
+        authorized = self.ckminions.auth_check(
+            auth_list,
+            low["fun"],
+            low.get("arg", []),
+            low["tgt"],
+            low.get("tgt_type", "glob"),
+            minions=minions,
+        )
+        if not authorized:
+            raise salt.exceptions.EauthAuthenticationError(
+                "Authorization error occurred."
+            )
+
     def run(self, low):
         """
         Execute the specified function in the specified client by passing the
diff --git a/tests/integration/netapi/test_client.py b/tests/integration/netapi/test_client.py
index 70471d3148..9eb6e52920 100644
--- a/tests/integration/netapi/test_client.py
+++ b/tests/integration/netapi/test_client.py
@@ -15,10 +15,12 @@ from tests.support.helpers import (
     SKIP_IF_NOT_RUNNING_PYTEST,
     SaveRequestsPostHandler,
     Webserver,
+    requires_sshd_server,
     slowTest,
 )
 from tests.support.mixins import AdaptedConfigurationTestCaseMixin
 from tests.support.mock import patch
+from tests.support.paths import TMP, TMP_CONF_DIR
 from tests.support.runtests import RUNTIME_VARS
 from tests.support.unit import TestCase, skipIf
 
@@ -178,7 +180,12 @@ class NetapiSSHClientTest(SSHCase):
         """
         opts = AdaptedConfigurationTestCaseMixin.get_config("client_config").copy()
         self.netapi = salt.netapi.NetapiClient(opts)
-        self.priv_file = os.path.join(RUNTIME_VARS.TMP_SSH_CONF_DIR, "client_key")
+        opts = salt.config.client_config(os.path.join(TMP_CONF_DIR, "master"))
+        naopts = copy.deepcopy(opts)
+        naopts["ignore_host_keys"] = True
+        self.netapi = salt.netapi.NetapiClient(naopts)
+
+        self.priv_file = os.path.join(RUNTIME_VARS.TMP_CONF_DIR, "key_test")
         self.rosters = os.path.join(RUNTIME_VARS.TMP_CONF_DIR)
         self.roster_file = os.path.join(self.rosters, "roster")
 
@@ -325,7 +332,7 @@ class NetapiSSHClientTest(SSHCase):
             "roster": "cache",
             "client": "ssh",
             "tgt": "root|id>{} #@127.0.0.1".format(path),
-            "roster_file": self.roster_file,
+            "roster_file": "/tmp/salt-tests-tmpdir/config/roaster",
             "rosters": "/",
             "fun": "test.ping",
             "eauth": "auto",
@@ -355,7 +362,7 @@ class NetapiSSHClientTest(SSHCase):
             "eauth": "auto",
             "username": "saltdev_auto",
             "password": "saltdev",
-            "roster_file": self.roster_file,
+            "roster_file": "/tmp/salt-tests-tmpdir/config/roaster",
             "rosters": "/",
             "ssh_options": ["|id>{} #".format(path), "lol"],
         }
-- 
2.29.2