Bug 943223 (CVE-2015-6918) - VUL-1: CVE-2015-6918: salt: git state leaking authentication details to log (CWE-532)
Summary: VUL-1: CVE-2015-6918: salt: git state leaking authentication details to log (...
Status: RESOLVED FIXED
Alias: CVE-2015-6918
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other openSUSE 13.2
: P4 - Low : Minor
Target Milestone: ---
Assignee: Niels Abspoel
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-26 07:57 UTC by Andreas Stieger
Modified: 2015-10-26 21:05 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-08-26 07:57:29 UTC 
The Salt 2015.5.5 release notes contain the following:
http://docs.saltstack.com/en/latest/topics/releases/2015.5.5.html

> PR #26486: (thusoy) Git: Don't leak https user/pw to log @ 2015-08-20T16:04:52Z
> 
>     ISSUE #26484: (thusoy) Git state leaks HTTPS user/pw to log | refs: #26486
>     ISSUE #26482: (thusoy) Git states doesn't allow user-only auth | refs: #26483
>     PR #26483: (thusoy) Handle user-only http auth in git module | refs: #26486

https://github.com/saltstack/salt/issues/26484
> Calling git.clone with https user/pass will leak the authentication details to the log.

https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
> Git: Don't leak https user/pw to log

This pretty much matches this common weakness:

CWE-532: Information Exposure Through Log Files
https://cwe.mitre.org/data/definitions/532.html
Comment 1 Andreas Stieger 2015-08-26 15:05:47 UTC 
Asked salt security team for whether they are planning an advisory.
Comment 3 Andreas Stieger 2015-08-26 15:42:39 UTC 
https://bugzilla.redhat.com/show_bug.cgi?id=1257154
Comment 4 Swamp Workflow Management 2015-08-26 22:01:08 UTC 
bugbot adjusting priority
Comment 6 Andreas Stieger 2015-08-27 17:19:51 UTC 
More fixes on this issue will be in 2015.5.6, upstream said there will be an announcement and a CVE.
Comment 7 Andreas Stieger 2015-08-27 17:20:21 UTC 
Upstream: 2014.7 branch is not vulnerable.
Comment 8 Victor Pereira 2015-09-07 12:18:45 UTC 
upstream patch https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a

Which codebase is affected?
Comment 9 Andreas Stieger 2015-09-07 12:30:06 UTC 
openSUSE:13.1 salt          0.16.4    not affected
openSUSE:13.2 salt          2014.1.11 not affected
openSUSE:Factory salt       2015.5.5  affected
devel:languages:python/salt 2015.5.5  affected
Comment 11 Niels Abspoel 2015-09-07 17:44:16 UTC 
@andreas stieger, thanks for looking into this, I will package 2015.5.6 as soon as the tarball is released
Comment 12 Niels Abspoel 2015-09-22 19:45:01 UTC 
fixed with update to version 2015.8.0

https://build.opensuse.org/request/show/333025
Comment 13 Andreas Stieger 2015-10-16 11:08:18 UTC 
This re-appeared in 2015.5.6 and 2015.8.1 release notes so there may be further fixes:
https://docs.saltstack.com/en/latest/topics/releases/2015.5.6.html
https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html

> Fix global key management for git state

We must assume openSUSE:Leap:42.1/salt 2015.8.0 to be affected.
Comment 14 Niels Abspoel 2015-10-26 20:30:09 UTC 
opensuse leap has just updated to 2015.8.1

https://build.opensuse.org/package/show?project=openSUSE%3ALeap%3A42.1&package=salt
Comment 15 Andreas Stieger 2015-10-26 21:05:27 UTC 
Brilliant, closing.