Fix CVE-2021-31607 in snapper module

In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely). Cherry-pick the fix from pull request saltstack#59648 [1], but also fix the regression introduced by that commit [2]. [1] saltstack#59648 [2] saltstack#60046 Closes: #987496 Signed-off-by: Benjamin Drung <[email protected]>
bdrung · May 12, 2021 · 1a46dd5 · 1a46dd5
1 parent a381fdc
commit 1a46dd5
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/salt/modules/snapper.py b/salt/modules/snapper.py
@@ -561,7 +561,12 @@ def _is_text_file(filename):
     """
     Checks if a file is a text file
     """
-    type_of_file = os.popen("file -bi {0}".format(filename), "r").read()
+    type_of_file = subprocess.run(
+        ["file", "-bi", filename],
+        check=False,
+        stdout=subprocess.PIPE,
+        universal_newlines=True,
+    ).stdout
     return type_of_file.startswith("text")