Puppet Labs has become aware of security vulnerabilities in Puppet, Mcollective, Facter, and Hiera. We are working with distribution maintainers and key customers to ensure we are able to patch the vulnerabilities before any are exploited. The vulnerabilities in this email have not been publicly disclosed. They were reported to us externally. We appreciate your consideration to the sensitivity of this information, and respectfully ask that you refrain from publicly disclosing the contents of this email until our planned disclosure date, Thursday, May 29, 2014, at 18:00 UTC. On this date we plan to release updated packages along with a public disclosure. ***** Vulnerability Summary ***** CVE Identifier: CVE-2014-3248 Arbitrary Code Execution with Required Social Engineering On a host on which Puppet, Mcollective, Facter, or Hiera runs on Ruby < 1.9.2, an unprivileged user can create either a valid ruby file in a directory mirroring the internal directory structure of the application or a file called 'rubygems.rb' in a world-writeable location (e.g. /tmp), convince someone with admin privileges to `cd` into that directory and run the application, and the application will load and execute the contents of that ruby file with privileges of the admin user. This is due to the fact that Ruby versions < 1.9.2 append the current working directory to the load path of an application, and these applications do not perform load path sanitation to remove it. Only users running Ruby < 1.9.2 are affected. Later versions of Ruby do not append the load path with the current working directory. Attached are patches based on Puppet 3.6.1, Facter 2.0.1, Hiera 1.3.3, and Mcollective 2.5.1. The fix included is to remove the current working directory from the load path in the executables included with each application. This should hopefully be relatively easy to apply to other versions of these software. The Puppet patch also applies cleanly to 2.7.25. Note that these patches do not do modify behavior at the library level, which means that 3rd-party executables which load these applications as libraries would still be exposed. The reasoning is that any such executables are already exposed before they require Puppet Labs libraries, and removing directories from the global LOAD_PATH may have unintended consequences for 3rd-party applications (e.g. maybe they've added "." to the LOAD_PATH explicitly). We have assigned this vulnerability CVSSv2 score 5.9, with vector AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:U/RC:C. Affected software versions: Puppet (all) Facter 1.6.x and 2.x (1.7.x not affected) Hiera (all) Mcollective (all) Puppet Enterprise 2.8.x (3.x not affected) Resolved in pending releases: Puppet 2.7.26* and 3.6.2 Facter 2.0.2 Hiera 1.3.4 Mcollective 2.5.2 Puppet Enterprise 2.8.7 Patches for remediation: Puppet: puppet-3.6.1-remove-current-directory-from-Ruby-load-path.patch Facter: facter-2.0.1-remove-current-directory-from-Ruby-load-path Hiera: hiera-1.3.3-remove-current-directory-from-Ruby-load-path.patch Mcollective: mcollective-2.5.1-remove-current-directory-from-Ruby-load-path.patch CVE Identifier: CVE-2014-3250 Information Leakage In Apache 2.4, SSLCARevocationCheck directive was added to mod_ssl, which defaults it to none and must be explicitly configured. This setting enables checking of a certificate revocation list. The default Puppet master vhost config shipped with Puppet does not include this setting. If a Puppet master is set up to run with Apache 2.4, and this default vhost configuration file is used, the Puppet master will continue to honor a host's certificate even after it is revoked. This file is used in the puppetmaster-passenger deb package shipped by Puppet Labs, which configures a Puppet master in this manner. This vulnerability only applies to users running Apache 2.4. Attached is a patch to Puppet 3.6.1 which adds the setting (commented out by default) and then enables it in the puppetmaster-passenger package for configurations running Apache 2.4 and later. This will not be addressed in Puppet 2.7.26 release. We have assigned this vulnerability CVSSv2 score 3.6 with vector AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:U/RC:C. Affected software versions: Puppet (all) Resolved in pending releases: Puppet 3.6.2 Patch for remediation: puppet-3.6.1-Apache-2.4-requires-explicit-CRL.patch * The Puppet 2.7.x series is officially end of life, but continues to be maintained by community members. Along with Puppet 3.6.2, a "community" release of Puppet 2.7.26 will be issued on our stated disclosure date which addresses the Ruby load path issue. -- Moses Mendoza Puppet Labs Reproducible: Always
CVE-2014-3248 does not apply to us since we no longer have these old ruby versions around (well, technically our jruby 1.6 version behaves the same as ruby < 1.9.2 did, but we don't install puppet for it).
Arches please test and mark stable: =app-admin/puppet-2.7.25 =app-admin/puppet-3.6.2 target KEYWORDS="amd64 hppa ppc sparc x86"
How did this happen? RepoMan scours the neighborhood... dependency.bad 42 app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/kde) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/kde) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/kde/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/kde/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/developer) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/developer) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/gnome) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/gnome) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/gnome/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/gnome/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/kde) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/kde) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/kde/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/kde/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/developer) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/developer) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/desktop) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/desktop) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/desktop/gnome) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/desktop/gnome) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/desktop/gnome/systemd) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/desktop/gnome/systemd) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/desktop/kde) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/desktop/kde) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/desktop/kde/systemd) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/desktop/kde/systemd) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/developer) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]'] app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/developer) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
Also this: These are the packages that would be merged: Calculating dependencies... done! [ebuild U ~] app-admin/puppet-3.6.2 [2.7.25] USE="augeas diff doc emacs ldap rrdtool shadow sqlite3 {test} vim-syntax xemacs -minimal (-selinux)" RUBY_TARGETS="ruby19 ruby20%*" 0 kB [ebuild U ~] dev-ruby/ruby-ldap-0.9.16 [0.9.12] USE="doc%* ssl {-test}" RUBY_TARGETS="ruby19 ruby20%* -ruby21%" 0 kB [ebuild U ~] dev-ruby/ruby-shadow-2.3.4 [2.1.4] USE="{test}" RUBY_TARGETS="ruby19 ruby20%* -ruby21%" 11 kB [ebuild N ~] dev-ruby/rgen-0.6.6-r1 USE="doc {test}" RUBY_TARGETS="ruby19 ruby20 -ruby21" 272 kB [ebuild U ~] dev-ruby/facter-2.0.2 [1.7.1-r1] USE="pciutils {test} virt%* (-dmi)" RUBY_TARGETS="ruby19 ruby20%* (-jruby)" 194 kB [ebuild U ~] dev-ruby/ruby-augeas-0.5.0-r1 [0.4.1] USE="doc {test}" RUBY_TARGETS="ruby19 ruby20%* -ruby21%" 24 kB [ebuild U ~] dev-ruby/sqlite3-1.3.9-r1 [1.3.6] USE="doc {test}" RUBY_TARGETS="ruby19 ruby20%* -ruby21%" 60 kB Total: 7 packages (6 upgrades, 1 new), Size of downloads: 559 kB The following keyword changes are necessary to proceed: (see "package.accept_keywords" in the portage(5) man page for more details) # required by app-admin/puppet-3.6.2[ruby_targets_ruby20,augeas,test] # required by @selected # required by @world (argument) =dev-ruby/ruby-augeas-0.5.0-r1 ~hppa # required by app-admin/puppet-3.6.2[ruby_targets_ruby19,test,ldap] # required by @selected # required by @world (argument) =dev-ruby/ruby-ldap-0.9.16 ~hppa # required by app-admin/puppet-3.6.2[shadow,ruby_targets_ruby20,test] # required by @selected # required by @world (argument) =dev-ruby/ruby-shadow-2.3.4 ~hppa # required by app-admin/puppet-3.6.2[ruby_targets_ruby19,test] # required by @selected # required by @world (argument) =dev-ruby/rgen-0.6.6-r1 ~hppa # required by app-admin/puppet-3.6.2[ruby_targets_ruby20,test] # required by @selected # required by @world (argument) =dev-ruby/facter-2.0.2 ~hppa # required by app-admin/puppet-3.6.2[ruby_targets_ruby20,sqlite3,test] # required by @selected # required by @world (argument) =dev-ruby/sqlite3-1.3.9-r1 ~hppa
ping
since noone has answered, I'm trying to build a list of needed packages. At some point I see that is needed dev-ruby/ruby-augeas[ruby_targets_ruby20]. Keywords for dev-ruby/ruby-augeas: | | u | | a a a p s | n | | l m r h i m m p s p | u s | r | p d a m p a 6 i p c 3 a x | s l | e | h 6 r 6 p 6 8 p p 6 9 s r 8 | e o | p | a 4 m 4 a 4 k s c 4 0 h c 6 | d t | o ---------+-----------------------------+-----+------- 0.4.1 | o + o o + + o o + o o o + + | o 0 | gentoo 0.5.0 | o ~ o o ~ ~ o o ~ o o o ~ + | o | gentoo 0.5.0-r1 | o ~ o o ~ ~ o o ~ o o o ~ ~ | o | gentoo 0.5.0 has only ruby19 and not ruby20 0.5.0-r1 has ruby19, ruby20, ruby21(which can't go stable) So we need a version that does not include ruby21 or make some mask(s).
ok, removed ruby21 in =dev-ruby/ruby-augeas-0.5.0-r2 anything else needed?
(In reply to Matthew Thode ( prometheanfire ) from comment #7) > ok, removed ruby21 in =dev-ruby/ruby-augeas-0.5.0-r2 > > anything else needed? the same problem is with ruby-ldap. Is missing a version with ruby20 and not ruby21
fixed the ldap problem, still waiting on virt-what though....
We need also a ruby-shadow version with ruby20 and without ruby21
would it be easier to just change the ruby dep for this version to be <=2.0
(In reply to Matthew Thode ( prometheanfire ) from comment #0) > On a host on which Puppet, Mcollective, Facter, or Hiera runs on Ruby > < 1.9.2, > This is due to the fact that Ruby versions < 1.9.2 append the current > working directory to the load path of an application If I understand correctly the bug is valid with <ruby-1.9.2 which is not in our tree. So, is this bug/stabilization needed?
even if not needed, I'd like to see it marked stable, since upstream isn't really supporting the current stable 3.x release anymore.
Finally, this bug is invalid because it is reproducible with a ruby version not anymore in the tree.
(In reply to Agostino Sarubbo from comment #14) > Finally, this bug is invalid because it is reproducible with a ruby version > not anymore in the tree. What does that mean?
