Bug 513290 - =dev-ruby/hiera-1.3.4 - stable/keyword request
Summary: =dev-ruby/hiera-1.3.4 - stable/keyword request
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Matthew Thode ( prometheanfire )
URL:
Whiteboard:
Keywords: KEYWORDREQ, STABLEREQ
Depends on: 505920 513430
Blocks: 513322
Reported: 2014-06-15 03:36 UTC by Matthew Thode ( prometheanfire )
Modified: 2014-12-22 13:58 UTC

See Also:
Package list:
Runtime testing required: ---


Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-15 03:36:35 UTC
***** Vulnerability Summary *****
CVE Identifier: CVE-2014-3248
Arbitrary Code Execution with Required Social Engineering

On a host on which Puppet, Mcollective, Facter, or Hiera runs on Ruby
< 1.9.2, an unprivileged user can create either a valid ruby file in a
directory mirroring the internal directory structure of the
application or a file called 'rubygems.rb' in a world-writeable
location (e.g. /tmp), convince someone with admin privileges to `cd`
into that directory and run the application, and the application will
load and execute the contents of that ruby file with privileges of the
admin user.

This is due to the fact that Ruby versions < 1.9.2 append the current
working directory to the load path of an application, and these
applications do not perform load path sanitation to remove it. Only
users running Ruby < 1.9.2 are affected. Later versions of Ruby do not
append the load path with the current working directory.

Attached are patches based on Puppet 3.6.1, Facter 2.0.1, Hiera 1.3.3,
and Mcollective 2.5.1. The fix included is to remove the current
working directory from the load path in the executables included with
each application. This should hopefully be relatively easy to apply to
other versions of this software. The Puppet patch also applies
cleanly to 2.7.25.

Note that these patches do not modify behavior at the library
level, which means that 3rd-party executables which load these
applications as libraries would still be exposed. The reasoning is
that any such executables are already exposed before they require
Puppet Labs libraries, and removing directories from the global
LOAD_PATH may have unintended consequences for 3rd-party applications
(e.g. maybe they've added "." to the LOAD_PATH explicitly).

We have assigned this vulnerability CVSSv2 score 5.9, with vector
AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:U/RC:C.

Affected software versions:
Puppet (all)
Facter 1.6.x and 2.x (1.7.x not affected)
Hiera (all)
Mcollective (all)
Puppet Enterprise 2.8.x (3.x not affected)

Resolved in pending releases:
Puppet 2.7.26* and 3.6.2
Facter 2.0.2
Hiera 1.3.4
Mcollective 2.5.2
Puppet Enterprise 2.8.7

Reproducible: Always
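The load-path sanitation the advisory describes, written out as an added Ruby example; this is not the Puppet Labs patch and not code from this bug report. `sanitize_load_path`, `cwd_in_load_path?` and the sample load path are constructed here for illustration.

```ruby
# Added example, not Puppet Labs' patch: the load-path sanitation the
# advisory describes, as standalone functions an executable can call
# before its first `require`. Ruby < 1.9.2 appended the current working
# directory to $LOAD_PATH, so a relative `require` could resolve to a
# file in the cwd; the mitigation is to drop every entry that points there.

# Return a copy of +load_path+ without entries that resolve to +cwd+.
# Covers the literal ".", the empty string (also treated as cwd), and
# absolute or unnormalized spellings of the working directory.
def sanitize_load_path(load_path, cwd = Dir.pwd)
  cwd_abs = File.expand_path(cwd)
  load_path.reject do |entry|
    entry == "" || entry == "." || File.expand_path(entry, cwd) == cwd_abs
  end
end

# Audit helper: true if any entry of +load_path+ resolves to +cwd+,
# i.e. a relative require could pick up a file from the working directory.
def cwd_in_load_path?(load_path, cwd = Dir.pwd)
  sanitize_load_path(load_path, cwd).length != load_path.length
end

# Apply the sanitation in place to the running interpreter's load path.
def sanitize_current_load_path!
  $LOAD_PATH.replace(sanitize_load_path($LOAD_PATH, Dir.pwd))
end

# Constructed sample: a load path shaped like a pre-1.9.2 interpreter's,
# with "." appended at the end.
SAMPLE_LOAD_PATH = [
  "/usr/lib/ruby/site_ruby/1.8",
  "/usr/lib/ruby/1.8",
  ".",
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "cwd reachable: #{cwd_in_load_path?(SAMPLE_LOAD_PATH, '/tmp')}"
  puts "sanitized:     #{sanitize_load_path(SAMPLE_LOAD_PATH, '/tmp').inspect}"
end
```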
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-15 03:38:21 UTC
Arches, please stabilize the following

=dev-ruby/hiera-1.3.4 amd64 hppa ppc sparc x86

sparc, I know that this means a keyword req at the same time :(
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-15 15:32:22 UTC
I think you need an intermediate ebuild that excludes IUSE=ruby_targets_ruby21.

RepoMan scours the neighborhood...
>>> Creating Manifest for /newaches/gentoo/cvs/gentoo-x86/dev-ruby/hiera
  dependency.bad                2
   dev-ruby/hiera/hiera-1.3.4.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['dev-ruby/mocha[ruby_targets_ruby20]', 'dev-ruby/mocha[ruby_targets_ruby21]', 'dev-ruby/json[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'dev-ruby/rspec:2[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]', 'virtual/rubygems[ruby_targets_ruby21]']
   dev-ruby/hiera/hiera-1.3.4.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['dev-ruby/json[ruby_targets_ruby21]', 'dev-lang/ruby:2.1', 'virtual/rubygems[ruby_targets_ruby21]']
Comment 3 Hans de Graaff gentoo-dev Security 2014-06-16 05:38:16 UTC
Note that this security bug does not affect Gentoo since we removed <dev-lang/ruby-1.9.2 some time ago and we do not install for jruby 1.6.

Stabling this version will also require additional stable bugs to be handled: bug 505920 and bug 513430
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-17 13:21:07 UTC
(In reply to Hans de Graaff from comment #3)
> Note that this security bug does not affect Gentoo since we removed
> <dev-lang/ruby-1.9.2 some time ago and we do not install for jruby 1.6.
> 
> Stabling this version will also require additional stable bugs to be
> handled: bug 505920 and bug 513430

So this is not a security bug report?
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-30 05:31:35 UTC
how goes the stablereq?
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-09 10:30:46 UTC
Stable for HPPA.
Comment 7 Manuel Rüger (RETIRED) gentoo-dev 2014-08-25 16:15:03 UTC
Stable on amd64
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-09-19 14:48:48 UTC
stable?
Comment 9 Agostino Sarubbo gentoo-dev 2014-09-20 21:21:57 UTC
The ppc team is unable to work in this way. There are tens of blocker/depends on. As said multiple times, please open _one_ bug with a complete list where repoman does not complain about missing depends and does not complain about missing ebuilds with some ruby_targets. Thanks
Comment 10 Agostino Sarubbo gentoo-dev 2014-09-20 21:25:39 UTC
The ppc64 team is unable to work in this way. There are tens of blocker/depends on. As said multiple times, please open _one_ bug with a complete list where repoman does not complain about missing depends and does not complain about missing ebuilds with some ruby_targets. Thanks
Comment 11 Agostino Sarubbo gentoo-dev 2014-09-20 21:27:32 UTC
The sparc team is unable to work in this way. There are tens of blocker/depends on. As said multiple times, please open _one_ bug with a complete list where repoman does not complain about missing depends and does not complain about missing ebuilds with some ruby_targets. Thanks
Comment 12 Agostino Sarubbo gentoo-dev 2014-09-20 21:39:42 UTC
The x86 team is unable to work in this way. There are tens of blocker/depends on. As said multiple times, please open _one_ bug with a complete list where repoman does not complain about missing depends and does not complain about missing ebuilds with some ruby_targets. Thanks
Comment 13 Hans de Graaff gentoo-dev Security 2014-12-20 07:26:28 UTC
Stable dependencies are now in place:

=dev-ruby/hiera-1.3.4
Comment 14 Agostino Sarubbo gentoo-dev 2014-12-22 13:57:07 UTC
x86 stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-12-22 13:57:21 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-12-22 13:58:42 UTC
sparc stable. Closing.