Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 410857 (CVE-2012-1906) - <app-admin/puppet-2.7.13: Multiple Vulnerabilities (CVE-2012-{1906,1986,1987,1988,1989})
Summary: <app-admin/puppet-2.7.13: Multiple Vulnerabilities (CVE-2012-{1906,1986,1987,...
Status: RESOLVED FIXED
Alias: CVE-2012-1906
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://groups.google.com/group/puppe...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-04-05 10:52 UTC by Matthew Marlowe (RETIRED)
Modified: 2012-08-14 20:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
2.7 series patch (0001-2.7-Fixes-for-CVEs-2012-1906-2012-1986-to-2012-1989.patch,22.09 KB, patch)
2012-04-05 10:52 UTC, Matthew Marlowe (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Marlowe (RETIRED) gentoo-dev 2012-04-05 10:52:27 UTC
Created attachment 307869 [details, diff]
2.7 series patch

[distro-maint] High and moderate severity vulnerabilities found in Puppet (CVEs 2012-1906, 2012-1986, 2012-1987, 2012-1988, 2012-1989) [not yet public]
gentoo
	x
Matthaus Litteken matthaus@puppetlabs.com
	
4:07 PM (11 hours ago)
		
to distro-maintai.
There have been five vulnerabilities (four high, one moderate)
discovered in Puppet (CVEs 2012-1906, 2012-1986, 2012-1987, 2012-1988,
2012-1989).  Puppet Labs is currently working with distribution
maintainers, as well as key customers to ensure we are able to patch
this vulnerability before it is exploited.

The CVEs and issues have not been made public yet. CVEs, 2012-1987,
was accidentally left public for a time in our ticket tracker for some
time. We marked it private and cleaned up the post from our
puppet-bugs google group, but it may have leaked.
We appreciate your discretion at this time. We have included patches
for 2.6.x and 2.7.x (based on 2.6.14 and 2.7.12, respectively). The
patches are mostly trivial, with the exception of the OS X package
provider fixes.

If you need help with patches for other series or versions of Puppet,
please let us know.

CVE-2012-1906 only affects the OS X package providers, and
CVE-2012-1989 only affects the 2.7.x series.

We have scripts written designed to exploit and test the patches for
these vulnerabilities. If you would like copies of those scripts,
please let us know.

# Summary #

CVE-2012-1906 (High) [#13260] - appdmg and pkgdmg providers write
packages to insecure location
 If a remote source is given for a package, the package is downloaded
to a predictable filename in /tmp.
 It is possible to create a symlink at this name and use it to
clobber any file on the system, or by switching
 the symlink install arbitrary packages (and package installers can
execute arbitrary code).

CVE-2012-1986 (High) [#13511] - Filebucket arbitrary file read
 It is possible to construct a REST request to fetch a file from a
filebucket that overrides the puppet master’s
 defined location for the files to be stored. If a user has access to
construct directories and symlinks on the
 machine they can read any file that the user the puppet master is
running as has access to.

CVE-2012-1987 (Moderate) [#13552,#13553] - Filebucket denial of service
 By constructing a marshaled form of a Puppet::FileBucket::File
object a user can cause it it to be written to
 any place on the disk of the puppet master. This could be used for a
denial of service attach against the puppet
 master if an attacker fills a filesystem that can cause systems to
stop working. In order to do this the attacker
 needs no access to the puppet master system, but does need access to
agent SSL keys.

 Using the symlink attack described in Bug #13511 the puppet master
can be caused to read from a stream
 (e.g. /dev/random) when either trying to save a file or read a file.
Because of the way in which the puppet master
 deals with sending files on the filesystem to a remote system via a
REST request the thread handling the request
 will block forever reading from that stream and continually
consuming more memory. This can lead to the puppet
 master system running out of memory and cause a denial of service.

CVE-2012-1988 (High) [#13518] - Filebucket arbitrary code execution
 This requires access to the cert on the agent and an unprivileged
account on the master.  By creating a path on
 the master in a world-writable location that matches a command
string, one can then make a file bucket request
 to execute that command.

CVE-2012-1989 (High) [#13606] - Telnet utility (used for network
devices) writes to insecure location
 The telnet.rb file opens a NET::Telnet connection with an output log
of /tmp/out.log. That log could be replaced
 by a symlink anywhere on the system and the puppet user would
happily write through the symlink, potentially
 clobbering data or worse.

# Commits in Fixes #
 2.7.x
 =========
 * 1f58ea6 Stub mktmpdir and remove_entry_secure in os x package providers
 * b7553a5 (#13260) Spec test to verify that mktmpdir is used
 * 46e8dc0 (#13260) Use mktmpdir when downloading packages
 * b36bda9 Refactor pkgdmg specs
 * 91e7ce4 Remove telnet Output_log parameter
 * 0d6d299 Fix for bucket_path security vulnerability
 * 19bd30a Removed text/marshal support

 2.6.x
 =========
 * f7829ec Stub mktmpdir and remove_entry_secure in os x package providers
 * 7ac1ec8 (#13260) Spec test to verify that mktmpdir is used
 * 0180200 Refactor pkgdmg specs
 * c51447d (#13260) Use mktmpdir when downloading packages
 * 568ded5 Fix for bucket_path security vulnerability
 * 6bef2e6 Removed text/marshal support


# Plan #

Puppet Labs is currently rebuilding tarballs and packages of Puppet.
This will result in the following new source packages:
 * Puppet 2.6.15
 * Puppet 2.7.13
 * Puppet Labs will also push to rubygems.org for those using gems.
 * Hotfixes will be released for Puppet Enterprise 1.0, 1.1, and
1.2.4, and 2.0.3.
 * Updated packages will be released with Puppet Enterprise 2.5.1.


# Action #

We (Puppet Labs) obviously would like everybody to be as protected from attacks
as possible. We have not disclosed this issue publicly yet. Our
current plan is to
have updated packages ready and disclose the vulnerabilities next Tuesday
April 10th by 6pm PST (Wed April 11, 0100 GMT).

If you have any questions or need additional clarification on
anything, please respond to distro-maintainers@puppetlabs.com.


Thanks,
Matthaus Litteken
Release Manager
Puppet Labs
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-04-05 15:08:07 UTC
Matthew, thanks for the bug.

@matsuu, please create an updated ebuild, either using the attached patch or for 2.7.13 when it is ready. Please do not commit the patch or updated ebuild to any public repo. Thank you.
Comment 2 Matthew Marlowe (RETIRED) gentoo-dev 2012-04-12 08:18:07 UTC
Security bug was publically announced along with release of 2.7.13:

http://groups.google.com/group/puppet-users/browse_thread/thread/e9049d03d9549c9
Comment 3 MATSUU Takuto (RETIRED) gentoo-dev 2012-04-12 13:36:15 UTC
2.7.13 in cvs.
please mark stable 2.7.13.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-04-12 15:35:49 UTC
Arches, please test and mark stable:
=app-admin/puppet-2.7.13
Target keywords : "amd64 hppa ppc sparc x86"
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-16 00:47:12 UTC
RepoMan scours the neighborhood...
>>> Creating Manifest for /newaches/gentoo/cvs/gentoo-x86/app-admin/puppet
  DEPEND.bad                    1
   app-admin/puppet/puppet-2.7.13.ebuild: hppa(default/linux/hppa/10.0) ['>=dev-ruby/facter-1.5.6[ruby_targets_ruby19]', 'dev-ruby/ruby-augeas[ruby_targets_ruby19]', 'dev-ruby/diff-lcs[ruby_targets_ruby19]', 'dev-ruby/rdoc[ruby_targets_ruby19]', 'dev-ruby/ruby-ldap[ruby_targets_ruby19]', 'dev-ruby/ruby-shadow[ruby_targets_ruby19]', 'dev-ruby/sqlite3-ruby[ruby_targets_ruby19]', 'virtual/ruby-ssl[ruby_targets_ruby19]', 'dev-lang/ruby:1.9', 'dev-ruby/rake[ruby_targets_ruby19]', 'virtual/rubygems[ruby_targets_ruby19]', 'virtual/rubygems[ruby_targets_ruby19]']
  RDEPEND.bad                   1
   app-admin/puppet/puppet-2.7.13.ebuild: hppa(default/linux/hppa/10.0) ['>=dev-ruby/facter-1.5.6[ruby_targets_ruby19]', 'dev-ruby/ruby-augeas[ruby_targets_ruby19]', 'dev-ruby/diff-lcs[ruby_targets_ruby19]', 'dev-ruby/rdoc[ruby_targets_ruby19]', 'dev-ruby/ruby-ldap[ruby_targets_ruby19]', 'dev-ruby/ruby-shadow[ruby_targets_ruby19]', 'dev-ruby/sqlite3-ruby[ruby_targets_ruby19]', 'virtual/ruby-ssl[ruby_targets_ruby19]', 'dev-lang/ruby:1.9', 'virtual/rubygems[ruby_targets_ruby19]']

Now we need ruby 1.9 suddenly?
Comment 6 MATSUU Takuto (RETIRED) gentoo-dev 2012-04-16 01:19:23 UTC
ok. I set USE_RUBY="ruby18" now.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-16 11:50:44 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2012-04-16 12:49:21 UTC
amd64 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-04-16 17:09:49 UTC
ppc done
Comment 10 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-04-16 20:42:50 UTC
x86 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2012-04-28 19:00:41 UTC
sparc stable
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-29 03:12:32 UTC
Thanks, everyone. Already on existing GLSA request ready for review.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 18:48:49 UTC
CVE-2012-1988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1988):
  Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise
  (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote
  authenticated users with agent SSL keys and file-creation permissions on the
  puppet master to execute arbitrary commands by creating a file whose full
  pathname contains shell metacharacters, then performing a filebucket
  request. telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE)
  1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite
  arbitrary files via a symlink attack on the NET::Telnet connection log
  (/tmp/out.log).

CVE-2012-1987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1987):
  Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before
  2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x
  before 2.5.1 allows remote authenticated users with agent SSL keys to (1)
  cause a denial of service (memory consumption) via a REST request to a
  stream that triggers a thread block, as demonstrated using CVE-2012-1986 and
  /dev/random; or (2) cause a denial of service (filesystem consumption) via
  crafted REST requests that use "a marshaled form of a
  Puppet::FileBucket::File object" to write to arbitrary file locations.

CVE-2012-1986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1986):
  Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise
  (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote
  authenticated users with an authorized SSL key and certain permissions on
  the puppet master to read arbitrary files via a symlink attack in
  conjunction with a crafted REST request for a file in a filebucket.

CVE-2012-1906 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1906):
  Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise
  (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable
  file names when installing Mac OS X packages from a remote source, which
  allows local users to overwrite arbitrary files or install arbitrary
  packages via a symlink attack on a temporary file in /tmp.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-06-27 22:56:24 UTC
CVE-2012-1989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1989):
  telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x,
  2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary
  files via a symlink attack on the NET::Telnet connection log (/tmp/out.log).
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-08-14 20:53:05 UTC
This issue was resolved and addressed in
 GLSA 201208-02 at http://security.gentoo.org/glsa/glsa-201208-02.xml
by GLSA coordinator Sean Amoss (ackle).