Created attachment 307869: 2.7 series patch

[distro-maint] High and moderate severity vulnerabilities found in Puppet (CVEs 2012-1906, 2012-1986, 2012-1987, 2012-1988, 2012-1989) [not yet public]
Matthaus Litteken matthaus@puppetlabs.com 4:07 PM (11 hours ago) to distro-maintai.

There have been five vulnerabilities (four high, one moderate) discovered in Puppet (CVEs 2012-1906, 2012-1986, 2012-1987, 2012-1988, 2012-1989). Puppet Labs is currently working with distribution maintainers, as well as key customers, to ensure we are able to patch this vulnerability before it is exploited.

The CVEs and issues have not been made public yet. One of the CVEs, 2012-1987, was accidentally left public in our ticket tracker for some time. We marked it private and cleaned up the post from our puppet-bugs Google group, but it may have leaked. We appreciate your discretion at this time.

We have included patches for 2.6.x and 2.7.x (based on 2.6.14 and 2.7.12, respectively). The patches are mostly trivial, with the exception of the OS X package provider fixes. If you need help with patches for other series or versions of Puppet, please let us know. CVE-2012-1906 only affects the OS X package providers, and CVE-2012-1989 only affects the 2.7.x series.

We have written scripts designed to exploit and test the patches for these vulnerabilities. If you would like copies of those scripts, please let us know.

# Summary #

CVE-2012-1906 (High) [#13260] - appdmg and pkgdmg providers write packages to insecure location
If a remote source is given for a package, the package is downloaded to a predictable filename in /tmp. It is possible to create a symlink at this name and use it to clobber any file on the system, or by switching the symlink install arbitrary packages (and package installers can execute arbitrary code).

CVE-2012-1986 (High) [#13511] - Filebucket arbitrary file read
It is possible to construct a REST request to fetch a file from a filebucket that overrides the puppet master's defined location for the files to be stored. If a user has access to construct directories and symlinks on the machine they can read any file that the user the puppet master is running as has access to.

CVE-2012-1987 (Moderate) [#13552,#13553] - Filebucket denial of service
By constructing a marshaled form of a Puppet::FileBucket::File object a user can cause it to be written to any place on the disk of the puppet master. This could be used for a denial of service attack against the puppet master if an attacker fills a filesystem, which can cause systems to stop working. In order to do this the attacker needs no access to the puppet master system, but does need access to agent SSL keys.
Using the symlink attack described in Bug #13511 the puppet master can be caused to read from a stream (e.g. /dev/random) when either trying to save a file or read a file. Because of the way in which the puppet master deals with sending files on the filesystem to a remote system via a REST request, the thread handling the request will block forever reading from that stream and continually consuming more memory. This can lead to the puppet master system running out of memory and cause a denial of service.

CVE-2012-1988 (High) [#13518] - Filebucket arbitrary code execution
This requires access to the cert on the agent and an unprivileged account on the master. By creating a path on the master in a world-writable location that matches a command string, one can then make a file bucket request to execute that command.

CVE-2012-1989 (High) [#13606] - Telnet utility (used for network devices) writes to insecure location
The telnet.rb file opens a NET::Telnet connection with an output log of /tmp/out.log. That log could be replaced by a symlink anywhere on the system and the puppet user would happily write through the symlink, potentially clobbering data or worse.

# Commits in Fixes #

2.7.x
=========
* 1f58ea6 Stub mktmpdir and remove_entry_secure in os x package providers
* b7553a5 (#13260) Spec test to verify that mktmpdir is used
* 46e8dc0 (#13260) Use mktmpdir when downloading packages
* b36bda9 Refactor pkgdmg specs
* 91e7ce4 Remove telnet Output_log parameter
* 0d6d299 Fix for bucket_path security vulnerability
* 19bd30a Removed text/marshal support

2.6.x
=========
* f7829ec Stub mktmpdir and remove_entry_secure in os x package providers
* 7ac1ec8 (#13260) Spec test to verify that mktmpdir is used
* 0180200 Refactor pkgdmg specs
* c51447d (#13260) Use mktmpdir when downloading packages
* 568ded5 Fix for bucket_path security vulnerability
* 6bef2e6 Removed text/marshal support

# Plan #

Puppet Labs is currently rebuilding tarballs and packages of Puppet. This will result in the following new source packages:
* Puppet 2.6.15
* Puppet 2.7.13
* Puppet Labs will also push to rubygems.org for those using gems.
* Hotfixes will be released for Puppet Enterprise 1.0, 1.1, and 1.2.4, and 2.0.3.
* Updated packages will be released with Puppet Enterprise 2.5.1.

# Action #

We (Puppet Labs) obviously would like everybody to be as protected from attacks as possible. We have not disclosed this issue publicly yet. Our current plan is to have updated packages ready and disclose the vulnerabilities next Tuesday April 10th by 6pm PST (Wed April 11, 0100 GMT). If you have any questions or need additional clarification on anything, please respond to distro-maintainers@puppetlabs.com.

Thanks,
Matthaus Litteken
Release Manager
Puppet Labs
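As an added illustration (not Puppet's own code, nor the patch attached here) of the CVE-2012-1906 bug class and of the mktmpdir fix named in the commit list above: the predictable-path pattern, a check that refuses to write through a planted symlink, and the hardened download. All function names are hypothetical.

```ruby
require "tmpdir"

# Insecure pattern behind CVE-2012-1906: the download target is a fixed,
# predictable name in a shared directory, so any local user can place a
# symlink there beforehand and redirect the write to an arbitrary file.
def predictable_destination(package_name, shared_dir = Dir.tmpdir)
  File.join(shared_dir, package_name)
end

# Defensive check for such a destination: refuse to write through an
# existing symlink, or over a file owned by another user.
def unsafe_destination?(path)
  return true if File.symlink?(path)          # dangling links included
  return false unless File.exist?(path)       # nothing there yet
  File.stat(path).uid != Process.uid          # someone else's file
end

# Hardened pattern matching the fix commits ("Use mktmpdir when
# downloading packages"): a fresh mode-0700 directory with an unguessable
# name, and the file opened with O_EXCL so a pre-existing entry is never
# followed. Yields the file path and the directory mode, returns the
# block's result, and removes the directory afterwards. Running the
# package installer is left to the caller's block.
def download_securely(package_name, payload)
  Dir.mktmpdir("puppet-pkg") do |dir|
    dest = File.join(dir, File.basename(package_name))
    flags = File::WRONLY | File::CREAT | File::EXCL
    File.open(dest, flags, 0o600) { |f| f.write(payload) }
    yield dest, File.stat(dir).mode & 0o777
  end
end
```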
Matthew, thanks for the bug. @matsuu, please create an updated ebuild, either using the attached patch or for 2.7.13 when it is ready. Please do not commit the patch or updated ebuild to any public repo. Thank you.
Security bug was publicly announced along with release of 2.7.13: http://groups.google.com/group/puppet-users/browse_thread/thread/e9049d03d9549c9
2.7.13 in cvs. please mark stable 2.7.13.
Arches, please test and mark stable: =app-admin/puppet-2.7.13 Target keywords : "amd64 hppa ppc sparc x86"
RepoMan scours the neighborhood...
>>> Creating Manifest for /newaches/gentoo/cvs/gentoo-x86/app-admin/puppet
  DEPEND.bad                    1
   app-admin/puppet/puppet-2.7.13.ebuild: hppa(default/linux/hppa/10.0) ['>=dev-ruby/facter-1.5.6[ruby_targets_ruby19]', 'dev-ruby/ruby-augeas[ruby_targets_ruby19]', 'dev-ruby/diff-lcs[ruby_targets_ruby19]', 'dev-ruby/rdoc[ruby_targets_ruby19]', 'dev-ruby/ruby-ldap[ruby_targets_ruby19]', 'dev-ruby/ruby-shadow[ruby_targets_ruby19]', 'dev-ruby/sqlite3-ruby[ruby_targets_ruby19]', 'virtual/ruby-ssl[ruby_targets_ruby19]', 'dev-lang/ruby:1.9', 'dev-ruby/rake[ruby_targets_ruby19]', 'virtual/rubygems[ruby_targets_ruby19]', 'virtual/rubygems[ruby_targets_ruby19]']
  RDEPEND.bad                   1
   app-admin/puppet/puppet-2.7.13.ebuild: hppa(default/linux/hppa/10.0) ['>=dev-ruby/facter-1.5.6[ruby_targets_ruby19]', 'dev-ruby/ruby-augeas[ruby_targets_ruby19]', 'dev-ruby/diff-lcs[ruby_targets_ruby19]', 'dev-ruby/rdoc[ruby_targets_ruby19]', 'dev-ruby/ruby-ldap[ruby_targets_ruby19]', 'dev-ruby/ruby-shadow[ruby_targets_ruby19]', 'dev-ruby/sqlite3-ruby[ruby_targets_ruby19]', 'virtual/ruby-ssl[ruby_targets_ruby19]', 'dev-lang/ruby:1.9', 'virtual/rubygems[ruby_targets_ruby19]']

Now we need ruby 1.9 suddenly?
ok. I set USE_RUBY="ruby18" now.
Stable for HPPA.
amd64 stable
ppc done
x86 stable
sparc stable
Thanks, everyone. Already on existing GLSA request ready for review.
CVE-2012-1988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1988): Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.

CVE-2012-1987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1987): Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.

CVE-2012-1986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1986): Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.
CVE-2012-1906 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1906): Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp.
CVE-2012-1989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1989): telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log).
This issue was resolved and addressed in GLSA 201208-02 at http://security.gentoo.org/glsa/glsa-201208-02.xml by GLSA coordinator Sean Amoss (ackle).