Bug 619016 (CVE-2017-2295) - <app-admin/puppet-4.10.1: Unsafe YAML deserialization
Summary: <app-admin/puppet-4.10.1: Unsafe YAML deserialization
Status: RESOLVED FIXED
Alias: CVE-2017-2295
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-20 08:19 UTC by Agostino Sarubbo
Modified: 2017-11-03 19:54 UTC
CC List: 3 users

See Also:
Package list:
app-admin/puppet-4.10.1 amd64 hppa x86
app-admin/puppet-agent-1.10.1 amd64 x86
dev-ruby/rgen-0.8.0 x86
dev-ruby/hiera-3.2.2 x86
dev-ruby/deep_merge-1.0.1 x86
Runtime testing required: ---
stable-bot: sanity-check+
Description Agostino Sarubbo gentoo-dev 2017-05-20 08:19:27 UTC
From ${URL} :

It was found that Puppet will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format.
This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

External References:

https://puppet.com/security/cve/cve-2017-2295


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for stabilization or not.
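The two decoding paths the advisory contrasts, as an added example that is not Puppet's own code: an unrestricted YAML load instantiates whatever Ruby class a tagged document names, while Psych's safe loader rejects it, and a wire decoder limited to PSON/JSON or safe YAML never lets the peer pick the format. `AuditRecord`, `decode_wire_payload` and the sample payload are constructed for this illustration.

```ruby
require 'psych'
require 'json'

# Constructed stand-in for any Ruby class an unrestricted loader would
# instantiate because a YAML document asked for it by tag.
class AuditRecord
  attr_accessor :note
end

# Constructed wire payload: a YAML document carrying a Ruby object tag.
TAGGED_YAML = "--- !ruby/object:AuditRecord\nnote: constructed sample\n"

# Weak path: full object instantiation driven by untrusted input.
# Psych 4 (Ruby 3.1+) moved this behaviour to Psych.unsafe_load;
# older Psych exposes it as plain Psych.load.
def load_unsafely(yaml)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

# Hardened path: only plain scalars, arrays and hashes come back;
# any tagged object raises Psych::DisallowedClass.
def load_safely(yaml)
  Psych.safe_load(yaml)
end

# Detection-style check: does the safe loader refuse this document?
def safe_load_rejects?(yaml)
  Psych.safe_load(yaml)
  false
rescue Psych::DisallowedClass
  true
end

# Wire decoder: an allow-list of formats, each bound to a safe decoder.
# The peer may name a format, but only these two are ever honoured.
DECODERS = {
  'pson' => ->(body) { JSON.parse(body) },
  'yaml' => ->(body) { Psych.safe_load(body) },
}.freeze

def decode_wire_payload(format, body)
  decoder = DECODERS.fetch(format.to_s.downcase) do
    raise ArgumentError, "unsupported wire format: #{format.inspect}"
  end
  decoder.call(body)
end
```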
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-05-20 21:38:00 UTC
yep, arches, please stabilize.
Comment 2 Stabilization helper bot gentoo-dev 2017-05-20 22:00:40 UTC
An automated check of this bug failed - the following atom is unknown:

app-admin/puppet-agent-4.10.1

Please verify the atom list.
Comment 3 Stabilization helper bot gentoo-dev 2017-05-20 23:01:17 UTC
An automated check of this bug failed - repoman reported dependency errors (17 lines truncated): 

> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: DEPEND: x86(default/linux/x86/13.0) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']
> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: RDEPEND: x86(default/linux/x86/13.0) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']
> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-05-20 23:40:02 UTC
@ruby, are you fine with those packages getting stabilized as well?
Comment 5 Hans de Graaff gentoo-dev Security 2017-05-21 05:32:28 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #4)
> @ruby, are you fine with those packages getting stabilized as well?

Note that these are only needed for x86 and x86 currently does not have a stable puppet version at all.

No problem from my side. I have updated the package list accordingly.
Comment 6 Stabilization helper bot gentoo-dev 2017-05-21 06:00:41 UTC
An automated check of this bug failed - the following atom is unknown:

dev-ruby/deep-merge-1.0.1

Please verify the atom list.
Comment 7 Agostino Sarubbo gentoo-dev 2017-05-21 09:47:37 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-05-22 09:26:16 UTC
x86 stable
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 14:36:51 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 02:31:58 UTC
stable..........
Comment 11 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-10-20 03:01:51 UTC
bman, stable hppa? (it's still cc'd)
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 03:24:45 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #11)
> bman, stable hppa? (it's still cc'd)

Yup
Comment 13 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-10-20 03:44:53 UTC
you should probably remove hppa from cc :P (I'm doing that this time)
Comment 14 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-10-20 04:18:41 UTC
readding hppa, wrong version stabilized
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-31 22:42:25 UTC
hppa stable
Comment 16 Aleksandr Wagner (Kivak) 2017-10-31 23:05:41 UTC
Stabilization done, thank you arches.

@ Maintainer(s): Please clean vulnerable versions from tree.

@ Security: Please vote on glsa.
Comment 17 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-10-31 23:15:41 UTC
cleaned up