Bug 410857 (CVE-2012-1906)

Summary:

<app-admin/puppet-2.7.13: Multiple Vulnerabilities (CVE-2012-{1906,1986,1987,1988,1989})

Product:

Gentoo Security

Reporter:

Matthew Marlowe (RETIRED) <mattm>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

normal

CC:

matsuu, mattm

Priority:

Normal

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

https://groups.google.com/group/puppet-users/browse_thread/thread/e9049d03d9549c9?pli=1

Whiteboard:

B1 [glsa]

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
2.7 series patch	none

Description Matthew Marlowe (RETIRED) gentoo-dev

2012-04-05 10:52:27 UTC

Created attachment 307869 [details, diff]
2.7 series patch

[distro-maint] High and moderate severity vulnerabilities found in Puppet (CVEs 2012-1906, 2012-1986, 2012-1987, 2012-1988, 2012-1989) [not yet public]
gentoo
	x
Matthaus Litteken matthaus@puppetlabs.com
	
4:07 PM (11 hours ago)
		
to distro-maintai.
There have been five vulnerabilities (four high, one moderate)
discovered in Puppet (CVEs 2012-1906, 2012-1986, 2012-1987, 2012-1988,
2012-1989).  Puppet Labs is currently working with distribution
maintainers, as well as key customers to ensure we are able to patch
this vulnerability before it is exploited.

The CVEs and issues have not been made public yet. CVEs, 2012-1987,
was accidentally left public for a time in our ticket tracker for some
time. We marked it private and cleaned up the post from our
puppet-bugs google group, but it may have leaked.
We appreciate your discretion at this time. We have included patches
for 2.6.x and 2.7.x (based on 2.6.14 and 2.7.12, respectively). The
patches are mostly trivial, with the exception of the OS X package
provider fixes.

If you need help with patches for other series or versions of Puppet,
please let us know.

CVE-2012-1906 only affects the OS X package providers, and
CVE-2012-1989 only affects the 2.7.x series.

We have scripts written designed to exploit and test the patches for
these vulnerabilities. If you would like copies of those scripts,
please let us know.

# Summary #

CVE-2012-1906 (High) [#13260] - appdmg and pkgdmg providers write
packages to insecure location
 If a remote source is given for a package, the package is downloaded
to a predictable filename in /tmp.
 It is possible to create a symlink at this name and use it to
clobber any file on the system, or by switching
 the symlink install arbitrary packages (and package installers can
execute arbitrary code).

CVE-2012-1986 (High) [#13511] - Filebucket arbitrary file read
 It is possible to construct a REST request to fetch a file from a
filebucket that overrides the puppet master’s
 defined location for the files to be stored. If a user has access to
construct directories and symlinks on the
 machine they can read any file that the user the puppet master is
running as has access to.

CVE-2012-1987 (Moderate) [#13552,#13553] - Filebucket denial of service
 By constructing a marshaled form of a Puppet::FileBucket::File
object a user can cause it it to be written to
 any place on the disk of the puppet master. This could be used for a
denial of service attach against the puppet
 master if an attacker fills a filesystem that can cause systems to
stop working. In order to do this the attacker
 needs no access to the puppet master system, but does need access to
agent SSL keys.

 Using the symlink attack described in Bug #13511 the puppet master
can be caused to read from a stream
 (e.g. /dev/random) when either trying to save a file or read a file.
Because of the way in which the puppet master
 deals with sending files on the filesystem to a remote system via a
REST request the thread handling the request
 will block forever reading from that stream and continually
consuming more memory. This can lead to the puppet
 master system running out of memory and cause a denial of service.

CVE-2012-1988 (High) [#13518] - Filebucket arbitrary code execution
 This requires access to the cert on the agent and an unprivileged
account on the master.  By creating a path on
 the master in a world-writable location that matches a command
string, one can then make a file bucket request
 to execute that command.

CVE-2012-1989 (High) [#13606] - Telnet utility (used for network
devices) writes to insecure location
 The telnet.rb file opens a NET::Telnet connection with an output log
of /tmp/out.log. That log could be replaced
 by a symlink anywhere on the system and the puppet user would
happily write through the symlink, potentially
 clobbering data or worse.

# Commits in Fixes #
 2.7.x
 =========
 * 1f58ea6 Stub mktmpdir and remove_entry_secure in os x package providers
 * b7553a5 (#13260) Spec test to verify that mktmpdir is used
 * 46e8dc0 (#13260) Use mktmpdir when downloading packages
 * b36bda9 Refactor pkgdmg specs
 * 91e7ce4 Remove telnet Output_log parameter
 * 0d6d299 Fix for bucket_path security vulnerability
 * 19bd30a Removed text/marshal support

 2.6.x
 =========
 * f7829ec Stub mktmpdir and remove_entry_secure in os x package providers
 * 7ac1ec8 (#13260) Spec test to verify that mktmpdir is used
 * 0180200 Refactor pkgdmg specs
 * c51447d (#13260) Use mktmpdir when downloading packages
 * 568ded5 Fix for bucket_path security vulnerability
 * 6bef2e6 Removed text/marshal support


# Plan #

Puppet Labs is currently rebuilding tarballs and packages of Puppet.
This will result in the following new source packages:
 * Puppet 2.6.15
 * Puppet 2.7.13
 * Puppet Labs will also push to rubygems.org for those using gems.
 * Hotfixes will be released for Puppet Enterprise 1.0, 1.1, and
1.2.4, and 2.0.3.
 * Updated packages will be released with Puppet Enterprise 2.5.1.


# Action #

We (Puppet Labs) obviously would like everybody to be as protected from attacks
as possible. We have not disclosed this issue publicly yet. Our
current plan is to
have updated packages ready and disclose the vulnerabilities next Tuesday
April 10th by 6pm PST (Wed April 11, 0100 GMT).

If you have any questions or need additional clarification on
anything, please respond to distro-maintainers@puppetlabs.com.


Thanks,
Matthaus Litteken
Release Manager
Puppet Labs

Comment 1 Tim Sammut (RETIRED) gentoo-dev

2012-04-05 15:08:07 UTC

Matthew, thanks for the bug.

@matsuu, please create an updated ebuild, either using the attached patch or for 2.7.13 when it is ready. Please do not commit the patch or updated ebuild to any public repo. Thank you.

Comment 2 Matthew Marlowe (RETIRED) gentoo-dev

2012-04-12 08:18:07 UTC

Security bug was publically announced along with release of 2.7.13:

http://groups.google.com/group/puppet-users/browse_thread/thread/e9049d03d9549c9

Comment 3 MATSUU Takuto (RETIRED) gentoo-dev

2012-04-12 13:36:15 UTC

2.7.13 in cvs.
please mark stable 2.7.13.

Comment 4 Tim Sammut (RETIRED) gentoo-dev

2012-04-12 15:35:49 UTC

Arches, please test and mark stable:
=app-admin/puppet-2.7.13
Target keywords : "amd64 hppa ppc sparc x86"

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2012-04-16 00:47:12 UTC

RepoMan scours the neighborhood...
>>> Creating Manifest for /newaches/gentoo/cvs/gentoo-x86/app-admin/puppet
  DEPEND.bad                    1
   app-admin/puppet/puppet-2.7.13.ebuild: hppa(default/linux/hppa/10.0) ['>=dev-ruby/facter-1.5.6[ruby_targets_ruby19]', 'dev-ruby/ruby-augeas[ruby_targets_ruby19]', 'dev-ruby/diff-lcs[ruby_targets_ruby19]', 'dev-ruby/rdoc[ruby_targets_ruby19]', 'dev-ruby/ruby-ldap[ruby_targets_ruby19]', 'dev-ruby/ruby-shadow[ruby_targets_ruby19]', 'dev-ruby/sqlite3-ruby[ruby_targets_ruby19]', 'virtual/ruby-ssl[ruby_targets_ruby19]', 'dev-lang/ruby:1.9', 'dev-ruby/rake[ruby_targets_ruby19]', 'virtual/rubygems[ruby_targets_ruby19]', 'virtual/rubygems[ruby_targets_ruby19]']
  RDEPEND.bad                   1
   app-admin/puppet/puppet-2.7.13.ebuild: hppa(default/linux/hppa/10.0) ['>=dev-ruby/facter-1.5.6[ruby_targets_ruby19]', 'dev-ruby/ruby-augeas[ruby_targets_ruby19]', 'dev-ruby/diff-lcs[ruby_targets_ruby19]', 'dev-ruby/rdoc[ruby_targets_ruby19]', 'dev-ruby/ruby-ldap[ruby_targets_ruby19]', 'dev-ruby/ruby-shadow[ruby_targets_ruby19]', 'dev-ruby/sqlite3-ruby[ruby_targets_ruby19]', 'virtual/ruby-ssl[ruby_targets_ruby19]', 'dev-lang/ruby:1.9', 'virtual/rubygems[ruby_targets_ruby19]']

Now we need ruby 1.9 suddenly?

Comment 6 MATSUU Takuto (RETIRED) gentoo-dev

2012-04-16 01:19:23 UTC

ok. I set USE_RUBY="ruby18" now.

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2012-04-16 11:50:44 UTC

Stable for HPPA.

Comment 8 Agostino Sarubbo gentoo-dev

2012-04-16 12:49:21 UTC

amd64 stable

Comment 9 Brent Baude (RETIRED) gentoo-dev

2012-04-16 17:09:49 UTC

ppc done

Comment 10 Jeff (JD) Horelick (RETIRED) gentoo-dev

2012-04-16 20:42:50 UTC

x86 stable

Comment 11 Raúl Porcel (RETIRED) gentoo-dev

2012-04-28 19:00:41 UTC

sparc stable

Comment 12 Sean Amoss (RETIRED) gentoo-dev

2012-04-29 03:12:32 UTC

Thanks, everyone. Already on existing GLSA request ready for review.

Comment 13 GLSAMaker/CVETool Bot gentoo-dev

2012-06-15 18:48:49 UTC

CVE-2012-1988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1988):
  Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise
  (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote
  authenticated users with agent SSL keys and file-creation permissions on the
  puppet master to execute arbitrary commands by creating a file whose full
  pathname contains shell metacharacters, then performing a filebucket
  request. telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE)
  1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite
  arbitrary files via a symlink attack on the NET::Telnet connection log
  (/tmp/out.log).

CVE-2012-1987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1987):
  Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before
  2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x
  before 2.5.1 allows remote authenticated users with agent SSL keys to (1)
  cause a denial of service (memory consumption) via a REST request to a
  stream that triggers a thread block, as demonstrated using CVE-2012-1986 and
  /dev/random; or (2) cause a denial of service (filesystem consumption) via
  crafted REST requests that use "a marshaled form of a
  Puppet::FileBucket::File object" to write to arbitrary file locations.

CVE-2012-1986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1986):
  Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise
  (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote
  authenticated users with an authorized SSL key and certain permissions on
  the puppet master to read arbitrary files via a symlink attack in
  conjunction with a crafted REST request for a file in a filebucket.

CVE-2012-1906 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1906):
  Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise
  (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable
  file names when installing Mac OS X packages from a remote source, which
  allows local users to overwrite arbitrary files or install arbitrary
  packages via a symlink attack on a temporary file in /tmp.

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2012-06-27 22:56:24 UTC

CVE-2012-1989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1989):
  telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x,
  2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary
  files via a symlink attack on the NET::Telnet connection log (/tmp/out.log).

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2012-08-14 20:53:05 UTC

This issue was resolved and addressed in
 GLSA 201208-02 at http://security.gentoo.org/glsa/glsa-201208-02.xml
by GLSA coordinator Sean Amoss (ackle).