
Bug 473720 (CVE-2013-3567)

Summary: <app-admin/puppet-2.7.22 : Remote code execution on master from unauthenticated clients (CVE-2013-3567)
Product: Gentoo Security
Reporter: Matthew Thode ( prometheanfire ) <prometheanfire>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-18 17:32:28 UTC
When making REST API calls, the puppet master takes YAML from an untrusted
client, deserializes it, and then calls methods on the resulting object. A YAML
payload can be crafted to cause the deserialization to construct an instance of
any class available in the Ruby process, which allows an attacker to execute
code contained in the payload.

I have fixes in tree as 2.7.21-r1, 2.7.22, 3.2.1-r3 and 3.2.2. The only thing I see as remaining to be done is a fast stabilization of 2.7.21-r1 so we can remove the last vulnerable version from tree (2.7.21).

Reproducible: Always
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-24 19:48:41 UTC
amd64 hppa ppc sparc x86

all arches, please stabilize puppet 2.7.21-r1 and 2.7.22.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-06-28 15:32:43 UTC
Arch teams, please test and mark stable:
=app-admin/puppet-2.7.21-r1
app-admin/puppet-2.7.22
Stable KEYWORDS : amd64 hppa ppc sparc x86

Also, who dropped SPARC from 3.*? I don't see a keyword request bug.
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-28 18:10:09 UTC
there's a dependency that needs to be worked out for sparc, bug 449184.  I should update that stating I have 3.2.2 in tree now as well.
Comment 4 Agostino Sarubbo gentoo-dev 2013-06-28 18:54:57 UTC
(In reply to Jeroen Roovers from comment #2)
> Arch teams, please test and mark stable:
> =app-admin/puppet-2.7.21-r1
> app-admin/puppet-2.7.22
> Stable KEYWORDS : amd64 hppa ppc sparc x86
> 

Only 2.7.22 is fine.
Comment 5 Agostino Sarubbo gentoo-dev 2013-06-28 20:58:28 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-06-29 10:13:45 UTC
ppc stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-06-30 22:19:31 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-07-04 12:26:36 UTC
x86 stable
Comment 9 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-16 05:33:27 UTC
how's sparc doing?
Comment 10 Agostino Sarubbo gentoo-dev 2013-07-21 17:55:16 UTC
sparc stable
Comment 11 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-15 15:15:50 UTC
well, now that we are all stable we have another CVE :D

I think we should close in favor of bug 481186
Comment 12 Sergey Popov gentoo-dev 2013-08-21 07:26:42 UTC
Thanks for your work

Added to existing GLSA draft
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-08-23 18:44:09 UTC
This issue was resolved and addressed in
 GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 17:19:16 UTC
CVE-2013-3567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3567):
  Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise
  before 2.8.2, deserializes untrusted YAML, which allows remote attackers to
  instantiate arbitrary Ruby classes and execute arbitrary code via a crafted
  REST API call.
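
The deserialization behaviour described in this bug, as an added example (not Puppet's code and not the upstream fix): a full-object YAML load builds an instance of whatever class the document names, while `YAML.safe_load` with an empty allow-list rejects the same document. The `AuditProbe` class, both request bodies and the function names are constructed for illustration.

```ruby
require 'yaml'

# Constructed stand-in for "any class available in the Ruby process".
class AuditProbe
  attr_reader :note

  def initialize
    raise 'never reached: the YAML loader allocates without calling initialize'
  end
end

# Constructed request bodies (not captured traffic).
PLAIN_BODY  = "---\nname: web01\nenvironment: production\n"
TAGGED_BODY = "--- !ruby/object:AuditProbe\nnote: built from the wire\n"

# Full-object loading, the behaviour this bug is about. Psych 4 renamed it to
# unsafe_load; on older Rubies plain YAML.load behaves this way.
def legacy_load(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# Hardened parse for untrusted input: plain scalars, arrays and hashes only.
# No class tags, no symbols, no aliases; anything else raises ArgumentError.
def parse_untrusted(body)
  data = YAML.safe_load(body, permitted_classes: [], permitted_symbols: [],
                              aliases: false)
  raise ArgumentError, 'rejected YAML: top level is not a mapping' unless data.is_a?(Hash)

  data
rescue Psych::Exception => e
  raise ArgumentError, "rejected YAML: #{e.class}"
end

if __FILE__ == $PROGRAM_NAME
  obj = legacy_load(TAGGED_BODY)
  puts "legacy load built: #{obj.class} (note=#{obj.note.inspect})"
  puts "safe load of plain body: #{parse_untrusted(PLAIN_BODY).inspect}"
  begin
    parse_untrusted(TAGGED_BODY)
  rescue ArgumentError => e
    puts "safe load of tagged body: #{e.message}"
  end
end
```

The legacy load returns an `AuditProbe` whose instance variable came straight from the document, which is why any later method call on the result runs against attacker-chosen state.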