| Field | Value |
|---|---|
| Summary | <app-admin/puppet-{2.7.25,3.6.2}: Arbitrary Code Execution with Required Social Engineering (CVE-2014-{3248,3250}) |
| Product | Gentoo Security |
| Reporter | Matthew Thode ( prometheanfire ) <prometheanfire> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED INVALID |
| Severity | normal |
| CC | jer, ruby, sysadmin |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 531286 |
Description

Matthew Thode ( prometheanfire )

CVE-2014-3248 does not apply to us since we no longer have these old ruby versions around (well, technically our jruby 1.6 version behaves the same as ruby < 1.9.2 did, but we don't install puppet for it).

Arches please test and mark stable:
=app-admin/puppet-2.7.25
=app-admin/puppet-3.6.2
target KEYWORDS="amd64 hppa ppc sparc x86"

How did this happen?

```
RepoMan scours the neighborhood...
  dependency.bad                42
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/kde) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/kde) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/kde/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/desktop/kde/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/developer) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc32/13.0/developer) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/gnome) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/gnome) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/gnome/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/gnome/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/kde) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/kde) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/kde/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/desktop/kde/systemd) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/developer) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~ppc(default/linux/powerpc/ppc64/13.0/32bit-userland/developer) ['>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/desktop) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/desktop) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/desktop/gnome) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/desktop/gnome) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/desktop/gnome/systemd) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/desktop/gnome/systemd) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/desktop/kde) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/desktop/kde) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/desktop/kde/systemd) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/desktop/kde/systemd) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: DEPEND: ~sparc(default/linux/sparc/13.0/developer) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
   app-admin/puppet/puppet-3.6.2.ebuild: RDEPEND: ~sparc(default/linux/sparc/13.0/developer) ['dev-ruby/hiera[ruby_targets_ruby20]', '>=dev-ruby/facter-1.6.2[ruby_targets_ruby20]', '<dev-ruby/facter-3[ruby_targets_ruby20]']
```

Also this:

```
These are the packages that would be merged:

Calculating dependencies... done!
[ebuild     U ~] app-admin/puppet-3.6.2 [2.7.25] USE="augeas diff doc emacs ldap rrdtool shadow sqlite3 {test} vim-syntax xemacs -minimal (-selinux)" RUBY_TARGETS="ruby19 ruby20%*" 0 kB
[ebuild     U ~] dev-ruby/ruby-ldap-0.9.16 [0.9.12] USE="doc%* ssl {-test}" RUBY_TARGETS="ruby19 ruby20%* -ruby21%" 0 kB
[ebuild     U ~] dev-ruby/ruby-shadow-2.3.4 [2.1.4] USE="{test}" RUBY_TARGETS="ruby19 ruby20%* -ruby21%" 11 kB
[ebuild  N    ~] dev-ruby/rgen-0.6.6-r1 USE="doc {test}" RUBY_TARGETS="ruby19 ruby20 -ruby21" 272 kB
[ebuild     U ~] dev-ruby/facter-2.0.2 [1.7.1-r1] USE="pciutils {test} virt%* (-dmi)" RUBY_TARGETS="ruby19 ruby20%* (-jruby)" 194 kB
[ebuild     U ~] dev-ruby/ruby-augeas-0.5.0-r1 [0.4.1] USE="doc {test}" RUBY_TARGETS="ruby19 ruby20%* -ruby21%" 24 kB
[ebuild     U ~] dev-ruby/sqlite3-1.3.9-r1 [1.3.6] USE="doc {test}" RUBY_TARGETS="ruby19 ruby20%* -ruby21%" 60 kB

Total: 7 packages (6 upgrades, 1 new), Size of downloads: 559 kB

The following keyword changes are necessary to proceed:
 (see "package.accept_keywords" in the portage(5) man page for more details)
# required by app-admin/puppet-3.6.2[ruby_targets_ruby20,augeas,test]
# required by @selected
# required by @world (argument)
=dev-ruby/ruby-augeas-0.5.0-r1 ~hppa
# required by app-admin/puppet-3.6.2[ruby_targets_ruby19,test,ldap]
# required by @selected
# required by @world (argument)
=dev-ruby/ruby-ldap-0.9.16 ~hppa
# required by app-admin/puppet-3.6.2[shadow,ruby_targets_ruby20,test]
# required by @selected
# required by @world (argument)
=dev-ruby/ruby-shadow-2.3.4 ~hppa
# required by app-admin/puppet-3.6.2[ruby_targets_ruby19,test]
# required by @selected
# required by @world (argument)
=dev-ruby/rgen-0.6.6-r1 ~hppa
# required by app-admin/puppet-3.6.2[ruby_targets_ruby20,test]
# required by @selected
# required by @world (argument)
=dev-ruby/facter-2.0.2 ~hppa
# required by app-admin/puppet-3.6.2[ruby_targets_ruby20,sqlite3,test]
# required by @selected
# required by @world (argument)
=dev-ruby/sqlite3-1.3.9-r1 ~hppa
```

ping
Since no one has answered, I'm trying to build a list of needed packages. At some point I see that dev-ruby/ruby-augeas[ruby_targets_ruby20] is needed.

Keywords for dev-ruby/ruby-augeas:

| version | alpha | amd64 | arm | arm64 | hppa | ia64 | m68k | mips | ppc | ppc64 | s390 | sh | sparc | x86 | unused | slot | repo |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0.4.1 | o | + | o | o | + | + | o | o | + | o | o | o | + | + | o | 0 | gentoo |
| 0.5.0 | o | ~ | o | o | ~ | ~ | o | o | ~ | o | o | o | ~ | + | o | | gentoo |
| 0.5.0-r1 | o | ~ | o | o | ~ | ~ | o | o | ~ | o | o | o | ~ | ~ | o | | gentoo |

0.5.0 has only ruby19 and not ruby20.
0.5.0-r1 has ruby19, ruby20, ruby21 (which can't go stable).

So we need a version that does not include ruby21, or make some mask(s).

Comment #7, Matthew Thode ( prometheanfire ):

ok, removed ruby21 in =dev-ruby/ruby-augeas-0.5.0-r2

anything else needed?

(In reply to Matthew Thode ( prometheanfire ) from comment #7)
> ok, removed ruby21 in =dev-ruby/ruby-augeas-0.5.0-r2
>
> anything else needed?

The same problem exists with ruby-ldap. It is missing a version with ruby20 and not ruby21.

fixed the ldap problem, still waiting on virt-what though....

We also need a ruby-shadow version with ruby20 and without ruby21.

would it be easier to just change the ruby dep for this version to be <=2.0

(In reply to Matthew Thode ( prometheanfire ) from comment #0)
> On a host on which Puppet, Mcollective, Facter, or Hiera runs on Ruby
> < 1.9.2,
> This is due to the fact that Ruby versions < 1.9.2 append the current
> working directory to the load path of an application

If I understand correctly, the bug is valid with <ruby-1.9.2, which is not in our tree. So, is this bug/stabilization needed?

even if not needed, I'd like to see it marked stable, since upstream isn't really supporting the current stable 3.x release anymore.

Comment #14, Agostino Sarubbo:

Finally, this bug is invalid because it is reproducible with a ruby version not anymore in the tree.

(In reply to Agostino Sarubbo from comment #14)
> Finally, this bug is invalid because it is reproducible with a ruby version
> not anymore in the tree.

What does that mean?