| Summary: | <app-admin/puppet-4.10.1: Unsafe YAML deserialization | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | prometheanfire, ruby, sysadmin |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1452651 | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: |
app-admin/puppet-4.10.1 amd64 hppa x86
app-admin/puppet-agent-1.10.1 amd64 x86
dev-ruby/rgen-0.8.0 x86
dev-ruby/hiera-3.2.2 x86
dev-ruby/deep_merge-1.0.1 x86
|
Runtime testing required: | --- |
yep, arches, please stabilize. An automated check of this bug failed - the following atom is unknown: app-admin/puppet-agent-4.10.1 Please verify the atom list. An automated check of this bug failed - repoman reported dependency errors (17 lines truncated):
> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: DEPEND: x86(default/linux/x86/13.0) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']
> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: RDEPEND: x86(default/linux/x86/13.0) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']
> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']
@ruby, are you fine with those packages getting stabilized as well? (In reply to Matthew Thode ( prometheanfire ) from comment #4) > @ruby, are you fine with those packages getting stabilized as well? Note that these are only needed for x86 and x86 currently does not have a stable puppet version at all. No problem from my side. I have updated the package list accordingly. An automated check of this bug failed - the following atom is unknown: dev-ruby/deep-merge-1.0.1 Please verify the atom list. amd64 stable x86 stable Arches, please finish stabilizing hppa Gentoo Security Padawan ChrisADR stable.......... bman, stable hppa? (it's still cc'd) (In reply to Matthew Thode ( prometheanfire ) from comment #11) > bman, stable hppa? (it's still cc'd) Yup you should probably remove hppa from cc :P (I'm doing that this time) readding hppa, wrong version stabilized hppa stable Stabilization done, thank you arches. @ Maintainer(s): Please clean vulnerable versions from tree. @ Security: Please vote on glsa. cleaned up |
From ${URL} : It was found that Puppet will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML. External References: https://puppet.com/security/cve/cve-2017-2295 @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.